Multi-factor authentication (MFA) helps reduce the attack surface and protects your business by requiring a higher level of identity assurance. It can be enabled for all users, and all systems—both cloud and on-premises applications and endpoints—in your network. You can leverage ManageEngine ADSelfService Plus to effectively and effortlessly deploy MFA in your organization and protect your business.
Enable users to perform self-service password reset (SSPR), and self-service account unlock only after they prove their identity via the enforced authenticators
Regulate enterprise application access via single sign-on (SSO) with advanced authenticators including biometrics, or RSA SecurID.
Secure local and remote access to Windows, macOS, and Linux OS with MFA.
ADSelfService Plus enables IT administrators to trigger a preconfigured authentication workflow once a user initiates a password self-service, SSO, or endpoint login. Using this workflow, IT admins can enforce different authenticators for different sets of users, based on their OU, domain, and group memberships.
ADSelfService Plus secures both local and remote login attempts to servers and workstations.
With MFA, ADSelfService Plus tackles all credential-based cyberattacks, including brute force, password spray, and dictionary attacks.
ADSelfService Plus meet NIST SP 800-63B, NYCRR, FFIEC, GDPR, and HIPAA compliance mandates.
Users enroll in ADSelfService Plus by answering several user-specific questions; the answers are then stored securely in the ADSelfService Plus database after encryption. To reset their password or unlock their account, the users are required to prove their identity by answering the questions previously provided. IT admins can further strengthen identity verification with options to prevent users from using the same answers to multiple questions, or any word from the questions, and other parameters.
When users attempt to reset their passwords or unlock their accounts, a verification code is sent to their mobile number or email address. IT admins also have the option to send a secure link via email that enables the user to reset their password, or to specify the number of invalid attempts a user can enter before they are temporarily blocked from logging in. To send the password reset link, IT admins can configure ADSelfService Plus to acquire the mobile number and email address information from the corresponding Lightweight Directory Access Protocol (LDAP) attributes in Active Directory (AD).
ADSelfService Plus supports Google Authenticator, a widely-used, third-party authentication application for mobile phones. Users enroll with ADSelfService Plus by scanning a QR code. When performing any self-service operation, users are required to open the app and enter the code displayed in Google Authenticator to prove their identity.
ADSelfService Plus supports Microsoft Authenticator, a widely-used, third-party authentication application for mobile phones. Once users are enrolled in ADSelfService Plus, they can prove their identity during password self-service actions and endpoint logins by entering the code displayed in Microsoft Authenticator.
ADSelfService Plus supports YubiKey, an authentication device that identifies itself as a keyboard, and delivers a one-time password. Once enrolled, users can use the YubiKey device to prove their identity during password self-service actions and endpoint logins.
ADSelfService Plus supports Duo Security for MFA. Users are first required to enroll with Duo Security. When this authentication technique is enabled and users attempt to reset passwords or unlock accounts, they are required to select a mode of communication (push notification, SMS, or call) through which Duo Security sends a verification code. Upon successful verification, users can employ password self-service to manage their password and accounts.
ADSelfService Plus can be integrated with RSA SecurID to provide protected authentication for users trying to access a network resource. When resetting a password or unlocking an account, users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received by email, or SMS to log in to ADSelfService Plus.
ADSelfService Plus enables IT admins to add RADIUS as an additional resource for user authentication. Users are required to provide their RADIUS passwords to authenticate themselves. Once their accounts are verified, users can perform self-service operations, or advance to the next authentication factor as required by the protocol.
This is one of the easiest and quickest methods of authentication. With push notifications enabled, users will receive a login request sent fromADSelfService Plus to their registered mobile device. They can either approve the authentication request, or reject it if they did not initiate the request. Once enrolled, users can also reset their password, or unlock their account from their mobile app using push notifications.
A person's fingerprints are unique, and fingerprint authentication is one of the easiest, yet most secure authentication methods. If a user's registered mobile device has a fingerprint sensor, they can use their fingerprint to authenticate password resets, and account unlocks from the ADSelfService Plus mobile app.
The ADSelfService Plus mobile app is all that users need to use QR codes for authentication. Users can simply scan the QR code displayed on their ADSelfService Plus web portal from their registered mobile device to complete the process.
One of the most commonly used methods of authentication is TOTP. ADSelfService Plus' mobile app generates TOTPs that change every minute. Users are required to enter the 6-digit passcode during the authentication process within a minute to complete their identity verification.
ADSelfService Plus enables IT admins to establish Active Directory-based security questions as one of the MFA methods to verify user identity during a self-service password reset. When this method is enabled, the security questions are linked to an Active Directory attribute, and users are successfully authenticated when their answers match that specific attribute's value. For example, assume that the IT admin has selected "What is your social security number?" as an AD-based security question. Whenever the user attempts a password reset, they're required to enter their social security number as an answer, the specified value of the custom attribute. If entered incorrectly, the password reset operation is canceled. Since this technique utilizes the users' Active Directory attributes, they need not enroll with ADSelfService Plus separately.