Allowing end users to reset their passwords or unlock their own accounts poses security risks. It is not uncommon for an attacker to masquerade as a valid user to steal credentials. To ensure that only the intended users access the self-service portal, ADSelfService Plus employs the following stringent authentication methods to establish users’ identities:
Administrators have the flexibility to choose all authentication procedures or a combination of the available methods based on their needs.
Users enroll with ADSelfService Plus by answering a series of personal questions; the answers are then stored securely in the ADSelfService Plus database after encryption. To reset their passwords or to unlock their accounts, users are required to verify their identity by answering the questions they previously responded to.
Administrators can further strengthen identity verification by adding additional restrictions to the questions and answers.
When a user attempts to reset their password or unlock their account, a verification code is sent to their mobile device or email address. Administrators can also send a secure link via email which the user can use to reset their password. Administrators can configure the number of times a user can enter invalid credentials before they are temporarily blocked from logging in.
Note: Administrators can configure ADSelfService Plus to pull the mobile device and email address from the corresponding LDAP attributes in Active Directory.
ADSelfService Plus supports Google Authenticator, a widely used, third-party authentication application for mobile phones. Users enroll with ADSelfService Plus by scanning a QR code. When performing any self-service operation, the user is required to open the app and enter the code displayed in Google Authenticator to verify their identity.
In addition to Google Authenticator, administrators can use other third-party, time-based authenticators such as Microsoft Authenticator or Sophos Authenticator.
Multi-factor authentication in ADSelfService Plus supports Duo Security, a widely trusted access platform that secures organizations by verifying the identities of users. Users are required to enroll with Duo Security. When this authentication procedure is enabled and users attempt to reset passwords or unlock accounts, they are required to select a mode of communication (push notification, SMS, or call) through which Duo Security sends a verification code. Upon successful verification, users can self-service their passwords and accounts.
ADSelfService Plus can be integrated with RSA SecurID to provide secure authentication for users trying to access a network resource. When resetting a password or unlocking an account, users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received by email or SMS to log in to ADSelfService Plus.
ADSelfService Plus allows administrators to add RADIUS as an additional avenue for user authentication. After administrators enable RADIUS, users are required to provide their RADIUS passwords to authenticate themselves. Once the account is verified, the user can proceed with the self-service operation or move on to the next configured authentication procedure.
In order to prevent malicious users from taking multiple guesses at the answers, administrators can set up a temporary block for any account that racks up a specified number of wrong answers within a certain amount of time.
Push notifications are one of the easiest and quickest methods of authentication. With push notifications enabled, users get a login request sent to the ADSelfService Plus mobile app on their registered mobile device. They can either approve the authentication request or deny it to reject unexpected requests. Once enrolled, users can also reset their password or unlock their account from the mobile app using push notifications.
There is nothing as unique as a person’s fingerprint. That's why fingerprint authentication is one of the easiest yet most secure authentication methods. If a user's registered mobile device has a fingerprint sensor, they can use their fingerprint to authenticate password resets and account unlocks from the ADSelfService Plus mobile app.
The ADSelfService Plus mobile app is all users need to use QR codes for authentication. Users can simply scan the QR code displayed on their ADSelfService Plus web portal from their registered mobile device to complete the process.
One of the most commonly used methods of authentication is time-based one-time passcodes (TOTPs). The ADSelfService Plus mobile app generates TOTPs that change every minute. Users have to enter the 6-digit passcode during the authentication process within a specific amount of time to complete their identity verification.
ADSelfService Plus allows administrators to set up Active Directory (AD)-based security questions as one of the multi-factor authentication methods to verify user identity during self-service password reset. When this method is enabled, the security questions are linked to an AD attribute, and users are successfully authenticated when their answers match that specific attribute value.
For example, assume that the admin has selected "What is your social security number?" as an AD-based security question and has linked a custom attribute of the user that has the social security number as its value. Now, whenever a user attempts a password reset, they're required to enter their social security number as specified in the value of the custom attribute as an answer. If entered incorrectly, the password reset operation is aborted.
Since this technique utilizes users' AD attributes, they need not enroll with ADSelfService Plus separately.
The identity verification process starts when the user accesses the ADSelfService Plus application and clicks on the "Reset Password" or "Unlock Account" link. After the user enters their username and the domain, the ADSelfService Plus server performs a series of security checks.
Domain affiliation check: Checks if the user is affiliated with the specified domain.
Policy settings check: Checks if the user has permission to reset their password or unlock their account through ADSelfService Plus. ADSelfService Plus policies can be configured so that end users only have access to certain self-service features.
Enrollment status check: Checks if the user has enrolled with ADSelfService Plus by answering the security questions, updating their mobile number or email address, and synchronizing their Google Authenticator account. Only enrolled users are allowed to reset passwords and unlock accounts.
Blocked users check: Checks if the user account is blocked by the ADSelfService Plus server from performing self-service actions due to multiple invalid attempts. Users who fail to enter the correct verification code and/or answer(s) to the security question(s) will be blocked by the application after a certain number of attempts, as set by the ADSelfService Plus administrator. This helps prevent bot-based attacks, denial-of-service attacks, and other types of attacks.
Once the preliminary checks are complete, ADSelfService Plus verifies the user's identity by running the authentication procedures configured by the administrator.
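As an added example (not ADSelfService Plus code), the four preliminary checks above are modelled as a single gate that runs before any authentication method, together with the temporary block that counts wrong answers or codes inside a time window. The user records, feature names, thresholds and block duration are constructed assumptions standing in for the AD data and administrator policy.

```python
from dataclasses import dataclass, field

# Constructed stand-in for AD membership and ADSelfService Plus policy settings.
# Keys are (domain, username); shape and values are assumptions for this example.
USERS = {
    ("corp.example", "alice"): {"enrolled": True, "features": {"reset", "unlock"}},
    ("corp.example", "bob"):   {"enrolled": False, "features": {"reset"}},
}
MAX_FAILURES = 3           # assumed admin setting: wrong answers/codes allowed
FAILURE_WINDOW = 15 * 60   # assumed: failures are counted within 15 minutes
BLOCK_SECONDS = 30 * 60    # assumed: length of the temporary block


@dataclass
class BlockState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    blocked_until: float = 0.0


BLOCKS: dict = {}  # (domain, username) -> BlockState


def preliminary_checks(domain: str, username: str, action: str, now: float):
    """Return None if the request may proceed to the configured authentication
    methods; otherwise the name of the check that stopped it. Order matches
    the page: domain affiliation, policy settings, enrollment, blocked users."""
    user = USERS.get((domain, username))
    if user is None:
        return "domain affiliation"
    if action not in user["features"]:
        return "policy settings"
    if not user["enrolled"]:
        return "enrollment status"
    state = BLOCKS.get((domain, username))
    if state is not None and state.blocked_until > now:
        return "blocked user"
    return None


def record_failure(domain: str, username: str, now: float) -> bool:
    """Count one wrong verification code or security answer. Returns True when
    the account has just been temporarily blocked (MAX_FAILURES within
    FAILURE_WINDOW seconds), which is the guessing protection the page describes."""
    state = BLOCKS.setdefault((domain, username), BlockState())
    state.failures = [t for t in state.failures if now - t < FAILURE_WINDOW]
    state.failures.append(now)
    if len(state.failures) >= MAX_FAILURES:
        state.blocked_until = now + BLOCK_SECONDS
        state.failures.clear()
        return True
    return False
```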
Added layer of security: The widely used question-and-answer security method, employed in social media, has become flawed because users supply questions and answers that are easy for hackers to find. By adding verification codes and Google Authenticator to the identity verification process, ADSelfService Plus has made accounts more secure.
User friendly: Easy access to email and mobile phones has made those devices a simpler option for users to manage their accounts on the go.
Power to the administrator: Administrators have complete control over whether to choose any one or all of the authentication modes for added security.
Email notification upon password self-service: Whenever a user completes a self-service action, they'll receive an email notification from ADSelfService Plus. The email notification acts as an alert in case of unauthorized account activity and allows the user to react and prevent further damage.
Free Active Directory users from lengthy help desk calls by allowing them to self-service their password reset and account unlock tasks. The ADSelfService Plus ‘Change Password’ console gives Active Directory users a hassle-free way to change their passwords.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Notify Active Directory users of their impending password or account expiry by emailing them password and account expiry notifications.
Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats by requiring Active Directory users to adhere to compliant passwords and displaying the password complexity requirements with ADSelfService Plus.