

ADSelfService Plus two-factor authentication (2FA)

Passwords can no longer be considered the only reliable factor for authentication. Consider this:

  • According to a report by Verizon, 80% of data breaches are caused by poor or reused passwords.
  • More than 15 billion stolen passwords are available on the dark web. These could be used in attacks like credential stuffing or password spraying.
  • Google reports that 24% of Americans use common passwords like "password" and "Qwerty" and that 43% of Americans have shared their password with someone.

If passwords were the only mode of authentication, all it would take is one user's weak or stolen password to infiltrate your IT environment. Many infamous cyberattacks on large organizations, such as Colonial Pipeline and Ireland’s Health Service Executive, started with one exposed password.

What is two-factor authentication (2FA)?

As the name indicates, 2FA uses two factors to verify users who attempt to log in to applications or endpoints. One of the factors is usually a password. The other could be anything ranging from a security question to an OTP, biometrics, or a hardware token.

With a second factor of authentication in addition to passwords, the chances of a successful cyberattack are drastically reduced, solidifying your organization's security posture.

In addition to easing HIPAA, GDPR, PCI DSS, SOC 2, SOX, and GLBA compliance, 2FA also helps organizations with procuring cyber insurance. Most cyber insurance companies require 2FA following the surge in cyberattacks and an executive order that requires federal agencies in the United States to implement 2FA.

Double protection against brute-force and dictionary attacks

ADSelfService Plus uses advanced authentication techniques to enforce Active Directory 2FA during:

  1. Machine logins (Windows, macOS, and Linux systems).
  2. RDP and VPN logins.
  3. Enterprise application logins through single sign-on (SSO).
  4. OWA logins.

Why choose ADSelfService Plus' 2FA?

ADSelfService Plus offers a myriad of concrete authentication factors such as YubiKey, smart card, biometric, Google Authenticator, and Microsoft Authenticator, and admins can enable them in just a few clicks.

ADSelfService Plus offers a wide range of both hardware and software authentication factors. It also offers the flexibility to enable different authentication factors for different sets of users to ensure security without compromising productivity.

How two-factor authentication works with ADSelfService Plus

AD 2FA for user accounts provides added security to your IT environment. Each time users log on, they need to enter the AD domain credentials, which is followed by a verification process. The secondary authentication happens via YubiKey, smart card, biometric, RSA SecurID, or other factors. This ensures that there is no threat to user information, even if someone manages to discover their password.

Supported authentication techniques:

Security questions and answers

When this authentication method is enabled, users are required to verify their identity by answering the questions they previously responded to.

SMS and email-based verification codes

When enabled, the SMS and email-based verification method sends a code to the user's phone or email address. The user must enter the uniquely generated code in order to successfully log in each time.

Duo Security authentication

Duo Security is a two-factor authentication service. If you have Duo Security enabled, your identity is verified through a verification code, by call or push notification, from the Duo mobile app.


RSA SecurID

RSA SecurID is an authentication service in which a one-time passcode is generated in either the RSA mobile app, hardware token, or RSA authentication manager. Users can use the unique passcode to prove their identity and securely log in to ADSelfService Plus.

RADIUS Authentication

With RADIUS Authentication, users verify their identity using their RADIUS password, which in turn gives them smooth and secure access to their ADSelfService Plus portal.

Azure AD MFA

If you use Azure AD MFA to secure logons in your IT environment, you can also configure Azure AD MFA for ADSelfService Plus' 2FA. This not only simplifies things for the admin but also offers a familiar mode of authentication for users.

Google Authenticator

When Google Authenticator is enabled, the user is required to open the app and enter the code displayed in Google Authenticator to verify their identity.

Push notifications

With push notifications enabled, users will get a login request sent to the ADSelfService Plus mobile app on their registered mobile device. They can either approve the authentication request or press deny to reject unexpected requests.

Fingerprint authentication

With Fingerprint authentication enabled, the user can use their registered mobile device with a fingerprint sensor to prove their identity.

Face ID authentication

By enabling Face ID authentication, the user can use the face recognition system in their registered device for identity verification.

QR code-based authentication

Users simply need to scan the QR code displayed on their ADSelfService Plus web portal from their registered mobile device to prove their identity.

Time-based one-time passcodes (TOTPs)

Users have to enter the 6-digit passcode during the authentication process within a specific amount of time to complete their identity verification.
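How a server can check such a time-limited 6-digit code, as an added example that is not ManageEngine's code: it assumes the standard RFC 6238 scheme (HMAC-SHA1, 30-second step), which the page does not specify, and the function names, the drift window and the replay check are illustrative choices.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed validity period of one code, in seconds (RFC 6238 default)
DIGITS = 6   # the 6-digit passcode mentioned above
SECRET = b"12345678901234567890"  # constructed sample key (the RFC 6238 test key)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret, submitted, now, last_counter=-1, drift=1):
    """Return the time-step counter the code matched, or None if rejected.

    drift        -- steps of clock skew tolerated on either side of `now`
    last_counter -- highest step already accepted for this user; a code for
                    that step or an earlier one is refused (replay protection)
    """
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - drift), current + drift + 1):
        expected = hotp(secret, counter).encode()
        # Constant-time comparison, and no early return, so response time
        # does not reveal which candidate step matched.
        ok = hmac.compare_digest(expected, submitted.encode("utf-8"))
        if ok and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    step = verify_totp(SECRET, "287082", now=59)
    print("accepted at step", step)
    # The same code submitted again must be refused.
    print("replay:", verify_totp(SECRET, "287082", now=59, last_counter=step))
```

The caller stores the returned counter per user and passes it back as `last_counter`, so a code observed once cannot be reused inside its validity window.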

AD-based security questions

When this method is enabled, the security questions are linked to an AD attribute, and users are successfully authenticated when their answers match that specific attribute value.

Microsoft Authenticator

When Microsoft Authenticator is enabled, the user is required to open the app and enter the code displayed in Microsoft Authenticator to prove their identity.

YubiKey Authenticator

ADSelfService Plus supports YubiKey, an authentication device that identifies itself as a keyboard and delivers the one-time password over the USB HID protocol. Once enrolled, users can use YubiKey to prove their identity.

SAML Authentication

When SAML Authentication is enabled, the user is required to authenticate with the chosen identity provider (IdP) to prove their identity.

Zoho OneAuth TOTP

With Zoho OneAuth TOTP enabled, the user is required to open the Zoho OneAuth app and enter the 6-digit one-time passcode to prove their identity.

Custom TOTP Authenticator

Users simply need to enter the one-time passcode from the configured custom TOTP application to prove their identity.

Smart Card Authentication

When this method is enabled, a pop-up with a list of certificates to choose from appears in the browser. The chosen certificate is then matched with the userCertificate value in Active Directory for identity verification.


  1. With a two-factor authentication solution, even if a hacker steals a user's password, the hacker would still need access to the user’s mobile or email.
  2. 2FA helps with HIPAA, GDPR, PCI DSS, SOC 2, SOX, and GLBA compliance and with procuring cyber insurance.
  3. Ensure ease-of-use without sacrificing security by configuring different levels of authentication factors for users with different levels of privileges.

Safeguard user access to endpoints with a second factor of authentication.



Password self-service

Free Active Directory users from lengthy help desk calls by allowing them to self-service their password reset and account unlock tasks. Hassle-free password change for Active Directory users with the ADSelfService Plus ‘Change Password’ console.

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Notify Active Directory users of their impending password/account expiry by mailing them password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by requiring Active Directory users to choose compliant passwords and displaying the password complexity requirements.

Directory Self-Update and Corporate Search

A portal that lets Active Directory users update their own information, and a quick search facility for finding information about peers using search keys, such as the contact number of the person being searched for.
