Pricing  Get Quote

Device-based MFA

Secure user access to critical machines

with machine-based MFA

Start free trial

What is device-based MFA, and why do you need it?

Device-based or machine-based MFA means that the MFA process is initiated for a user based on the device that they log on to, instead of being based on their user account properties and policy settings. This provides additional security, authentication, device trust, and RDP login benefits for users.

The usual Windows machine MFA works by prompting a second authentication factor based on the user account as they try to log on to a specific device. The respective user's policy settings and enrollment status dictate the initiation of the Windows logon MFA process. This means that, if a user does not have any policy settings applied, the MFA process will be skipped for them during logon to the same device for which other enrolled users are required to complete MFA.

Not having MFA enabled is a huge drawback when a user tries to log on to a business-critical device, say a server machine. MFA should be mandated for all users equally in such cases.

Device-based MFA with ADSelfService Plus

ManageEngine ADSelfService Plus offers device-based or computer-based MFA, where MFA is triggered based on the device's policy settings and not the user account's during logon. When this feature is enabled, all users logging on to a particular machine must prove their identities using MFA, regardless of their enrollment status, self-service policy membership, or ADSelfService Plus server connectivity. The authenticators prompted to the user will be similar to those configured in ADSelfService Plus' Windows logon MFA settings.

  • Device-based MFA with ADSelfService Plus - 2
  • Device-based MFA with ADSelfService Plus - 1

How does device-based (or machine-based) MFA work?

When device-based MFA is enforced for a particular machine, any user trying to access it will be requested to prove their identity using MFA to successfully log in to the machine. The MFA authenticators prompted to the user will be based on the authenticators configured for them in the machine logon MFA.

Users can choose to enable the device trust option for computer-based MFA. When this is done, they will be allowed to log in to the machine without performing MFA for a specified duration after initial identity verification.

Supported device types for machine-based MFA

ADSelfService Plus supports the following:

  • Windows machine MFA
  • Linux machine MFA
  • macOS machine MFA
  • Server MFA
  • Workstation MFA

Benefits of enabling machine-based MFA using ADSelfService Plus


    Security for critical machines

    Ensures MFA protection during all logons, irrespective of the user account, for business-critical servers and machines.


    Wide variety of authenticators

    Provides device-based MFA by choosing from ADSefService Plus' various authentication options.


    Device trust options for an enhanced user experience

    Enables quick logins for users to their machines without MFA for a specified duration after initial identity verification through the trusted device option.


    MFA for RDP logins

    Secures remote desktop logins to a particular critical device from other machines with MFA.

Protect your business-critical machines with ADSelfService Plus' device-based MFA

Get your free trial

ADSelfService Plus also supports


    Adaptive MFA

    Enable context-based MFA with 19 different authentication factors for endpoint and application logins.

    Learn more  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  

ADSelfService Plus trusted by