With the number of security breaches increasing every day, relying on usernames and passwords alone to secure users' accounts is no longer an option. Instead of just making passwords stronger, a more viable solution is to add an additional layer of security to filter out unauthorized users. Two-factor authentication (TFA)—a method in which users are authenticated with something they know and something they have—makes this possible.
With ADSelfService Plus' Windows Logon TFA feature enabled, users have to authenticate themselves in two successive stages to access their Windows machine. The first level of authentication is through something they know: their usual Windows credentials. The second level of authentication—something they have—can be through one of the following:
Windows Logon TFA ensures that there is no risk to sensitive data, even in cases where passwords are compromised. That is, even if unauthorized users gain access to a user's password, they still need access to the user's phone or email to get the verification codes. Moreover, the SMS and email-based verification codes as well as the authentication codes from Duo Security and RSA SecurID are unique to each user. These codes can only be used once and will expire if they aren't used within a certain period of time.
When Windows Logon TFA is enabled, it adds TFA to all Windows local and remote login attempts.
ADSelfService Plus supports Windows Logon TFA on the following operating systems:
Figure 1: How Windows Logon TFA works.
With Windows Logon TFA, ADSelfService Plus provides improved security to your users' accounts, securing them against potential security threats. As it is highly unlikely that every user in a domain would require Windows Logon TFA to be enabled, ADSelfService Plus also offers you the ability to configure TFA based on domain, OU, or group membership.
Free Active Directory users from lengthy help desk calls by allowing them to self-service their password reset and account unlock tasks. Hassle-free password change for Active Directory users with the ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Notify Active Directory users of their impending password or account expiry by mailing them password/account expiry notifications.
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by making Active Directory users adhere to compliant passwords through displayed password complexity requirements.