2FA for Windows login

Enforce MFA for Windows logins and thwart unauthorized access

Stolen or weak machine passwords are a prevalent attack vector. The Microsoft Digital Defense Report 2024 states that 99% of identity cyberattacks are password-based. Advancements in credential-based attacks mean that when it comes to keeping your systems safe, amping up the complexity of machine passwords does not suffice. Depending solely on password-based authentication, especially at the enterprise level, leaves the organizational network, data, and IT infrastructure fragile, possibly resulting in lateral movement, privilege escalation, data exfiltration, ransomware attacks, and other security consequences.

Two-factor authentication (2FA), which is a subset of multi-factor authentication (MFA), is a simple yet sturdy mechanism to thwart credential-based attacks. By enabling Windows two-factor authentication and multi-factor authentication for workstations and servers, organizations can avert a significant percentage of cyberattacks.

An enterprise-ready Windows two-factor authentication solution

ManageEngine ADSelfService Plus offers the ideal Windows login 2FA solution that's backed by robust authentication methods, risk-based access controls, and offline protection. Its comprehensive Windows MFA capabilities fortify all Windows endpoints, including workstations, servers, RDP, and UAC.

How to perform Windows 2FA via ADSelfService Plus

1. When 2FA for Windows login is configured, users logging in to their Windows machines must first verify their identities using their AD domain credentials.
2. Next, they complete the Windows login MFA process by authenticating with additional methods such as biometrics, TOTP, or SMS verification. Depending on the configuration, users may need to verify their identities through one or more authentication methods.
3. Finally, users are logged in to their Windows machines once they have successfully verified their identities using the configured authentication methods.

The solution supports both Windows local and RDP MFA, providing enhanced login security.

What are the methods supported for Windows 2FA?

ADSelfService Plus supports a comprehensive list of knowledge, possession, and inherence authentication methods for admins to design the Windows login MFA and 2FA flows appropriate to the target users. Here is the complete list of supported authenticators:

Click here to learn more about these authentication factors.

How to setup MFA for Windows logins

1. Log in to the ADSelfService Plus web console with admin credentials.
2. Navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
3. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for each set of users.
4. In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down menu.
5. Click Save Settings.

Effective integration with major OS versions for Windows MFA

ADSelfService Plus supports enabling MFA for Windows logins for the following OS versions:

Apart from Windows OS, the solution also supports 2FA for macOS and Linux OS.

Tailored Windows 2FA to fit any organization's needs

Admins can customize ADSelfService Plus' Windows login MFA feature to align with their organization's specific security, policy, and compliance requirements.

• Granular authentication controls: Enable specific authenticators for users in particular AD domains, groups, and OUs. Create granular Windows login 2FA flows appropriate to a user's job role, device policy, and preexisting authenticators.
• True MFA: Configure different numbers of authentication levels—with a maximum of three—for users based on their AD domains, OUs, and groups. Heighten or relax the authentication process based on a user's job role and privileges.
• Flexible enrollment policies: Enforce mandatory authentication factors for enhanced security or allow users to choose their desired authenticators from a preconfigured list.
• Trusted device exemption: Allow selected users to skip MFA for Windows logins when using a trusted device. A trusted device refers to a device that has been previously authenticated through the MFA process. This trust remains valid for a set period, after which reauthentication is necessary.

MFA for Windows RDP  

RDP access attempts are the most vulnerable, as remote connections to the organizational network may have exploitable security gaps. By enforcing MFA for RDP, ADSelfService Plus ensures that remote access is secured by advanced authentication methods. Moreover, the solution's Windows RDP 2FA process is twofold, safeguarding both RDP server authentication and RDP client authentication prompts from manipulator-in-the-middle, phishing, and credential-based attacks.

MFA for Windows UAC  

ADSelfService Plus also integrates MFA for Windows UAC elevation prompts. Any time a user or process attempts to perform an administrative action, a second authentication factor is required. This prevents privilege escalation by malicious insiders or malware posing as trusted applications.

Windows server MFA  

Enforcing Windows server MFA is crucial for protecting critical servers from unauthorized access. Windows servers often store sensitive data and run essential services, making them a gold mine for threat actors. By implementing Windows server 2FA with authentication methods like biometrics and one-time passwords, admins can ensure that even if credentials are compromised, attackers cannot gain access to their Windows Server instances. This feature is compatible with Windows Server 2008 and above.

Machine-centric Windows 2FA  

Machine-based 2FA is where the Windows login 2FA is triggered based on the device policy settings rather than individual user account settings. When this is enabled, all users logging in to a specific machine must verify their identities using 2FA. Admins can configure authentication methods for machine-based 2FA for Windows, selecting from a range of authenticators.

2FA for Windows offline logins  

ADSelfService Plus supports offline 2FA for Windows machines, ensuring secure logins even when users are remote, offline, or unable to connect to the product server. Administrators can configure multiple authentication methods for secure logins. To enable offline access, users must enroll in their chosen authentication factors while online. This offline Windows 2FA solution enhances security for remote workers, ensuring continuous protection even without internet connectivity.

Benefits of choosing ADSelfService Plus for Windows MFA

• Simple deployment: The intuitive admin web portal simplifies Windows MFA configuration and offers scheduler-based, automated MFA agent deployment across end-user devices. The MFA agent is automatically installed on devices new to the domain at a set time.
• Comprehensive configuration: MFA extends to macOS and Linux logins, VPNs, Outlook on the web, and major enterprise applications, ensuring an enterprise's attack surface is minimized as much as possible.
• Assured user enrollment: Bulk enrollment and mandated enrollment options are provided to ensure users' Windows machines and domain accounts are secured by 2FA.
• Real-time reporting: The built-in reporting feature offers audit-ready logs that track every authentication attempt across endpoints. These real-time insights help administrators monitor access patterns, detect anomalies, and ensure compliance with security policies.
• Compliance with regulations: The 2FA feature helps organizations meet industry mandates by enforcing strong, identity-based access controls. It aligns with standards like the GDPR, the PCI DSS, HIPAA, and the NIST CSF by minimizing the risk of unauthorized access to sensitive systems and data.