Nov 16, 2020
- Improved Failover. Powertech MFA's failover capabilities, which provide redundancy and continued authentication service in the case of server failure, have been redesigned with improvements for greater ease of use, visibility, integrity, and security:
- A dashboard now indicates the current health and status of Powertech MFA's environment, including the status of each connected system's Authentication Manager, Database Server, and Messaging Service.
- Failover can be triggered manually from within the Insite console to accommodate server maintenance.
- Failover events are logged in the system event log.
- Administrators can be notified of failover events automatically via email.
- Failover events are now communicated over a secure port with SSL encryption via Powertech MFA's message broker (ActiveMQ).
- Enhanced Product Security. Security has been improved with the addition of intrusion detection, notification, and lockdown capabilities, as well as internal security enhancements.
- Powertech MFA administrators can automatically disable user accounts that repeatedly fail to authenticate successfully.
- Inactive user accounts can be automatically disabled after a predetermined number of days.
- Users are now prompted to enter a one-time password from one of their registered devices upon User Portal login or, alternatively, an emergency one-time password provided by their administrator.
- Security for endpoint requests sent from HelpSystems Insite to Powertech MFA's Authentication Manager has been improved.
- On Windows, Tomcat's server.xml is now only readable by the Windows administrator, and the Tomcat service is now configured to Run as Administrator.
- On Linux, Tomcat's server.xml is now only readable by root, and the Tomcat service is configured to run as root.
- The API key used to make Firebase calls is now encrypted and has been moved into the Powertech MFA database.
- Expanded Exit Point Support. Authentication is now supported for the following additional exit points:
- DDM/DRDA Server
- Database Svr-Initiation
- File Server
- Remote Command
- Retrieve command exit programs
- TCP Signon Server
- Authentication Suppression. Unwanted exit point authentication requests can now be eliminated using Authentication Suppression. After a user has authenticated once for a specific request via a specific exit point, that user will not be prompted again for a duration specified by the administrator.
- The Authentication Suppression value can be set for IBM i Agent systems on the New/Edit System and New/Edit Default System panes in Insite.
- Authentication suppression is active by default for the IBM i user initial program, which provides green screen sign-on authentication.
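The suppression rule described above, as an added illustration that is not Powertech MFA's own code: a small Python cache keyed on system, user, exit point and request type, with a per-system window standing in for the New/Edit System setting (all names, system identifiers and the per-system values are constructed for the example; a window of 0 means suppression is off for that system).

```python
import time
from typing import Callable, Dict, Tuple

# Constructed example of per-system settings: suppression window in seconds
# per IBM i agent system. 0 disables suppression for that system.
SYSTEM_SUPPRESSION_SECONDS: Dict[str, int] = {
    "PROD1": 300,
    "DEV1": 0,
}


class AuthSuppression:
    """Remembers recent successful authentications so a user is not re-prompted
    for the same (system, user, exit point, request) within the admin-set window."""

    def __init__(self, settings: Dict[str, int], clock: Callable[[], float] = time.monotonic):
        self._settings = settings
        self._clock = clock
        self._last_ok: Dict[Tuple[str, str, str, str], float] = {}

    def window(self, system: str) -> int:
        return self._settings.get(system, 0)

    def should_prompt(self, system: str, user: str, exit_point: str, request: str) -> bool:
        key = (system, user, exit_point, request)
        last = self._last_ok.get(key)
        if last is None:
            return True
        if self._clock() - last >= self.window(system):
            del self._last_ok[key]  # window elapsed: drop the stale entry and prompt again
            return True
        return False

    def record_success(self, system: str, user: str, exit_point: str, request: str) -> None:
        if self.window(system) <= 0:
            return  # suppression off for this system: never cache
        self._last_ok[(system, user, exit_point, request)] = self._clock()

    def record_failure(self, system: str, user: str, exit_point: str, request: str) -> None:
        # A failed attempt must not leave an older success in effect.
        self._last_ok.pop((system, user, exit_point, request), None)


def simulate() -> list:
    """Walk through the decisions with a controllable clock; returns the prompt decisions."""
    now = [0.0]
    s = AuthSuppression(SYSTEM_SUPPRESSION_SECONDS, clock=lambda: now[0])
    out = [s.should_prompt("PROD1", "JSMITH", "File Server", "open")]   # first time: prompt
    s.record_success("PROD1", "JSMITH", "File Server", "open")
    now[0] = 100.0
    out.append(s.should_prompt("PROD1", "JSMITH", "File Server", "open"))  # inside window: suppressed
    out.append(s.should_prompt("PROD1", "JSMITH", "Remote Command", "run"))  # other exit point: prompt
    now[0] = 400.0
    out.append(s.should_prompt("PROD1", "JSMITH", "File Server", "open"))  # window expired: prompt
    s.record_success("DEV1", "JSMITH", "File Server", "open")
    out.append(s.should_prompt("DEV1", "JSMITH", "File Server", "open"))   # suppression off: prompt
    return out
```

The key deliberately includes the exit point, so a success on the File Server exit point does not silence a prompt on Remote Command for the same user.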
- Improved Logging and Reporting. Powertech MFA's logging and reporting capabilities have been expanded.
- You can now view User Portal signon activity and detailed information about authentication failures and all device-related actions, including device addition, removal, and disabling.
- The logging level of all available Authentication Managers can now be configured by a Powertech MFA administrator.
- Log files can now be downloaded from authentication manager servers to aid in troubleshooting.
- Move or Copy IBM i Agent Configurations. Powertech MFA's IBM i Agent configuration, including status, exit point settings, and user settings, can now be easily copied to a different IBM i system. During this process, the original configuration can be removed to help accommodate maintenance issues such as hardware upgrades.
- Bulk Profile Importing. Many Powertech MFA users or IBM i profiles can now be imported into the software quickly using .csv documents.
- The way in which validation is performed when a Powertech MFA user signs into the Desktop Agent or User Portal using their IBM i credentials has been updated to minimize the impact on performance when the TCP Signon Server is active.
- The Authentication Manager is now supported on Linux PowerPC operating systems.
- A global timeout value can now be set for communications between the IBM i and the Powertech MFA Authentication Manager.
- The ActiveMQ message broker is now used for communication with Powertech MFA's Desktop Agent.
- The Port Configurator accompanying the Authentication Manager installer has been updated and simplified to accommodate Powertech MFA's enhanced infrastructure.
- The broken Desktop Agent shortcut in the Windows Start Menu has been corrected.
- Powertech MFA's Authentication Manager can now delegate authentication calls to a RADIUS server to authenticate users.
- Logging has been added to the desktop agent to assist with troubleshooting.
- Updates to the Multi-Factor Authentication Desktop Agent.
- Updates to the Multi-Factor Authentication IBM i Agent.
- The System Selection screen of the Insite UI has been updated to provide better feedback on each IBM i system, including information on systems that cannot be supported.
- The product has been renamed Powertech Multi-Factor Authentication. The new name is now used in the UI for all product modules and accompanying documentation. (Previously the product was called "Access Authenticator.")
- The product name has been added to the title of the Deactivate Authentication panel (PMA3985).
- Updates to the Powertech Multi-Factor Authentication IBM i Agent.
- Documentation for securing IBM i and Authentication Manager connections with TLS has been improved.
- Improvements and fixes to the IBM i Agent with the release of version R01M04. See Multi-Factor Authentication IBM i Agent.
- Administrators can now make changes to the initial program that is now stored in the configuration file for each user profile being authenticated by Access Authenticator. This can be done without deactivating and reactivating the user. A new option (option 5) on the Main Menu, and the CHGAAINITP command, have been added for this purpose.
- The Windows version of the backup/restore database script that is packaged with the Authentication Manager has been repaired.
- The HelpSystems Insite server address on the IBM i agent is now updated with each Activation from Insite.
- The 'Select All' check box on the Users screen is now cleared after deleting all users.
- Service scripts are now always upgraded during installation on Linux.
- Extra license expiry emails are no longer sent when the license expiry email feature is active.
- The character limit of the LDAP Context field in Access Authenticator's LDAP screen has been increased to 300 characters.
- Green screen authentication is no longer disabled when the Kafka server is down or unreachable.
- The Insite Server address (listed in the Insite Server Configuration panel) is now cleared if the IBM i agent is removed from HelpSystems Insite.
- An issue that prevented Access Authenticator users from being deleted after a YubiKey or mobile device had been added has been resolved.
- A problem that prevented a mobile device from being synced when the YubiKey device type is disabled has been resolved.
- Users can now choose to authenticate using a one-time password (OTP) generated by a soft token. The soft token is a PIN-protected authentication method launched from the desktop agent.
- APIs are now available that allow third parties to use two-factor authentication provided by Access Authenticator in their own products and processes. The APIs are documented and include usage examples.
- User Portal updates: The list of authentication methods in the User Portal now includes all available authentication methods, as well as each method's status (enabled/disabled). The soft token has been added and the backup list of OTPs is now included as a device.
- Commands have been added to start and stop the Access Authenticator IBM i agent (PMASTRMON and PMAENDMON) to help facilitate system backup and other maintenance procedures.
- An issue preventing Access Authenticator users from being added with the IE11 web browser has been resolved.
- The jackson-databind jar file used in the Authentication Manager has been updated to version 2.9.4 for improved security.
- Usability improvements.
- The Access Authenticator Windows installer is no longer required to create a Windows user account during installation in order to start and stop the services associated with Access Authenticator. This enhancement improves stability.
- Audit logs and reports have been added. Reports now allow administrators to view Access Authenticator system activities including authentication data and system event information, as well as an audit log of Access Authenticator configuration information. See Reports screen for details.
- Email server support has been improved. Access Authenticator now provides administrators more flexibility when connecting to the email server resources used to distribute email alerts generated by Access Authenticator. See Email Settings screen for details.
- Notifications of an impending license expiration have been added. Administrators can now be sent a notification when the Access Authenticator license period is nearing expiration. See Settings screen for details.
- LDAP server settings can now be validated before saving. LDAP server settings can now be validated to ensure a connection can be made without errors prior to saving the LDAP settings. See LDAP Settings screen for details.
- Exit Point activation now prompts to activate the agent system. If an IBM i agent is deactivated and an administrator activates an Exit Point within the agent settings for that system and saves, the administrator is now prompted to activate the agent. See New/Edit System screen for details.
- Reliability improvements have been made to the Access Authenticator mobile app. The mobile app can now remain synced after the primary authentication manager has failed.
- Access Authenticator Roles have been added to Insite. See Roles in the Insite help for details.
- Installation Improvements. The Access Authenticator installation process has been enhanced and simplified.
- Improved Mobile App Synchronization. Primary and secondary authentication managers are now included in the syncing process, eliminating the need to re-sync the mobile app after authentication manager failover.
- Exit point authentication errors are now displayed as notifications in the Desktop Agent.
- Toggle buttons have been added to show/hide passwords in the Desktop Agent.
- A warning now notifies the administrator if all authentication methods are turned off.
- The exit point status is now evident as exit points are activated/deactivated.
- Usability/UI improvements have been made to the Email Settings screen, Access Authenticator Settings screen, New/Edit User Screen, and other areas.
- Access Authenticator documentation has been improved.
Access Authenticator has been released. Access Authenticator allows you to implement multi-factor authentication across your IBM i environment.
- Comprehensive Authentication Manager. Access Authenticator is administered from the HelpSystems Insite web interface. The authentication manager is a powerful tool that makes it easy to configure multi-factor authentication to meet your organization’s needs.
From here, you can import users from Active Directory, invite users to the self-service portal, and activate or deactivate multi-factor authentication for users and groups. Users can also be disabled without removing them from the database altogether.
- Intuitive User Portal. The self-service portal allows users to complete the Access Authenticator registration process. This easy-to-use portal is also where users maintain their authentication credentials and update their options.
In compliance with PCI DSS 8.2.2, which requires users to verify their identities before modifying any authentication credentials, users must verify their usernames and passwords before making changes to their accounts.
- Multiple Authentication Methods. Access Authenticator allows administrators to select from several different methods of authentication for your users’ convenience and to meet your organization’s security requirements, including:
- One-time password generation
- Biometric fingerprint scanning
See Access Authenticator for more product details.
See Access Authenticator Reference Manual for product documentation.