What is device-based MFA, and why do you need it?
Device-based or machine-based MFA means that the MFA process is initiated for a user based on the device they log on to, rather than on their user account properties and policy settings. This adds security for the device itself, consistent authentication for every user who logs on to it, device trust options, and MFA coverage for RDP logins.
Conventional Windows machine MFA prompts for a second authentication factor based on the user account that is logging on to a device. The user's own policy settings and enrollment status decide whether the Windows logon MFA process starts. This means that if a user has no policy settings applied, MFA is skipped for them even on a device where other, enrolled users must complete it.
Skipping MFA is a serious weakness when such a user logs on to a business-critical device, say a server. In these cases MFA should be mandated equally for all users.
Device-based MFA with ADSelfService Plus
ManageEngine ADSelfService Plus offers device-based or computer-based MFA, where MFA is triggered based on the device's policy settings and not the user account's during logon. When this feature is enabled, all users logging on to a particular machine must prove their identities using MFA, regardless of their enrollment status, self-service policy membership, or ADSelfService Plus server connectivity. The authenticators prompted to the user will be similar to those configured in ADSelfService Plus' Windows logon MFA settings.
How does device-based (or machine-based) MFA work?
When device-based MFA is enforced for a particular machine, any user trying to access it will be requested to prove their identity using MFA to successfully log in to the machine. The MFA authenticators prompted to the user will be based on the authenticators configured for them in the machine logon MFA.
Users can choose to enable the device trust option for computer-based MFA. When this is done, they will be allowed to log in to the machine without performing MFA for a specified duration after initial identity verification.
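As an added illustration (not ADSelfService Plus code), the following Python models the two evaluation modes described above: classic user-based MFA, which leaves an unenrolled account unprompted, and device-based MFA with a device-trust window. The class and field names, the trust window, and the assumption that classic mode cannot prompt when the server is unreachable are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed names; this models the page's description, not ADSelfService Plus' own code.
@dataclass
class User:
    name: str
    enrolled: bool      # has registered at least one authenticator
    mfa_policy: bool    # a self-service policy with Windows logon MFA applies to this account

@dataclass
class Device:
    hostname: str
    device_mfa: bool                       # device-based MFA enforced on this machine
    trust_window: timedelta = timedelta()  # device-trust duration (0 = trust disabled)
    trusted: dict = field(default_factory=dict)  # user name -> time of last verified MFA

def mfa_required(user, device, now, server_reachable=True):
    """True if this logon must complete MFA."""
    if device.device_mfa:
        # Device policy wins: enrollment, user policy and server connectivity are not consulted.
        # Only an unexpired device-trust record lets the user skip the prompt.
        last = device.trusted.get(user.name)
        return not (last is not None and now - last < device.trust_window)
    # Classic user-based mode: prompt only when the account's own settings call for it.
    # Assumption: the prompt cannot be issued at all when the server is unreachable.
    return server_reachable and user.mfa_policy and user.enrolled

def record_trust(user, device, now):
    """Called after a successful MFA when the user ticks the device-trust option."""
    device.trusted[user.name] = now

def demo():
    """Constructed scenario: enrolled admin vs. unenrolled user on a workstation and a server."""
    alice = User("alice", enrolled=True, mfa_policy=True)
    bob = User("bob", enrolled=False, mfa_policy=False)
    ws = Device("WS01", device_mfa=False)
    srv = Device("SRV01", device_mfa=True, trust_window=timedelta(hours=8))
    t0 = datetime(2024, 1, 1, 9, 0)
    results = {
        "alice_on_ws": mfa_required(alice, ws, t0),        # True
        "bob_on_ws": mfa_required(bob, ws, t0),            # False: the gap the page describes
        "bob_on_srv": mfa_required(bob, srv, t0),          # True: device policy overrides
        "bob_on_srv_offline": mfa_required(bob, srv, t0, server_reachable=False),  # True
    }
    record_trust(bob, srv, t0)
    results["bob_trusted_1h"] = mfa_required(bob, srv, t0 + timedelta(hours=1))  # False
    results["bob_trusted_9h"] = mfa_required(bob, srv, t0 + timedelta(hours=9))  # True
    return results
```

Running `demo()` shows the unenrolled user bypassing MFA on the workstation but being prompted on the server until a device-trust record is in effect, and again once that window expires.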
Supported device types for machine-based MFA
ADSelfService Plus supports the following:
- Windows machine MFA
- Linux machine MFA
- macOS machine MFA
- Server MFA
- Workstation MFA
Benefits of enabling machine-based MFA using ADSelfService Plus
- Security for critical machines: Ensures MFA protection during all logons, irrespective of the user account, for business-critical servers and machines.
- Wide variety of authenticators: Provides device-based MFA by choosing from ADSelfService Plus' various authentication options.
- Device trust options for an enhanced user experience: Enables quick logins for users to their machines without MFA for a specified duration after initial identity verification through the trusted device option.
- MFA for RDP logins: Secures remote desktop logins to a particular critical device from other machines with MFA.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to adhere to compliant passwords by displaying password complexity requirements.