Enabling this technique lets you set up AD-based security questions as the MFA criteria and verify answers against the attribute values available in AD.
For example, assume that you have set ‘What is your social security number?’ as an AD-based security question, and linked a custom attribute of the user as the answer. Now, when a user attempts a password reset, they are required to enter the correct answer (i.e., the user's social security number). If the answer entered by the user matches the value of the original AD attribute (i.e., the value of the custom attribute), the user is successfully authenticated.
As this MFA technique utilizes the users' AD attributes, they need not enroll with ADSelfService Plus separately. This is a definite plus for admins who will be free from the burden of ensuring that every user has completed the enrollment process.
Make sure that the AD attributes mapped to the security questions are not readable through an LDAP browser or other tools.
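One way to check this from a management workstation (an added example, not part of the ADSelfService Plus documentation): the script below tests whether the mapped attribute is flagged confidential in the schema and whether an ordinary domain account can read its value. The attribute name `contosoSecurityAnswer`, the user `mfa.testuser` and the use of the RSAT ActiveDirectory module are assumptions; run it from a session that is itself allowed to read the attribute.

```powershell
# Added example. Attribute name, test user and accounts are hypothetical placeholders.
Import-Module ActiveDirectory

$Attribute = 'contosoSecurityAnswer'   # hypothetical custom attribute mapped to the question
$TestUser  = 'mfa.testuser'            # hypothetical user whose attribute holds a value
$LowPriv   = Get-Credential -Message 'Ordinary domain user (no admin rights)'

# 1. Schema check: searchFlags bit 0x80 marks an attribute as confidential.
#    Reading a confidential attribute needs CONTROL_ACCESS in addition to Read Property.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDef  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties searchFlags
if (-not $attrDef) { throw "Attribute '$Attribute' was not found in the schema." }
$isConfidential = [bool]($attrDef.searchFlags -band 0x80)

# 2. Baseline: confirm the value exists when read with the current session,
#    otherwise an empty result in step 3 proves nothing.
$adminView = Get-ADUser -Identity $TestUser -Properties $Attribute
$hasValue  = -not [string]::IsNullOrEmpty([string]$adminView.$Attribute)
if (-not $hasValue) {
    Write-Warning "No value visible for '$Attribute' on $TestUser; populate it before testing."
}

# 3. Read the same attribute while bound as the ordinary user.
#    An unreadable attribute comes back empty rather than raising an error.
$userView = Get-ADUser -Identity $TestUser -Properties $Attribute -Credential $LowPriv
$exposed  = -not [string]::IsNullOrEmpty([string]$userView.$Attribute)

# Report the outcome without printing the answer value itself.
[pscustomobject]@{
    Attribute               = $Attribute
    ConfidentialFlagSet     = $isConfidential
    ValuePresent            = $hasValue
    ReadableByOrdinaryUser  = $exposed
    Result                  = if ($exposed) { 'FAIL: restrict read access' } else { 'OK' }
}
```

Repeat step 3 with any service or helpdesk accounts that should not see the answers, since their permissions can differ from those of an ordinary user.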
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
Copyright © 2020, ZOHO Corp. All Rights Reserved.