Pricing  Get Quote

Endpoint multi-factor authentication

with ADSelfService Plus

Start free trial

Barricade access to a hacker’s point of contact

With an estimated 70 percent of breaches starting at endpoints, it's high time that admins take action to prevent these intrusions by leveraging multi-factor authentication (MFA). Endpoint MFA ensures users prove their identity through additional authentication methods like biometrics during workstation, server, VPN and OWA logins. Implementing Endpoint MFA mitigates the risks of exposing sensitive data, even in cases where passwords are compromised due to inadequate password hygiene.

Redefining endpoint security with MFA

ADSelfService Plus offers Endpoint MFA to help organizations secure multiple points of access to organization's sensitive resources. ADSelfService Plus' Endpoint MFA secures access to:

  • Windows, macOS, and Linux machines.
  • Top VPN providers like Fortinet, Cisco AnyConnect, Pulse, and more.
  • Endpoints supporting RADIUS authentication such as Citrix Gateway, VMWare Horizon, and Microsoft Remote Desktop Gateway (RDP).
  • OWA logins

Moreover, ADSelfService Plus offers offline MFA for Windows machines which ensures the security of offline remote workers during machine logons.

Complete endpoint protection: ADSelfService Plus' Endpoint MFA in action

With Endpoint MFA in place, users are first authenticated through Active Directory (AD) domain credentials, and next through authentication techniques such as one-time passwords (OTPs) sent via SMS or email, or Yubico OTP configured in ADSelfService Plus. So, even if hackers leverage compromised user credentials, their attack attempts can be thwarted through MFA.

    According to the SANS Software Security Institute, organizations are hesitant to employ MFA because of:

  • The misconception that MFA always requires external hardware devices.
  • Concerns that MFA might affect user productivity.

ADSelfService Plus dispels both these misconceptions by providing 20 authentication techniques that don't always require external hardware devices (e.g. AD-based security questions) or affect user productivity (e.g. biometrics). However, it stands to reason that different sets of users are comfortable with different authentication techniques. Asking users who are only familiar with OTPs to use hardware tokens will generate a lot of complaints. Also, some users have more privileges than others; protecting these privileged accounts with additional authentication techniques makes more sense than implementing the same number of authentication factors for all users across the organization.

ADSelfService Plus allows admins to utilize different approaches to different sets of users to limit user disruptions. For example, with ADSelfService Plus, admins have the option to enforce OTPs, tokens, or security questions for one set of users (say, users inside the LAN network); and configure more stringent authentication techniques like fingerprint or FaceID authentication for another set of users (say, C-level executives or remote employees).

Supported authentication techniques

  1. Fingerprint
  2. Face ID
  3. Duo Security
  4. Microsoft Authenticator

Find the complete list of supported authenticators here.

  1. Google Authenticator
  2. YubiKey Authenticator
  3. Email verification
  4. SMS verification

Simplify administration

ADSelfService Plus provides features to help admins:

  • Enable MFA based on OUs and groups
    Enforce endpoint MFA and use different sets of authentication techniques for different users based on domain, OU, and group memberships.
  • Ensure 100 percent enrollment
    Automate user enrollment by importing users' domain information through CSV files or force enrollment using login scripts.
  • Get detailed reports
    Gain comprehensive insights on user activities such as identity verification failures and login attempts, and also find users with weak passwords.
  • Simplify authentication
    Use authentication techniques like fingerprint authentication, push notification authentication, YubiKey, and QR code-based authentication to help users prove their identity with minimal effort.

Benefits of multi-factor authentication


    Seamless login experience

    Ensure a seamless login experience for users irrespective of the platform they use.


    Prevent sophisticated cyberattacks

    Get a leg up on the challenges caused by weak user passwords, password reuse, and credential-based attacks.


    Ensure compliance

    Meet NIST SP 800-63B, GDPR, and HIPPA compliance mandates.


    Secure remote logon attempts

    Secure both local and remote login attempts to Windows, macOS, and Linux machines.

Control user access to Windows,
macOS, and Linux today.



1. What is endpoint MFA?

Endpoint multi-factor authentication (MFA) secures all user access to an organization's endpoints, such as networks, workstations, virtual machines, and servers, with multiple identity verification factors.

2. Does my organization need endpoint protection with MFA?

Yes, employing an endpoint MFA solution in your organization is a recommended practice. Organizational endpoints act like doorways which provide access to organizational data at different levels. Traditional methods of authentication, like username and password, cannot protect endpoints on their own because they can easily be compromised. It's essential to add extra layers of security to endpoints so that there are no unauthorized data access or breach incidents.

3. How can I secure the endpoints in my organization?

You can achieve top-notch endpoint security in your organization with endpoint MFA using ADSelfService Plus. With ADSelfService Plus, you can implement MFA for endpoints like:
  • Windows, macOS, and Linux machines
  • Top VPN providers like Fortinet, Cisco AnyConnect, Pulse, and more
  • Outlook on the web or OWA
  • Endpoints supporting RADIUS authentication, such as Citrix Gateway, VMWare Horizon, and Microsoft Remote Desktop Gateway (RDP)

To get a better understanding of ADSelfService Plus' endpoint MFA capability, please schedule a personalized web demo with our product experts.

4. What are the different types of authenticators that ADSelfService Plus offers for endpoint MFA?

ADSelfService Plus offers 20 different authenticators to secure your endpoints. You can choose from a range of strong yet easy to configure authenticators, like YubiKey, biometrics, smart card, Microsoft Authenticator, Duo Security, RSA SecurID, and custom TOTP, to barricade your endpoints against cyberattacks.

ADSelfService Plus also supports


    Adaptive MFA

    Enable context-based MFA with 20 different authentication factors for endpoint and application logins.

    Learn more  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  

ADSelfService Plus trusted by