With one in three data breaches attributed to stolen credentials, multi-factor authentication (MFA) has rightfully become a focal point for many IT organizations. Most employees succumb to the pressure of managing multiple passwords and resort to reusing passwords or creating weak ones, making them an easy target for cybercriminals. Enabling ADSelfService Plus' endpoint MFA capabilities adds a second factor to authenticate user identity and authorize access to sensitive IT resources.
Employees' desktops and laptops, besides storing confidential data and cached credentials, can also serve as an entry point for a cyberattack. Without system-based MFA, cybercriminals could leverage a compromised user account to access the user's machine and connected IT systems.
When ADSelfService Plus' MFA for macOS is enforced, users will be required to authenticate their identity via two factors before they can access their machine. The first factor is generally the user’s Active Directory (AD) credentials, and the second factor is often customized security questions or a one-time passcode via email or SMS.
ADSelfService Plus also supports a second factor of authentication for local and remote Windows logons.
System-based MFA safeguards sensitive data even in cases where passwords are compromised. That is, if a cybercriminal steals a user's password via a credential-based attack or data-hoarding site, they still need access to the user's phone or email to complete the second authentication factor.
SMS and email-based verification codes, as well as the authentication codes from Duo Security and RSA SecurID, are unique. These codes can only be used once and will expire if they aren't entered within a certain period.