Google Authenticator

When Google Authenticator verification is enabled, users can enter a six-digit security code generated by the Google Authenticator app to prove their identity during MFA.

How it works

The Google Authenticator app on users' Android or iOS devices generates a new six-digit code every 30 seconds, which users are prompted for during MFA.
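
The code rotation described above is the time-based one-time password scheme of RFC 6238, which Google Authenticator implements. The sketch below is an added example, not ADSelfService Plus code: it derives the six-digit code for a 30-second step and checks a submitted code on the server side. The sample secret is constructed, and the drift_steps and last_used_step parameters are assumptions for illustration, not product settings.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an authenticator app expects it at enrollment. Never use it for real users.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Return the RFC 6238 (HMAC-SHA1) code for the time step containing `at`."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1, last_used_step=-1):
    """Return the matched time step, or None if the code is rejected.

    drift_steps and last_used_step are hypothetical parameters: the first
    tolerates clock skew, the second rejects reuse of an accepted code.
    """
    now = time.time() if at is None else at
    current = int(now) // STEP
    for step_no in range(current - drift_steps, current + drift_steps + 1):
        if step_no <= last_used_step:
            continue  # already consumed (or before the epoch): no replay
        expected = totp(secret_b32, step_no * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step_no
    return None


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, time.time()))
```

Storing the step returned by verify and passing it back as last_used_step on the next attempt keeps an observed code from being accepted twice within its validity window.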

Prerequisite: Configuration can be done only via ADSelfService Plus' default admin account or a product technician account with Super Admin privileges.

Configuration steps

  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Click the Google Authenticator section.
  4. Select a Username Pattern. This step is essential for creating globally unique identifiers in multi-domain environments. Without explicit domain differentiation, users with identical names across domains will experience enrollment and authentication conflicts.
  5. Click Save to enable the authenticator.

Authenticator management

After configuration, you can modify the Username Pattern by clicking Modify, or disable the authenticator at any time by clicking Modify > Remove Configuration.

Deploying Google Authenticator for MFA

Once the authenticator is configured, you can deploy it as an MFA method to secure sensitive actions like password resets and unlocks, protected endpoints, and logging into ADSelfService Plus.

Setting up user enrollment

The last step is setting up the process for users to enroll for Google Authenticator and utilize it for identity verification.

Administrators can choose from the following enrollment methods:

  • User self-enrollment: Users scan a QR code displayed in the ADSelfService Plus portal
  • Bulk enrollment: Administrators can streamline deployment for multiple users
  • Manual configuration: Users can manually enter the provided secret key

You can learn about the various enrollment options available in ADSelfService Plus here.

Tips

  • Google Authenticator can be used for offline MFA, as it is secure and reliable even without network connectivity.
  • You can see how the enrollment settings you configure will be presented to your users here.