Pricing  Get Quote


ADSelfService Plus two-factor authentication (2FA)

ADSelfService Plus is an integrated Active Directory tool that can help you drastically reduce password related help-desk calls with its self-service password management and single sign-on features. It is used for password expiration notifications, password policy enforcement, Active Directory 2FA, and much more.

The user-friendly interface helps domain users efficiently self-update personal details, self-service passwords on premises or remotely, and subscribe to mail groups in Microsoft Windows Active Directory. However, access to these self-service features needs to be highly secure, because unauthorized access could lead to sensitive data being exposed. ADSelfService Plus has your users' access covered with two levels of authentication during login.

Two-factor authentication for Windows Active Directory accounts GET STARTED »

Double protection against brute force and dictionary attacks in Active Directory

ADSelfService Plus uses advanced authentication techniques to enforce two-factor authentication for Active Directory during:

  1. Machine (Windows, macOS and Linux systems), VPN and OWA logins. Learn more about Endpoint MFA.
  2. ADSelfService Plus portal login.
  3. Enterprise application logins through single sign-on (SSO). Learn more about Application MFA.
  4. Active Directory self-service password reset or account unlock actions via the ADSelfService portal, ADSelfService Plus mobile app, and native Windows/macOS/Linux login screens (when client software is installed).

Supported authentication techniques:

How two-factor authentication works with ADSelfService Plus

Two-factor authentication solution (2FA) for Active Directory user accounts provides added security to users who log on to ADSelfService Plus. Each time users log on, they need to enter the Active Directory domain credentials, which is followed by a verification process. The secondary authentication happens via codes sent through SMS or email, biometrics fingerprint, Duo Security, or RSA SecurID. This ensures that there is no threat to user information, even if someone manages to discover their password.

Supported multi-factor authentication techniques in ADSelfService Plus

Security questions and answers

When this authentication method is enabled, users are required to verify their identity by answering the questions they previously responded to.

SMS and email-based verification codes

When enabled, the SMS and email-based verification method sends a code to the user's phone or email address. The user must enter the uniquely generated code in order to successfully log in each time.

Duo Security authentication

Duo Security is a two-factor authentication service. If you have Duo Security enabled, your identity is verified through a verification code, by call or push notification, from the Duo mobile app.


RSA SecurID is an authentication service in which a one-time passcode is generated in either the RSA mobile app, hardware token, or RSA authentication manager. Users can deploy the unique passcode to prove their identity and securely log in to ADSelfService Plus.

RADIUS Authentication

With RADIUS Authentication, users can verify their identity using their RADIUS password which will in turn facilitate a smooth and secure access to their ADSelfService Plus portal.

Google Authenticator

When Google Authenticator is enabled, the user is required to open the app and enter the code displayed in Google Authenticator to verify their identity.

Push notifications

With push notifications enabled, users will get a login request sent to the ADSelfService Plus mobile app on their registered mobile device. They can either approve the authentication request or press deny to reject unexpected requests.

Fingerprint authentication

With Fingerprint authentication enabled, the user can use their registered mobile device with a fingerprint sensor to prove their identity.

Face ID authentication

By enabling Face ID authentication, the user can use the face recognition system in their registered device for identity verification.

QR code-based authentication

Users simply need to scan the QR code displayed on their ADSelfService Plus web portal from their registered mobile device to prove their identity.

Time-based one-time passcodes (TOTPs)

Users have to enter the 6-digit passcode during the authentication process within a specific amount of time to complete their identity verification.

AD-based security questions

When this method is enabled, the security questions are linked to an AD attribute, and users are successfully authenticated when their answers match that specific attribute value.

Microsoft Authenticator

When Microsoft Authenticator is enabled, the user is required to open the app and enter the code displayed in Microsoft Authenticator to prove their identity.

Yubikey Authenticator

ADSelfService Plus supports Yubikey, an authentication device that identifies itself as a keyboard and delivers the one-time password over the USB HID protocol. Once enrolled, users can use Yubikey to prove their identity.

SAML Authentication

When SAML Authentication is enabled, the user is required to authenticate with the chosen identity provider (IdP) to prove their identity.

Zoho OneAuth TOTP

With Zoho OneAuth TOTP enabled, the user is required to open the Zoho OneAuth app and enter the 6-digit one time passcode to prove their identity.

Custom TOTP Authenticator

Users simply need to enter the one time passcode from the configured custom TOTP application to prove their identity.

Smart Card Authentication

When this method is enabled, a pop-up with a list of certificates to choose from appears in the browser. The chosen certificate is then matched with the userCertificate value in Active Directory for identity verification.


  1. With a two-factor authentication solution, even if a hacker steals a user's password, the hacker would still need access to the user’s mobile or email.
  2. Additionally, the SMS and email-based verification and the authentication requests available in Duo Security and RSA SecurID are unique to each user. They can be used only once, and will expire if they are not used within a certain period of time.
  3. With the extra layer of security provided by two-factor authentication, businesses can now equip end users with various self-service options available in ADSelfService Plus. These authentication options reduce help desk workload and any worries about security.

Safeguard user access to endpoints with with a second factor authentication. 

  • Please enter a business email id
    By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.


Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here


Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management