Multi-factor authentication for cloud apps

The proliferation of cloud applications has attracted unwanted attention from hackers who are now focusing their efforts on data in the cloud. Hackers can easily trick someone with a valid username and password into disclosing their credentials through a phishing attack. The traditional way of authenticating users through usernames and passwords just isn’t cutting it anymore.

MFA is a technique that enforces additional factors aside from usernames and passwords to fortify authentication for Active Directory, cloud applications, and more. Besides MFA, cloud applications can also be secured using custom password policies with advanced password security techniques. Learn more about these policies.

Securing cloud logins using ADSelfService Plus

ADSelfService Plus, an Active Directory self-service password management and single sign-on (SSO) solution, protects access to cloud applications with MFA. By enabling SSO between ADSelfService Plus and SAML 2.0-enabled cloud applications like Google Workspace and Salesforce, you can easily secure users’ identities in the cloud.

When SSO is enabled, users must always authenticate themselves in ADSelfService Plus—first using their username and password and then through MFA authenticators chosen by you. Only then will users be able to access cloud applications. MFA for cloud applications ensures that even when hackers compromise a user's credentials, they cannot gain access to the cloud application and its data. ADSelfService Plus supports MFA for logins initiated by both identity providers (IdPs) and service providers (SPs).

How it works

During IdP-initiated logins

• During IdP-initiated SSO, users first log in to the ADSelfService Plus portal using their Windows Active Directory domain credentials to prove their identity before they can access cloud applications.
• Next, users must authenticate themselves through the alternative authentication methods configured by you.
• Once successfully logged in, users can access cloud applications from the Applications tab. All they need to do is click on an application's icon to open it in a new tab. Best of all, the user is automatically logged in to the application.

During SP-initiated logins

• During SP-initiated SSO, users first access the cloud application by entering its URL directly in a browser. The cloud application then redirects the user to the ADSelfService Plus login page for authentication.
• Users will need to enter their Active Directory domain credentials to prove their identity.
• Next, users must authenticate themselves through the alternative authentication methods configured.
• The user is now directly logged in to the SSO-enabled cloud application.

A comprehensive set of authentication factors

ADSelfService Plus supports the following methods to secure cloud applications using MFA:

Benefits of MFA for cloud applications using ADSelfService Plus

• Policy-based security for cloud applications: Apply different authentication factors for different users and even control access to cloud apps by configuring OU- and group-based policies.
• Risk-based automated access control: Automatically enforce specific authenticators or change the number of authenticators based on risk factors such as IP address, time of access, device, and geolocation.
• Regulatory compliance: Meet NIST SP 800-63B, NYCRR, FFIEC, GDPR, and HIPAA compliance mandates by implementing MFA for cloud applications.

ADSelfService Plus uses the tried and tested Windows Active Directory domain credentials as the first factor of authentication. For the second factor, ADSelfService Plus supports native factors such as SMS/email-based verification codes and third-party authentication providers such as Duo Security, RSA SecurID, RADIUS server, and Google Authenticator.