Username/password combinations are hackable. Enforcing password policies with long passwords (phrases) and other increasingly strict guidelines are proven to make it more difficult to hack a password. But, given enough time and computing power, modern hacking algorithms will eventually find a way in.
You need additional lines of defense.
Multi-factor authentication
This is where MFA comes into play, especially when protecting access to sensitive data. MFA suspends the login process until the system receivs proof of a secondary form of authentication. This is usually a code send to a known device such as an email address or a mobile phone. Authenticator apps are another common (and more secure) approach. With MFA, the account access will fail because the hacker will not be able to provide the code.
Our products, i2Pass and SafeNet/i provide out-of-the-box MFA support.
Tip: a common way to "intercept" the user login process to add secondary authentication is the "initial program" (INLPGM) in the user profile. If you want to do this, use Retrieve Job Attributes (RTVJOBA) in your code to get user profile information, such as email address.
Exit Points
The IBM i OS provides other means of protection after user login. For example, correct and strict configuration of authorities and authorization lists will limit the scope of an intruder's actions. However, exit points are probably the most effective way of limiting access within the OS. By registering exit programs for critical connections like FTP, Telnet, etc. you are effectively overriding the OS security configuration with an extra layer of protection. If the attempted action fails the exit point test then it doesn't even hit the operating system.
Our SafeNet/i product is a software firewall that uses exit points to offer this type of protection.