What is FIDO2 authentication?
FIDO2 authentication is an open authentication standard developed by the Fast Identity Online (FIDO) Alliance, an industry consortium that aims to reduce reliance on passwords and improve the overall security of online authentication.
FIDO2 utilizes public key cryptography and ensures interoperability with various vendors' hardware, mobile authenticators, and biometric authentication methods, including facial recognition, on diverse browsers and operating systems. This enables passwordless authentication, facilitating smoother logins to numerous web services.
Passwordless and phishing-resistant MFA with FIDO2
FIDO2 eliminates passwords and replaces them with native authentication mechanisms on users' devices, like Windows Hello and Apple TouchID, and portable security keys.
Alongside its ability to eliminate passwords, FIDO2 is recognized for its robust security standing, and here's why: All communication between the parties involved in FIDO2 authentication is done using public key cryptography. That is, instead of communicating the actual user-entered authentication secret—such as a PIN, an OTP, or biometric information—to the authentication server, a mathematically generated key corresponding to the secret is communicated. Simply put, user credentials are not shared between services. So, even if one service is compromised, the credentials cannot be used to access other services, making FIDO2 authentication resistant to phishing, replay, and manipulator-in-the-middle (MITM) attacks.
FIDO2 authentication is a secure, user-friendly, cost-effective, and more resilient substitute for traditional password-based authentication systems.
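How a relying party's checks on a WebAuthn assertion produce the phishing and replay resistance described above, as an added example (not ADSelfService Plus code and not part of the original page). It uses Node.js's built-in crypto module; the RP ID, the origins, and the `makeAuthenticator` and `verifyAssertion` helpers are constructed for illustration, and the stand-in authenticator signs for any RP ID so that the server-side checks can be exercised.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const RP_ID = 'login.example.test';          // constructed relying-party ID
const ORIGIN = 'https://login.example.test'; // constructed expected origin
const sha256 = (data) => createHash('sha256').update(data).digest();

// Stand-in for browser + authenticator. The private key stays inside this closure;
// only the public key is handed to the server at enrollment.
function makeAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  function getAssertion(challenge, origin, rpId) {
    // The browser, not the page, records the origin that asked for the assertion.
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const signCount = Buffer.alloc(4);
    signCount.writeUInt32BE(++counter);
    // rpIdHash (32 bytes) | flags (UP 0x01 + UV 0x04) | signature counter (4 bytes)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), signCount]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
  }
  return { publicKey, getAssertion };
}

// Server-side checks on an assertion; returns 'ok' or the reason for rejection.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, pending) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (!pending.delete(client.challenge)) return 'unknown-or-replayed-challenge'; // single use
  if (client.origin !== ORIGIN) return 'origin-mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rp-id-mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const authenticator = makeAuthenticator();
  const pending = new Set(); // challenges the server has issued and not yet consumed
  const issue = () => { const c = randomBytes(32); pending.add(c.toString('base64url')); return c; };
  const good = authenticator.getAssertion(issue(), ORIGIN, RP_ID);
  const first = verifyAssertion(good, authenticator.publicKey, pending);
  const replayed = verifyAssertion(good, authenticator.publicKey, pending);
  // Fresh challenge relayed through a look-alike site: the signed origin gives it away.
  const phish = authenticator.getAssertion(issue(), 'https://login.example.invalid', 'login.example.invalid');
  const relayed = verifyAssertion(phish, authenticator.publicKey, pending);
  return { first, replayed, relayed };
}
console.log(demo());
```

The PIN or biometric never appears in any message: it only unlocks the private key locally, and the server stores nothing but the public key.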
Implementing FIDO2 authentication using ADSelfService Plus
ManageEngine ADSelfService Plus supports FIDO2 authentication to secure access to cloud applications, OWA logins, and more. Using the WebAuthn API, ADSelfService Plus provides secure and customizable FIDO2 authentication, supporting both platform and roaming FIDO2 authenticators.
Customizable configuration

Configure your preferred username pattern.
Choose whether you want users to enroll using platform FIDO2 authenticators, roaming FIDO2 authenticators, or both.
Choose how many credentials users are allowed to enroll for FIDO2 authentication.
Comprehensive reports

Generate comprehensive reports on users' FIDO2 enrollment status.
Instantly disenroll FIDO2 credentials for users upon detecting suspicious activities.
Employ filters to effortlessly locate specific users within a large pool of records.
Easy enrollment

Provide a simple, user-friendly console for hassle-free FIDO2 enrollment and authentication for your users.
FIDO2 authentication methods supported by ADSelfService Plus
ADSelfService Plus supports both platform and roaming FIDO2 authentication methods. Platform authenticators are those that are native to a computer or mobile device, and roaming authenticators are those that are portable and can be used for identity verification on any device. The following are the FIDO2 authentication methods that ADSelfService Plus supports:
- Platform authenticators: Built-in authenticators native to the device and controlled by the operating system, such as Windows Hello, Apple TouchID, and Android Biometrics.
- Roaming authenticators: FIDO2- and U2F-compliant security keys like YubiKey and Google Titan.
Benefits of FIDO2 authentication with ADSelfService Plus
- No more passwords
FIDO2 securely eliminates passwords from the authentication equation and replaces them with native device authentication mechanisms.
- No sharing of user secrets
User secrets are translated into encrypted keys using public key cryptography and are not exposed to the network.
- Phishing resistance
Phishing, replay, and MITM attacks are repelled since attackers cannot obtain user credentials over the network.
- Support for multiple credentials
Using ADSelfService Plus, users can enroll up to three FIDO2 credentials corresponding to different devices and platforms.
- Customizable FIDO2 authentication
ADSelfService Plus provides customizable configuration controls for FIDO2, offering both single- and two-factor authentication options to protect sensitive resources.
- Compliance with regulatory standards
Deploying FIDO2 authentication with ADSelfService Plus ensures compliance with regulatory standards such as the NIST Cybersecurity Framework, HIPAA, the PCI DSS, and the PSD2.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to choose compliant passwords by displaying password complexity requirements.