Multi-factor Authentication:

ADSelfService Plus employs multiple authentication methods to verify users’ identities when they:

1. Choose to self-reset passwords and unlock accounts
2. Log into their Windows workstations
3. Log into ADSelfService Plus portal

The supported authentication methods include:

1. Security Questions and Answers
2. Email Verification
3. SMS Verification
4. Google Authenticator
5. Duo Security
6. RSA SecurID
7. RADIUS Authentication
8. Push Notification Authentication
9. Fingerprint Authentication
10. QR Code-Based Authentication
11. TOTP Authentication
12. SAML Authentication
13. AD Security Questions
14. Microsoft Authenticator
15. Yubikey Authenticator

You can enable any number of authentication methods from the list above, and configure which authentication methods are to be used for what password self-service operation.

Enabling the required authentication methods

1. Navigate to Configuration → Self-Service → Multi-factor Authentication.
2. From Choose the Policy dropdown, select a policy.

Note:

• You can configure different authentication methods for different policies. For example, you can configure Security Questions & Answers, Google Authenticator, and Duo Security for Policy 1, and SAML Authentication for Policy 2.
• You can have two or more configurations of the same authentication method for different policies. For example, you can enable three Security Questions for Policy 1 and five Security Questions for Policy 2.
3. Click the Configuration tab.
4. Now, click on the authentication methods that you want to enable and configure them.
5. Click Save.
6. Repeat steps 4 and 5 for other authentication methods that you want to enable.

Forcing users to enroll for certain authentication methods

Prerequisite: Make sure that you’ve enabled the required authentication methods.

1. Navigate to Configuration → Self-Service → Multi-factor Authentication.
2. From Choose the Policy dropdown, select a policy.
3. Click the Authenticator Settings tab
4. Under Enrollment Settings, select Enforce these authenticators during enrollment.
5. From the dropdown, select the authentication methods that you want to enforce during enrollment.
6. Select Hide Enrollment tab from end users port for enrolled users, if you want to hide the enrollment tab from enrolled users so that they don’t modify their enrollment data.
7. Click Save Settings.

Configuring multi-factor authentication for the password reset/account unlock operation

Prerequisite: Make sure that you’ve enabled the required authentication methods.

1. Navigate to Configuration → Self-Service → Multi-factor Authentication.
2. From Choose the Policy dropdown, select a policy.
3. Click the Authenticator Settings tab
4. Under MFA for Reset/Unlock, select the number of authentication methods you want to enable for the self-reset password and unlock account operations from the dropdown. For example, if you want to users to go through two steps of verification to prove their identity, then select 2 from the dropdown.
5. Select the authentication methods that users can choose from using the Configure authenticators for reset/unlockdropdown.
6. To make an authentication method mandatory, hover the mouse over the authentication method in the dropdown and click the * icon. Note:Users will be automatically forced to enroll for all the authentication methods that are marked as mandatory during enrollment.
7. Click Save Settings.

Important points to remember:

• You can enable 2 verification steps (step 4), but configure 3 or 4 authentication methods (step 5).
• In such a case, users will have the freedom to choose any 2 authentication method from the configured 4 methods to prove their identity.
• If you enable 2 verification steps and configure 4 authentication methods, but want to enforce SMS Verification as one of the steps, then mark SMS Verification as mandatory.
• In this case users will have to go through the SMS Verification first, and then can select any one of the remaining three authentication methods.

Configuring two-factor authentication for ADSelfService Plus login

Prerequisite:

• Make sure that you’ve enabled the required authentication methods.
• Make sure that you’ve configured a self-service policy that includes all the users to whom you want to enable two-factor authentication for ADSelfService Plus login.

1. Navigate to Configuration → Self-Service → Multi-factor Authentication.
2. From Choose the Policy dropdown, select a policy.
3. Click the Authenticator Settings tab
4. Under the TFA for ADSelfService Plus login section, put a check against the Enable authenticators for ADSelfService Plus login box.
5. From the dropdown, select the authentication methods. Note:
   • You have to choose at least one authentication method.
   • If you’ve chosen more than one authentication method, then users will have the freedom to select any one method and prove their identity during login.
   • For example, if you’ve selected both SMS Verification and Google Authenticator, then users will get an option to choose one method and provide their identity.
6. If you want to disable two-factor authentication when users authenticate against ADSelfService Plus for SSO to enterprise applications, put a check against the Disable TFA for SSO-enabled enterprise applications box.
7. Click Save Settings.

Configuring two-factor authentication for Windows/macOS login

Prerequisite:

Make sure that you’ve:

• Enabled HTTPS and applied a valid SSL certificate in ADSelfService Plus.
• Enabled the required authentication methods.
• Configured a self-service policy that includes all the users to whom you want to enable two-factor authentication for Windows/macOS login.

1. Navigate to Configuration → Self-Service → Multi-factor Authentication.
2. From Choose the Policy dropdown, select a policy.
3. Click the Authenticator Settings tab
4. Under the TFA for Windows/macOS login section, put a check against the Enable authenticators for Windows/macOS login box.
5. From the dropdown, select the authentication methods. Note:
   • You have to choose at least one authentication method.
   • If you’ve chosen more than one authentication method, then users will have the freedom to select any one method and prove their identity during login.
   • For example, if you’ve selected both SMS Verification and Google Authenticator, then users will get an option to choose one method and provide their identity.
6. Click the Access URL link and enter the necessary details.
7. If you want to let users bypass two-factor authentication when ADSelfService Plus is down, put a check against the Bypass TFA if ADSelfService Plus is down box.
8. Click Save Settings.