Unified user identity verification across all access scenarios
In today's security landscape, relying solely on passwords is insufficient. From phishing and credential stuffing to social engineering attacks, identity-based threats are on the rise. ManageEngine ADSelfService Plus ensures that only legitimate users gain access to enterprise endpoints by enforcing reliable user identity verification at every checkpoint.
User identity verification is critical whether users are accessing enterprise machines, resetting passwords, or authenticating into enterprise applications. ADSelfService Plus enables organizations to verify user identity through a combination of primary and fallback methods, ensuring comprehensive identity verification across all scenarios.
Identity verification methods supported
With ADSelfService Plus, administrators can configure one or more identity verification methods based on organizational policies, risk level, or authentication scenarios. Organizations can verify identity using:
- Security Questions and Answers
- Email Verification
- SMS Verification
- Google Authenticator
- Microsoft Authenticator
- Azure AD MFA
- Duo Security
- RSA SecurID
- RADIUS Authentication
- Push Notification Authentication
- Biometric Authentication
- QR Code-Based Authentication
- TOTP Authentication
- SAML Authentication
- AD Security Questions
- YubiKey Authentication
- Zoho OneAuth TOTP Authentication
- Smart Card Authentication
- Custom TOTP Authenticator
- FIDO Passkeys
User identity verification scenarios supported
1. Domain identity verification for endpoint security
ADSelfService Plus provides consistent Active Directory-based identity verification via multi-factor authentication (MFA) for Windows, macOS, and Linux machines; VPN access MFA; MFA for RDP; and MFA for enterprise apps.
When organizations need to verify user identity for domain access, ADSelfService Plus complements AD’s native authentication by performing additional identity verification using MFA after AD validates the username and password.
2. Passwordless identity verification
ADSelfService Plus enables users to securely access enterprise applications, VPNs, and cloud services without entering passwords. Authentication relies on verified identity factors such as FIDO2 security keys, authenticator apps, push notifications, or biometrics. Administrators can configure fallback methods like backup codes to verify identity when primary methods are unavailable. This approach strengthens user identity verification, streamlines enterprise access, and reduces credential-related risks.
3. Local user account identity verification
ADSelfService Plus extends user identity verification to local Windows accounts, including administrator and standard users on machines connected to workgroups. Users can verify their identity using Duo Security, RSA SecurID, TOTP authenticator apps, and email and SMS passcodes, ensuring secure access even on offline devices. Administrators can enforce MFA policies for local admin and user accounts, helping prevent unauthorized access, privilege escalation, and endpoint compromise.
4. Identity verification during fallback with backup codes
If a user loses access to their registered mobile device or authenticator app, backup codes act as a reliable recovery method to verify user identity. These backup codes are generated by the administrator or the user during enrollment. They are then downloaded and stored securely to be used for identity verification when other authenticators
Additional identity assurance controls
ADSelfService Plus strengthens user identity verification further through layered defense mechanisms:
- CAPTCHA enforcement to block automated or scripted identity attacks.
- Session timeout and idle logout to prevent account misuse after authentication.
- Trusted devices to allow identity verification to be skipped for frequently used machines.
- Blocking users after repeated failed verification attempts to prevent brute-force or credential-stuffing attacks.
User identity verification best practices
To set up user identity verification that balances identity security and usability, administrators should consider these best practices:
- Prioritize critical access points: Apply stronger identity verification methods like biometrics, FIDO2 keys, or authenticator apps to high-risk accounts, VPN access, and administrative logins.
- Use multi-factor authentication: Combine multiple factors, for example biometrics with TOTPs or push notifications, to strengthen security without overburdening users.
- Enable fallback options: Provide backup codes or secondary methods so that users can verify their identity even if their primary device or authenticator is unavailable.
- Leverage contextual policies: Adjust verification prompts dynamically based on IP address, device type, geolocation, or access time, reducing friction for trusted end users while maintaining strong protection.
- Educate and support users: Provide clear instructions for enrollment, MFA use, and fallback methods to improve adoption and reduce support tickets.
By following these best practices, organizations can implement an identity verification flow that is secure, seamless, and scalable across all endpoints and access scenarios.
Benefits of user identity verification
Organizations choosing ADSelfService Plus for user identity verification benefit from:
- Stronger protection against account compromise: ADSelfService Plus protects user identities through a variety of authenticators such as biometrics, hardware tokens, authenticator apps, and email and SMS passcodes.
- Consistent identity validation across all access points: ADSelfService Plus helps verify identity for machine logins, RDP access, VPN logins, UAC prompts, and OWA access, ensuring comprehensive user identity verification.
- Flexible configuration for administrators: ADSelfService Plus allows admins to enforce single, two-layered, or three-layered identity verification for different policies, adapting to different security requirements for different users.
- Improved user experience through conditional access: ADSelfService Plus adapts user identity verification prompts based on IP address, device, location, and time, reducing friction while maintaining security.
- Comprehensive auditing and notifications: ADSelfService Plus provides a built-in reporting system with automatic logging of all identity verification events, enabling organizations to track and verify user identity across their environment.
- Regulatory compliance and audit readiness: ADSelfService Plus helps organizations meet industry standards such as NIST, ISO 27001, GDPR, and SOC 2 by helping enforce advanced identity verification methods for critical scenarios.
To learn more about implementing comprehensive user identity verification solutions that verify identity across all enterprise access points, explore ADSelfService Plus today.
Highlights of ADSelfService Plus
Password self-service
Free Active Directory users from lengthy help desk calls by letting them perform password resets and account unlocks themselves. Users can also change their Active Directory passwords without hassle through the ADSelfService Plus ‘Change Password’ console.
One identity with Single sign-on
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Password/Account Expiry Notification
Notify Active Directory users of their impending password/account expiry by emailing them expiry notifications.
Password Synchronizer
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Password Policy Enforcer
With ADSelfService Plus, ensure strong user passwords that resist various hacking threats by requiring Active Directory users to set compliant passwords and by displaying the password complexity requirements to them.
Directory Self-Update & Corporate Search
A portal that lets Active Directory users update their own information, plus a quick search facility for finding information about peers using search keys, such as the contact number, of the person being searched for.
