Allowing end users to reset their passwords or unlock their own accounts poses security risks. It is not uncommon for an attacker to masquerade as a valid user to steal credentials. To ensure that only the intended users access the self-service portal, ADSelfService Plus employs the following stringent authentication methods to establish users’ identities:
Administrators have the flexibility to choose all authentication procedures or a combination of the available methods based on their needs.
Users enroll with ADSelfService Plus by answering a series of personal questions; the answers are then stored securely in the ADSelfService Plus database after encryption. To reset their passwords or to unlock their accounts, users are required to verify their identity by answering the questions they previously responded to.
Administrators can further strengthen identity verification by adding additional restrictions to the questions and answers.
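As an added illustration (this is not ADSelfService Plus code, and the page only says answers are encrypted before storage), the following shows one defensible way to enrol and verify security-question answers so that the stored values cannot be read back even by a database administrator: each answer is normalised, then stored as an independent salted PBKDF2 hash, and verification compares all answers in constant time. The work factor, salt size and the questions are assumptions for the example.

```python
"""
Added example (not ADSelfService Plus code): enrolling and verifying
security-question answers without keeping them in recoverable form.
The product page only says answers are encrypted before storage; the
salted PBKDF2 hashing below is a design assumption for illustration.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so trivial variations still match.

    Users rarely retype an answer with identical spacing and case, so
    fold case, collapse whitespace and apply Unicode NFKC. Keep the set
    of transformations small: every folded variant is one a guesser
    also gets for free.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a normalised answer; a fresh random
    salt is generated when none is supplied."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def enroll(questions_and_answers: dict) -> dict:
    """Store one independent salt+hash per question, so two users with
    the same answer (or one user reusing an answer) get different records."""
    return {q: hash_answer(a) for q, a in questions_and_answers.items()}


def verify(enrolment: dict, attempts: dict) -> bool:
    """All enrolled questions must be answered correctly.

    Every answer is checked even after the first failure so that timing
    does not reveal which question was wrong, and each comparison uses
    a constant-time compare.
    """
    ok = True
    for question, (salt, expected) in enrolment.items():
        supplied = attempts.get(question, "")
        _, got = hash_answer(supplied, salt)
        ok &= hmac.compare_digest(expected, got)
    return ok


if __name__ == "__main__":
    # Constructed sample enrolment and two verification attempts.
    record = enroll({"first pet": "Rex", "city of birth": "New  York"})
    print(verify(record, {"first pet": "rex", "city of birth": "new york"}))
    print(verify(record, {"first pet": "rex", "city of birth": "boston"}))
```

The normalisation step is a deliberate trade-off: it reduces false rejections for legitimate users, but each folded variant also counts for a guesser, which is why it is combined with the attempt limits the page describes rather than relied on alone.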
When a user attempts to reset their password or unlock their account, a verification code is sent to their mobile device or email address. Administrators can also send a secure link via email which the user can use to reset their password. Administrators can configure the number of times a user can enter invalid credentials before they are temporarily blocked from logging in.
Note: Administrators can configure ADSelfService Plus to pull the mobile device and email address from the corresponding LDAP attributes in Active Directory.
ADSelfService Plus supports Google Authenticator, a widely used, third-party authentication application for mobile phones. Users enroll with ADSelfService Plus by scanning a QR code. When performing any self-service operation, the user is required to open the app and enter the code displayed in Google Authenticator to verify their identity.
In addition to Google Authenticator, administrators can use other third-party, time-based authenticators such as Microsoft Authenticator or Sophos Authenticator.
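Google Authenticator and the other time-based apps named above all implement the same open standard, TOTP (RFC 6238, built on RFC 4226 HOTP), which is what makes them interchangeable. The following added example (not code from ADSelfService Plus or from any of those vendors) shows the scheme end to end: the otpauth:// URI that an enrolment QR code encodes, code generation, and a server-side verifier that tolerates one step of clock skew and rejects replay of an already-used code. The secret, account name and issuer are constructed values; the product's own enrolment format is not described on the page.

```python
"""
Added example (not ADSelfService Plus or Google code): TOTP per RFC 6238
over RFC 4226 HOTP, the scheme shared by Google Authenticator,
Microsoft Authenticator and similar time-based apps. Labels and secrets
below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that an enrolment QR code encodes (labels are
    constructed). The Base32 secret is the sensitive part: display it
    once, over TLS, and never log it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check with a +/-1 step clock-skew window and replay
    protection: each time step's code is accepted at most once."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_used_step = -1  # highest step already consumed

    def verify(self, code: str, at=None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_used_step:
                continue  # already consumed (or older): rejects replays
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    print(provisioning_uri(demo_secret, "alice@corp.example", "ExampleIssuer"))
    print("code for t=59:", totp(demo_secret, 59))
```

The verifier remembers only the highest accepted step, which is enough to refuse a code captured and resubmitted within the skew window; a real deployment would keep that value per user in persistent storage so it survives a restart.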
Multi-factor authentication in ADSelfService Plus supports Duo Security, a widely trusted access platform that secures organizations by verifying the identities of users. Users are required to enroll with Duo Security. When this authentication procedure is enabled and users attempt to reset passwords or unlock accounts, they are required to select a mode of communication (push notification, SMS, or call) through which Duo Security sends a verification code. Upon successful verification, users can self-service their passwords and accounts.
ADSelfService Plus can be integrated with RSA SecurID to provide secure authentication for users trying to access a network resource. When resetting a password or unlocking an account, users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received by email or SMS to log in to ADSelfService Plus.
ADSelfService Plus allows administrators to add RADIUS as an additional avenue for user authentication. After administrators enable RADIUS, users are required to provide their RADIUS passwords to authenticate themselves. Once the account is verified, the user can then proceed with performing the self-service operation or move on to the next authentication procedure in the configured sequence.
In order to prevent malicious users from taking multiple guesses at the answers, administrators can set up a temporary block for any account that racks up a specified number of wrong answers within a certain amount of time.
The identity verification process starts when the user accesses the ADSelfService Plus application and clicks on the "Reset Password" or "Unlock Account" link. After the user enters their username and the domain, the ADSelfService Plus server performs a series of security checks.
Domain affiliation check: Checks if the user is affiliated with the specified domain.
Policy settings check: Checks if the user has permission to reset their password or unlock their account through ADSelfService Plus. ADSelfService Plus policies can be configured so that end users only have access to certain self-service features.
Enrollment status check: Checks if the user has enrolled with ADSelfService Plus by answering the security questions, updating their mobile number or email address, and synchronizing their Google Authenticator account. Only enrolled users are allowed to reset passwords and unlock accounts.
Blocked users check: Checks if the user account has been blocked by the ADSelfService Plus server from performing self-service actions after repeated failed verification attempts. Users who fail to enter the correct verification code and/or answer(s) to the security question(s) will be blocked by the application after a certain number of attempts as set by the ADSelfService Plus administrator. This helps prevent bot-based attacks, denial-of-service attacks, and other types of attacks.
Once the preliminary checks are complete, ADSelfService Plus verifies the user's identity by running the authentication procedures configured by the administrator.
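The four preliminary checks above, together with the temporary block described earlier (a set number of wrong answers within a set time window), can be expressed as one short pipeline. The following added example is not ADSelfService Plus code: it runs the domain, policy, enrollment and blocked-user checks in order against constructed in-memory directory data, and implements the block as a sliding window (N failures within W seconds locks self-service for D seconds). Users, groups, policies and thresholds are all assumptions for the example; the product's real data model and defaults are not stated on the page.

```python
"""
Added example (not ADSelfService Plus code): the preliminary checks
(domain, policy, enrolment, blocked) run in order against in-memory
directory data, with the temporary block implemented as a sliding
window. All users, policies and thresholds are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class User:
    name: str
    domain: str
    groups: set
    enrolled_factors: set   # e.g. {"questions", "email", "totp"}


@dataclass
class Policy:
    """Which self-service actions a group may perform, and which
    enrolment factors are mandatory before any of them is allowed."""
    allowed_actions: set
    required_factors: set


class FailureTracker:
    """Sliding-window lockout: `max_failures` within `window` seconds
    blocks the account for `block_for` seconds (values are assumptions)."""

    def __init__(self, max_failures=3, window=300, block_for=900):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = defaultdict(deque)   # user -> failure timestamps
        self._blocked_until = {}              # user -> unblock time

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed verification; return True if the account
        just became blocked."""
        q = self._failures[user]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                        # forget failures outside the window
        if len(q) >= self.max_failures:
            self._blocked_until[user] = now + self.block_for
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def is_blocked(self, user: str, now: float) -> bool:
        until = self._blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[user]      # block has expired
            return False
        return True


def preliminary_checks(username, domain, action, users, policies, tracker, now):
    """Return (ok, reason). The unknown-user and wrong-domain cases share
    one reason so the response does not reveal which accounts exist."""
    user = users.get((username.lower(), domain.lower()))
    if user is None:
        return False, "domain affiliation check failed"
    policy = next((policies[g] for g in user.groups if g in policies), None)
    if policy is None or action not in policy.allowed_actions:
        return False, "policy does not permit this action"
    if not policy.required_factors <= user.enrolled_factors:
        return False, "user is not enrolled"
    if tracker.is_blocked(user.name, now):
        return False, "account temporarily blocked"
    return True, "proceed to authentication"


if __name__ == "__main__":
    users = {("alice", "corp.example"):
             User("alice", "corp.example", {"staff"}, {"questions", "email", "totp"})}
    policies = {"staff": Policy({"reset_password", "unlock_account"}, {"questions", "totp"})}
    tracker = FailureTracker()
    print(preliminary_checks("alice", "corp.example", "reset_password",
                             users, policies, tracker, now=0))
```

Counting failures against the enrolled account name rather than the submitted username matters here: a request for a wrong domain never reaches the tracker, so an attacker cannot lock out a user by targeting a domain the user is not affiliated with.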
Added layer of security: The widely used question-and-answer security method, employed in social media, has become flawed because users supply questions and answers that are easy for hackers to find. By adding verification codes and Google Authenticator to the identity verification process, ADSelfService Plus has made accounts more secure.
User friendly: Easy access to email and mobile phones has made those devices a simpler option for users to manage their accounts on the go.
Power to the administrator: Administrators have complete control over whether to choose any one or all of the authentication modes for added security.
Email notification upon password self-service: Whenever a user completes a self-service action, they'll receive an email notification from ADSelfService Plus. The email notification acts as an alert in case of unauthorized account activity and allows the user to react and prevent further damage.
Free Active Directory users from lengthy help desk calls by allowing them to self-service their password reset and account unlock tasks. Hassle-free password change for Active Directory users with the ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Notify Active Directory users of their impending password or account expiry by mailing them password and account expiry notifications.
Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by requiring Active Directory users to choose compliant passwords and displaying the password complexity requirements to them.