Multi-factor Authentication:
ADSelfService Plus employs multiple authentication methods to verify users’ identities when they:
- Choose to self-reset passwords and unlock accounts
- Log into their Windows workstations
- Log into the ADSelfService Plus portal
The supported authentication methods include:
- Security Questions and Answers
- Email Verification
- SMS Verification
- Google Authenticator
- Duo Security
- RSA SecurID
- RADIUS Authentication
- Push Notification Authentication
- Fingerprint Authentication
- QR Code-Based Authentication
- TOTP Authentication
- SAML Authentication
- AD Security Questions
- Microsoft Authenticator
- Yubikey Authenticator
You can enable any number of authentication methods from the list above, and configure which authentication methods are to be used for what password self-service operation.
Enabling the required authentication methods
- Navigate to Configuration → Self-Service → Multi-factor Authentication.
- From Choose the Policy dropdown, select a policy.
Note:
- You can configure different authentication methods for different policies. For example, you can configure Security Questions & Answers, Google Authenticator, and Duo Security for Policy 1, and SAML Authentication for Policy 2.
- You can have two or more configurations of the same authentication method for different policies. For example, you can enable three Security Questions for Policy 1 and five Security Questions for Policy 2.
- Click the Configuration tab.
- Now, click on the authentication methods that you want to enable and configure them.
- Click Save.
- Repeat steps 4 and 5 for other authentication methods that you want to enable.
Forcing users to enroll for certain authentication methods
Prerequisite: Make sure that you’ve enabled the required authentication methods.
- Navigate to Configuration → Self-Service → Multi-factor Authentication.
- From Choose the Policy dropdown, select a policy.
- Click the Authenticator Settings tab.
- Under Enrollment Settings, select Enforce these authenticators during enrollment.
- From the dropdown, select the authentication methods that you want to enforce during enrollment.
- Select Hide Enrollment tab from end users portal for enrolled users, if you want to hide the enrollment tab from enrolled users so that they cannot modify their enrollment data.
- Click Save Settings.
Configuring multi-factor authentication for the password reset/account unlock operation
Prerequisite: Make sure that you’ve enabled the required authentication methods.
- Navigate to Configuration → Self-Service → Multi-factor Authentication.
- From Choose the Policy dropdown, select a policy.
- Click the Authenticator Settings tab.
- Under MFA for Reset/Unlock, select from the dropdown the number of verification steps users must complete for the self-reset password and unlock account operations. For example, if you want users to go through two steps of verification to prove their identity, select 2 from the dropdown.
- Select the authentication methods that users can choose from using the Configure authenticators for reset/unlock dropdown.
- To make an authentication method mandatory, hover the mouse over the authentication method in the dropdown and click the * icon.
Note: Users will be automatically forced to enroll for all the authentication methods that are marked as mandatory during enrollment.
- Click Save Settings.
Important points to remember:
- You can enable 2 verification steps (step 4) but configure 3 or 4 authentication methods (step 5).
- In such a case, users are free to choose any 2 authentication methods from the 4 configured methods to prove their identity.
- If you enable 2 verification steps and configure 4 authentication methods, but want to enforce SMS Verification as one of the steps, mark SMS Verification as mandatory.
- In this case users will have to go through SMS Verification first, and can then select any one of the remaining three authentication methods.
Configuring two-factor authentication for ADSelfService Plus login
Prerequisite:
- Make sure that you’ve enabled the required authentication methods.
- Make sure that you’ve configured a self-service policy that includes all the users to whom you want to enable two-factor authentication for ADSelfService Plus login.
- Navigate to Configuration → Self-Service → Multi-factor Authentication.
- From Choose the Policy dropdown, select a policy.
- Click the Authenticator Settings tab.
- Under the TFA for ADSelfService Plus login section, put a check against the Enable authenticators for ADSelfService Plus login box.
- From the dropdown, select the authentication methods.
Note:
- You have to choose at least one authentication method.
- If you’ve chosen more than one authentication method, then users will have the freedom to select any one method and prove their identity during login.
- For example, if you've selected both SMS Verification and Google Authenticator, users will get an option to choose one method and prove their identity.
- If you want to disable two-factor authentication when users authenticate against ADSelfService Plus for SSO to enterprise applications, put a check against the Disable TFA for SSO-enabled enterprise applications box. Note that this weakens protection for those applications: a user reaching an SSO-enabled application through ADSelfService Plus is then authenticated by password alone.
- Click Save Settings.
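The "important points" under MFA for Reset/Unlock and the note under TFA for ADSelfService Plus login both describe the same rule: a user completes N verification steps chosen from M configured methods, with any mandatory methods completed first, and login TFA is the special case N = 1 with no mandatory method. The following is an added Python model of that rule, written for this page and not code from ADSelfService Plus; the policy names, method names and function names are illustrative assumptions, and the "mandatory methods first" ordering follows the page's own description.

```python
"""Added example (not ADSelfService Plus code): a model of the N-of-M
authenticator policy with mandatory methods described on this page."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class MfaPolicy:
    """Per-policy authenticator settings, as the page describes them.

    steps:      number of verification steps the user must complete
    configured: methods the user may choose from (the dropdown selection)
    mandatory:  subset of configured that every user must complete
    """
    steps: int
    configured: frozenset
    mandatory: frozenset = frozenset()


def validate_policy(policy):
    """Return a list of configuration problems (empty when the policy is sound)."""
    problems = []
    if policy.steps < 1:
        problems.append("at least one verification step is required")
    if not policy.mandatory <= policy.configured:
        missing = ", ".join(sorted(policy.mandatory - policy.configured))
        problems.append("mandatory methods must also be configured: " + missing)
    if len(policy.mandatory) > policy.steps:
        problems.append("more mandatory methods than verification steps")
    if policy.steps > len(policy.configured):
        problems.append("more verification steps than configured methods")
    return problems


def allowed_combinations(policy):
    """All sets of methods a user may complete: exactly `steps` methods drawn
    from the configured set, each containing every mandatory method."""
    return sorted(
        sorted(combo)
        for combo in combinations(sorted(policy.configured), policy.steps)
        if policy.mandatory <= set(combo)
    )


def check_verification(policy, completed):
    """Decide whether an ordered list of completed methods satisfies the policy.

    Returns (ok, reason). Mandatory methods must come first, matching the page's
    description that users go through the mandatory method before choosing
    from the remaining configured methods."""
    if validate_policy(policy):
        return False, "policy is misconfigured"
    if len(set(completed)) != len(completed):
        return False, "a method was repeated"
    unknown = set(completed) - policy.configured
    if unknown:
        return False, "method not configured for this policy: " + ", ".join(sorted(unknown))
    n_mandatory = len(policy.mandatory)
    if set(completed[:n_mandatory]) != policy.mandatory:
        return False, "mandatory methods must be completed first"
    if len(completed) != policy.steps:
        return False, f"expected {policy.steps} verification steps, got {len(completed)}"
    return True, "ok"


def enrollment_requirements(policy):
    """Methods a user is forced to enroll for under this policy: the mandatory
    set (the page states mandatory methods are enforced during enrollment)."""
    return sorted(policy.mandatory)


# Constructed sample policies mirroring the page's example: 2 steps out of
# 4 configured methods, with SMS Verification mandatory for reset/unlock, and
# a 1-of-2 choice for portal login.
RESET_POLICY = MfaPolicy(
    steps=2,
    configured=frozenset({"Security Questions", "SMS Verification",
                          "Google Authenticator", "Duo Security"}),
    mandatory=frozenset({"SMS Verification"}),
)
LOGIN_POLICY = MfaPolicy(
    steps=1,
    configured=frozenset({"SMS Verification", "Google Authenticator"}),
)

if __name__ == "__main__":
    for combo in allowed_combinations(RESET_POLICY):
        print("reset/unlock may use:", " -> ".join(combo))
    print(check_verification(RESET_POLICY, ["SMS Verification", "Duo Security"]))
    print(check_verification(RESET_POLICY, ["Duo Security", "Google Authenticator"]))
    print(check_verification(LOGIN_POLICY, ["Google Authenticator"]))
```

Run `validate_policy` on each policy you define before relying on it: marking a method mandatory that is not in the configured set, or enabling more steps than configured methods, leaves users with no valid way to complete verification.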
Configuring two-factor authentication for Windows/macOS login
Prerequisite:
Make sure that you’ve:
- Enabled HTTPS and applied a valid SSL certificate in ADSelfService Plus.
- Enabled the required authentication methods.
- Configured a self-service policy that includes all the users to whom you want to enable two-factor authentication for Windows/macOS login.
- Navigate to Configuration → Self-Service → Multi-factor Authentication.
- From Choose the Policy dropdown, select a policy.
- Click the Authenticator Settings tab.
- Under the TFA for Windows/macOS login section, put a check against the Enable authenticators for Windows/macOS login box.
- From the dropdown, select the authentication methods.
Note:
- You have to choose at least one authentication method.
- If you’ve chosen more than one authentication method, then users will have the freedom to select any one method and prove their identity during login.
- For example, if you've selected both SMS Verification and Google Authenticator, users will get an option to choose one method and prove their identity.
- Click the Access URL link and enter the necessary details. This is the URL the workstations use to reach ADSelfService Plus during login, which is why HTTPS with a valid certificate is a prerequisite.
- If you want to let users bypass two-factor authentication when ADSelfService Plus is down, put a check against the Bypass TFA if ADSelfService Plus is down box. This is a fail-open setting: while the server is unreachable, users on those machines log in with their Windows password alone, so weigh it against the availability you can guarantee for the server.
- Click Save Settings.
Copyright © 2019, ZOHO Corp. All Rights Reserved.