Allowing end users to reset their password or unlock their account poses risks. It is not uncommon for an attacker to masquerade as a valid user to steal credentials. To ensure that only the intended users access the self-service portal, stringent authentication procedures to establish users’ identities are mandatory.
To ensure that only authorized users access the self-service login portal, ADSelfService Plus employs the following authentication methods to verify the identity of users:
Administrators have the flexibility to choose all authentication procedures or a combination of the available methods based on their needs.
Users enroll with ADSelfService Plus by answering a series of personal questions; the answers are then stored securely in the ADSelfService Plus database after encryption. To reset their passwords or to unlock their accounts, users are required to verify their identity by answering the questions they previously added.
Administrators can further strengthen identity verification by providing additional restrictions on the questions and answers.
When a user attempts to reset their password or unlock their account, a verification code is sent to the user's mobile number or email address. Administrators also have the provision to send a secure link via email with which the user can reset their password. Administrators can configure the number of invalid attempts after which the user will be temporarily blocked from logging in.
Note: Administrators can configure ADSelfService Plus to pull the mobile number and email address information from the corresponding LDAP attributes in Active Directory.
ADSelfService Plus supports Google Authenticator, a widely used third-party authentication application for mobile phones. Users enroll with ADSelfService Plus by scanning a QR code. When performing any self-service operation, the user is required to enter the code that is displayed in Google Authenticator to verify their identity.
In addition to Google Authenticator, administrators can use other third-party, time-based authenticators such as Microsoft Authenticator or Sophos Authenticator.
In order to prevent malicious users from taking multiple guesses at the answers, administrators can set up a temporary block for any account that racks up a specified number of wrong answers within a stipulated time.
The identity verification process starts when the user accesses the ADSelfService Plus application and clicks on the ‘Reset Password’ or ‘Unlock Account’ link. After the user enters their username and the domain, the ADSelfService Plus server performs a series of security checks.
Domain affiliation check: Checks if the user is affiliated with the specified domain.
Policy settings check: Checks if the user has permission to reset the password or unlock the account through ADSelfService Plus. ADSelfService Plus policies can be configured so that only certain necessary features are made available to the end user.
Enrollment status check: Checks if the user has enrolled with ADSelfService Plus by answering the security questions, updating their mobile number or email address, and synchronizing their Google Authenticator account. Only enrolled users are allowed to reset passwords and unlock accounts.
Blocked users check: Checks if the user account is blocked by the ADSelfService Plus server from performing self-service actions due to multiple invalid attempts. Users who fail to enter the correct verification code and/or answer(s) to the security question(s) are blocked by the application after the number of attempts set by the ADSelfService Plus administrator. This protects against bot-based attacks, denial-of-service attacks, and other forms of abuse.
Once the preliminary checks are complete, the product proceeds to verify the identity of the user by running the authentication procedures configured by the administrator.
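The four preliminary checks above, together with the time-windowed temporary block described earlier, form one gate that runs before any authentication method is attempted. The block below is an added example of that gate (example code, not the ADSelfService Plus implementation): the directory, policy and enrollment data are constructed in-memory stand-ins, and the thresholds (three failures within five minutes, fifteen-minute block) are assumed values. The function returns an internal reason for logging but the caller is expected to show the user one generic message, so that a failed check does not reveal whether an account exists or how it is enrolled.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class User:
    username: str
    domain: str
    enrolled_methods: set[str]      # e.g. {"questions", "email", "totp"}


@dataclass
class Policy:
    domain: str
    allow_reset: bool
    allow_unlock: bool
    required_methods: set[str]      # methods the user must have enrolled to be eligible


class LockoutTracker:
    """Block a user once max_failures invalid attempts land inside window_seconds."""

    def __init__(self, max_failures: int = 3, window_seconds: int = 300, block_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self.failures: dict[tuple[str, str], deque[int]] = {}
        self.blocked_until: dict[tuple[str, str], int] = {}

    def record_failure(self, key: tuple[str, str], now: int) -> None:
        recent = self.failures.setdefault(key, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[key] = now + self.block_seconds
            recent.clear()

    def is_blocked(self, key: tuple[str, str], now: int) -> bool:
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                                           # block expired
            del self.blocked_until[key]
            return False
        return True


def preliminary_checks(username: str, domain: str, action: str,
                       directory: dict[tuple[str, str], User],
                       policies: dict[str, Policy],
                       tracker: LockoutTracker, now: int) -> tuple[bool, str]:
    """Run the checks in the order the text lists them. Returns (allowed, internal_reason)."""
    key = (domain.lower(), username.lower())

    # 1. Domain affiliation: the user must exist in the stated domain.
    user = directory.get(key)
    if user is None:
        return False, "domain-affiliation: user not found in domain"

    # 2. Policy settings: the requested action must be enabled for this domain.
    policy = policies.get(user.domain)
    if policy is None:
        return False, "policy: no self-service policy for domain"
    if action == "reset" and not policy.allow_reset:
        return False, "policy: password reset not permitted"
    if action == "unlock" and not policy.allow_unlock:
        return False, "policy: account unlock not permitted"
    if action not in ("reset", "unlock"):
        return False, "policy: unknown action"

    # 3. Enrollment status: every method the policy requires must be enrolled.
    missing = policy.required_methods - user.enrolled_methods
    if missing:
        return False, f"enrollment: missing {sorted(missing)}"

    # 4. Blocked users: too many recent invalid attempts.
    if tracker.is_blocked(key, now):
        return False, "blocked: temporary lockout in effect"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data.
    directory = {
        ("corp.example", "alice"): User("alice", "corp.example", {"questions", "email", "totp"}),
        ("corp.example", "bob"): User("bob", "corp.example", {"questions"}),
    }
    policies = {"corp.example": Policy("corp.example", True, True, {"questions", "totp"})}
    tracker = LockoutTracker()
    print(preliminary_checks("alice", "corp.example", "reset", directory, policies, tracker, now=1000))
    for _ in range(3):
        tracker.record_failure(("corp.example", "alice"), now=1000)
    print(preliminary_checks("alice", "corp.example", "reset", directory, policies, tracker, now=1100))
```

Note that the lockout key is the (domain, username) pair rather than the client IP address: an attacker rotating source addresses still burns the same counter, while the legitimate user regains access automatically once the block expires.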
Added layer of security: The widely used question-and-answer method, familiar from social media, has become weak because users choose questions and answers that an attacker can easily look up. By adding verification codes and Google Authenticator to the identity verification process, ADSelfService Plus makes accounts more secure.
User friendly: Easy access to email and mobile phones has made those devices a simpler option for users to manage their accounts on the go.
Power to the administrator: Administrators have complete control over whether to choose any one or all of the authentication modes for added security.
Whenever a self-service action is completed for a user, the user receives an email notification from ADSelfService Plus. The email notification acts as an alert in case of unauthorized account activity and allows the user to react and prevent further damage.