What is RSA two-factor authentication and how does it work
RSA multi-factor authentication or two-factor authentication adds an extra layer of identity verification using something you know, which is the passcode, and something you have, which is the RSA token. During login, users enter their Active Directory credentials, followed by a time-based RSA SecurID token code generated from a hardware token or RSA SecurID app.
This RSA authentication process ensures that even if passwords are compromised, unauthorized access is still blocked, preventing common password-based attacks such as brute-force attempts, credential stuffing, phishing, and replay attacks.
Secure multiple access points with a comprehensive RSA MFA solution
ADSelfService Plus makes it easy to integrate RSA SecurID MFA with Active Directory without modifying your existing infrastructure. Once enabled, it can secure multiple endpoints, including MFA for domain-joined machines, MFA for Remote Desktop and RD Gateway sessions, MFA for VPN access for remote users, and MFA for web applications and single sign-on (SSO). This ensures that RSA authentication is consistently enforced across critical access points, providing robust protection while maintaining a seamless user experience.
Supported RSA SecurID MFA methods
ADSelfService Plus supports multiple RSA SecurID MFA methods:
- RSA hardware tokens use key fobs that generate rotating codes.
- RSA SecurID App uses mobile and desktop-based OTP generators.
- Email and SMS-based RSA SecurID passcodes.
How RSA SecurID MFA flow works
When RSA SecurID MFA is enabled for Active Directory logins, the authentication flow happens as follows:
- The user initiates the login. This could be a machine login, VPN access, an RDP session, or SSO for an enterprise app.
- The user enters their Active Directory username and password.
- ADSelfService Plus forwards the authentication request to RSA Authentication Manager.
- The user is prompted for RSA SecurID verification based on the configured method:
  - OTP from the RSA hardware token
  - OTP from the RSA SecurID mobile app
  - Email- or SMS-generated passcode
- RSA Authentication Manager validates the code response.
- If successful, ADSelfService Plus grants access to the user and completes the AD authentication flow.
This RSA authentication process ensures that password theft or credential reuse attacks fail, since access is only granted when the AD password and the RSA token are verified together.
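The flow above, modelled as an added example (not ManageEngine or RSA code). The SecurID algorithm is proprietary, so an RFC 6238-style code stands in for it; `TokenValidator`, `login`, the 60-second window and the sample account are assumptions. It shows a stolen password on its own and a replayed code both being refused.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code window (assumed value)

def token_code(seed, now, digits=6):
    """RFC 6238-style code, standing in for the proprietary SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenValidator:
    """Hypothetical second-factor server: checks the code and refuses reuse."""
    def __init__(self, seeds):
        self.seeds, self.last_step = seeds, {}  # last_step: user -> newest step accepted

    def validate(self, user, code, now):
        seed = self.seeds.get(user)
        if seed is None:
            return False
        for drift in (0, -1):  # current window, then the previous one for clock skew
            when = now + drift * STEP
            if hmac.compare_digest(token_code(seed, when).encode(), code.encode()):
                step = int(when // STEP)
                if step <= self.last_step.get(user, -1):
                    return False  # code from a window already used: replay
                self.last_step[user] = step
                return True
        return False

def login(check_password, validator, user, password, code, now):
    """Hypothetical front end: password first, then the forwarded token check."""
    if not check_password(user, password):
        return "denied: password"
    if not validator.validate(user, code, now):
        return "denied: token code"
    return "granted"

def demo(now=1_700_000_000.0):
    """Constructed account, password and seed; returns four login outcomes."""
    seed, pw = b"constructed-seed", "Winter-Example-1"
    check = lambda u, p: u == "alice" and hmac.compare_digest(p.encode(), pw.encode())
    server, code = TokenValidator({"alice": seed}), token_code(seed, now)
    tries = [(pw, "", now), ("guess", code, now), (pw, code, now), (pw, code, now + 10)]
    return [login(check, server, "alice", p, c, t) for p, c, t in tries]
```

The four attempts in `demo()` are: correct password with no code, wrong password with a valid code, both correct, and the same pair presented again ten seconds later.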
How to enable RSA MFA for Active Directory
You can deploy RSA MFA for Active Directory in just a few steps:
- Set up RSA SecurID with the method appropriate to your organization.
- Connect ADSelfService Plus with your RSA Authentication Manager.
- Enable RSA MFA policies for the target end-user group.
- Apply MFA to the required endpoint.
Advanced RSA SecurID MFA controls
ADSelfService Plus enhances RSA SecurID MFA with enterprise-grade flexibility:
- Granular enforcement: Apply RSA authentication by user, OU, group, or machine.
- Conditional access: Enforce MFA only when risky conditions are met—untrusted IPs, off-hours logins, unknown devices, or unknown locations.
- More than 2FA: Combine RSA tokens or push with biometrics, FIDO2 passkeys, and other authenticator apps.
- Enrollment methods: Perform individual enrollment via a login script and forced enrollment prompt, as well as bulk enrollment via CSV files and databases with user information.
- Auditing and reports: Log every RSA authentication event for compliance tracking and forensics.
This makes RSA SecurID in ADSelfService Plus not just MFA—but fully controlled, auditable, and adaptable authentication.
Why choose RSA SecurID for Active Directory MFA
Organizations trust RSA SecurID MFA using ADSelfService Plus to secure Active Directory endpoints because it delivers:
- Comprehensive support: RSA SecurID can be implemented in both legacy and modern systems.
- Diverse MFA: Enterprise endpoints can be secured seamlessly with hardware tokens and software tokens.
- Easy integration: RSA SecurID MFA can be configured for Active Directory without modifying the existing infrastructure.
- Compliance ready: RSA SecurID MFA is compliant with HIPAA, the PCI DSS, and the GDPR frameworks.
This combination of security, flexibility, and reliability makes RSA SecurID the preferred choice for Active Directory MFA.
