Traditional password-based authentication and its cons

Users in any organization need to enter passwords during Active Directory domain logins and enterprise application logins. The main purpose of these passwords is to prevent unauthorized access to sensitive data. However, having to maintain multiple passwords leads users to create simple ones that are easy to crack. NordPass's Most Popular Passwords of 2019 list is a testament to this.

In addition to this, users tend to create and use credentials that have already been leaked in data breaches. A study by Microsoft has revealed that, in the first quarter of 2019, almost 44 million users employed usernames and passwords that had been leaked in data breaches. If attackers use the credentials obtained from data breaches to conduct more attacks, one can only imagine the number of accounts that can be misappropriated.

With so many issues in traditional username and password-based authentication, organizations need to implement techniques that harden account security. One such technique is multi-factor authentication (MFA).

When MFA is enabled, additional layers of authentication are added. Thus, even if an attacker does lay their hands on a user's password, the other authentication methods hinder their attempt to hack the account.

ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, offers this capability. The solution supports over 15 MFA methods, including TOTP, Google Authenticator, fingerprint authentication, security questions and answers, and YubiKey Authenticator. MFA is used to validate user identity during local and remote desktop logons to Windows, macOS, and Linux endpoints and cloud applications, and during self-service actions using ADSelfService Plus.

Benefits of MFA with ADSelfService Plus:

  1. Admins can create self-service policies, assign specific OUs and groups to these policies, and configure different combinations of authentication methods for these policies. Only users under these OUs and groups will be asked to authenticate using the configured methods during MFA.
  2. Admins can specify the number of authentications users must complete to verify their identity.
  3. Admins can enforce any of the authentication methods as mandatory.

Other features offered by ADSelfService Plus that help protect domain user accounts are:

  • Password Policy Enforcer: This feature allows admins to create custom password policies whose rules enforce the creation of strong, complex passwords during Active Directory password changes and self-service password resets. Admins can create different policies for different sets of users and can enable the policy requirement display, which shows the configured rules to guide users while they create passwords.
  • Conditional access: The feature implements a set of rules that analyze various risk factors, such as IP address, time of access, device, and the user's geolocation, to enforce automated access control decisions. The decisions are implemented in real time based on user risk factors to avoid unnecessarily strict security measures imposed in no-risk scenarios. This ensures an enhanced user experience without affecting security.
  • Have I Been Pwned? integration: Have I Been Pwned? is a service that warns users if the password they have created has been breached before. ADSelfService Plus offers an integration with Have I Been Pwned? that alerts domain users when the passwords they create during any of the following actions have been breached:
    • Self-service password reset using ADSelfService Plus.
    • Password change using the Ctrl+Alt+Del option.
    • Password reset using the Active Directory Users and Computers console.
