MFA for IBM i: How to Meet 2026 Compliance Requirements

Key Takeaways

  • Regulatory pressure for MFA is accelerating in 2026, with PCI DSS, HIPAA, DORA, and NYDFS 23 NYCRR all either requiring or strongly implying MFA adoption.
  • Cyber insurers are now denying coverage — not just penalizing — organizations without verified, comprehensive MFA controls in place.
  • Stolen credentials remain the number one entry point for ransomware attacks. MFA blocks 99.9% of automated attacks.
  • When evaluating an MFA solution for IBM i, flexibility, phased rollout, and IAM integration are the factors that matter most.

For years, multi-factor authentication (MFA) on IBM i has been on security teams’ to-do lists. In 2026, it’s moved to the top — and it’s not moving back down.

What’s changed isn’t just the threat landscape, though that’s gotten significantly worse. What’s changed is who’s asking the questions. It’s no longer just security teams pushing for MFA. It’s compliance officers, legal teams, CISOs, and increasingly, cyber insurance providers.

Here’s what’s driving that shift, and what it means for your IBM i environment.

Which Regulations Now Require MFA for IBM i?

When we take a look across everything being written and said about cybersecurity regulation heading into 2026, six themes keep coming up:

  1. Regulatory uncertainty
  2. Cybersecurity mesh
  3. Audit reporting
  4. AI and GenAI
  5. Data protection mandates
  6. Zero Trust

Together, they’re pushing organizations toward a security posture that’s documented, verifiable, and integrated — not siloed.

The specific compliance changes matter too.

  • PCI DSS v4.0.1 now explicitly mandates MFA for any system handling payment card data, with clear requirements around replay attack prevention and multi-factor verification.
  • HIPAA is undergoing its most significant overhaul since 2013 — a final rule expected in May 2026 that eliminates previously “addressable” safeguards and makes MFA mandatory.
  • DORA is raising the bar for financial institutions across the EU on IT risk management and access control.

The common thread: multi-factor authentication is no longer a recommendation embedded in a framework, and IBM i systems aren’t exempt.

Does Cyber Insurance Require MFA?

Here’s one thing that tends to surprise people the most: the lack of MFA is now the number one reason organizations’ cyber insurance claims get denied.

Insurers want verified proof that controls are actually working. Documentation alone doesn’t cut it anymore. And organizations with MFA on some systems but not others are increasingly being treated the same as having no MFA at all.

A recent global survey of 650 CISOs found that 78% are now worried about personal liability for security incidents — up from 56% the year prior. Accountability for security failures is no longer contained to the IT team. Executives are being held personally responsible.

For anyone building the internal business case for IBM i MFA investment, that’s the argument to bring into the room.

Why Stolen Credentials Are the #1 Ransomware Entry Point

Here’s something worth sitting with: ransomware attacks aren’t primarily succeeding because of sophisticated zero-day exploits. They’re succeeding because someone got hold of a username and password.

Stolen credentials are the number one entry point for ransomware today, and passwords alone offer no real protection against that. Multi-factor authentication adds the layer that makes stolen credentials useless on their own — combining something you know, something you have, and something you are, so an attacker needs all three. This is true across all platforms, including IBM i.

The numbers speak for themselves. Organizations are facing close to 2,000 cyber attacks per week on average — a 70% increase since 2023. Ransomware damage costs are projected to hit $74 billion this year.

And here’s the one that really lands: ransomware attacks were previously predicted to hit every two seconds by 2031. We’re already there — five years ahead of schedule. What was a forecast for the end of the decade is now just the reality we’re operating in today.

MFA isn’t bulletproof, but it blocks over 99.9% of account compromise attacks, making it by far the most effective single step available to protect system access.

What Should You Look for in an IBM i MFA Solution?

Once the “why” is settled, the more practical question is “which one?” Not every multi-factor authentication solution is built for IBM i environments, and the differences matter — especially when it comes to achieving compliance, managing users at scale, and rolling out without disrupting operations.

When thinking through what to evaluate, a few things consistently rise to the top:

  • Does the solution support multiple authentication methods — push notifications, on-demand authentication, TOTP — or just one?
  • Is a phased implementation possible, starting with high-risk access points like remote access and privileged accounts?
  • Does it integrate with the IAM platforms already in use across the organization?
  • Does it support older OS versions, or does it require the latest hardware to function?

How Do You Implement MFA on IBM i?

It can feel overwhelming to know where to begin with IBM i multi-factor authentication, but the good news is it doesn’t have to happen all at once.

The right first step is understanding which regulations apply: PCI DSS for organizations processing payments, HIPAA for healthcare, DORA or NYDFS for financial institutions.

Once compliance obligations are clear, it’s easier to prioritize — starting with the highest-risk access points first, like remote access, privileged accounts, and administrative users, and expanding from there.

A phased approach makes it possible to test, validate, and roll out gradually without disrupting the entire user base on day one.

Hear more practical tips from our experts in the on-demand webinar, Securing Access: Best Practices for Multi-Factor Authentication on IBM i.

Want to talk through your IBM i security posture more broadly before jumping into an MFA evaluation? Sign up for a free risk assessment and our team will be in touch.

Frequently Asked Questions About MFA on IBM i

Is MFA required for IBM i compliance?

Yes. As of 2026, multi-factor authentication is explicitly required under PCI DSS v4.0.1 for any system processing payment card data, and is expected to become mandatory under the updated HIPAA final rule. DORA and NYDFS also require strong access controls — which in practice includes MFA — for financial institutions. IBM i environments are subject to the same requirements as any other platform.

Can I lose cyber insurance coverage for not having MFA on IBM i?

Yes. Cyber insurers are now denying or restricting coverage for organizations that cannot verify active, comprehensive MFA controls. Partial coverage (MFA on some systems but not IBM i) is increasingly treated the same as having no MFA at all.

What is the best MFA solution for IBM i?

The best IBM i MFA solution is one that supports multiple authentication methods (push, TOTP, on-demand), integrates with your existing IAM platforms, supports older OS versions, and allows for phased rollout so you can start with high-risk access points without disrupting all users at once.

Does HIPAA require multi-factor authentication?

Under the proposed HIPAA Security Rule updates expected to be finalized in 2026, multi-factor authentication will shift from an “addressable” safeguard to a mandatory requirement. Organizations handling protected health information (PHI) — including on IBM i systems — should treat MFA as a compliance requirement now.

How do I add MFA to IBM i without replacing existing systems?

The most effective approach is a phased implementation: start with remote access and privileged accounts, validate the rollout, then expand to broader user groups. Look for a solution that integrates with your existing IAM setup and supports your current OS version to avoid unnecessary infrastructure changes.
