
Configuring fingerprint authentication for Active Directory password resets and logins

Fingerprint authentication is an identity verification method that has become widely used in recent times. Because everyone has a unique fingerprint, it is one of the more secure methods of authentication. It is also simple and quick: users only need to scan their fingerprints to authenticate themselves. This is why fingerprint scanners have been introduced in smartphones and fingerprint authentication is used for identity verification in applications.

Given these advantages, it makes sense to use fingerprint authentication as a multi-factor authentication (MFA) method during Active Directory domain logins in an organization. Self-service Active Directory password resets and account unlocks can also benefit from fingerprint authentication for identity verification. A breach of even a single domain account can lead to misappropriation of a large amount of data, and can put the entire domain network at risk if the account has high privileges. Implementing fingerprint authentication as an additional step can help prevent such issues.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers MFA using fingerprint authentication and any of the 15 other supported methods, including Google Authenticator, YubiKey Authenticator, RSA SecurID, and QR code. ADSelfService Plus uses MFA to secure:

  1. Windows, macOS, and Linux logins.
  2. Active Directory self-service password reset or account unlock actions via the ADSelfService portal, ADSelfService Plus mobile app, and native Windows/macOS/Linux login screen.
  3. Enterprise application logins through single sign-on (SSO).
  4. Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

Fingerprint authentication for MFA can be enabled in ADSelfService Plus with minimal steps:

  1. Download and install ADSelfService Plus.
  2. Configure the domains.
  3. Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
  4. From the Choose the Policy drop-down, select a policy.

    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected.

  5. Click the Fingerprint Authentication section.
  6. Select Enable Fingerprint Authentication.

Enable fingerprint authentication for Active Directory password resets

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select Fingerprint Authentication along with the other authentication techniques to be used.
  2. Click Save Settings.

Enable fingerprint authentication for Active Directory domain logins

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the Endpoint MFA section, select Push Fingerprint Authentication from the drop-down.
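  2. Enable the Bypass TFA if ADSelfService Plus is down option. As the option name indicates, domain logins then skip the second factor whenever ADSelfService Plus is unavailable.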
  3. Click Save Settings.

Note:

To enable MFA for Active Directory domain logins:

  • The ADSelfService Plus login agent must be installed on client machines.
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option.


Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.