- Free Edition
- Quick Links
- Multi-factor authentication
- Active Directory MFA
- Endpoint MFA
- Windows login MFA
- Two-factor authentication
- Conditional access
- Offline MFA
- FIDO2 MFA
- Passwordless authentication
- MFA for VPN logons
- MFA for OWA logons
- MFA for Microsoft 365 users
- MFA for UAC
- MFA for remote and local macOS logons
- MFA for remote and local Linux logons
- MFA for Windows servers
- MFA for RDP
- Device-based MFA
- MFA for cloud apps
- Phishing-resistant MFA
- Adaptive MFA
- Password management
- Self-service password reset
- Self-service account unlock
- Password expiration notifications
- Password synchronization
- Password policy enforcer
- Web-based domain password change
- Cached credentials update
- Reporting and auditing
- Password self-service from logon screens
- Help-desk-assisted password reset
- Mobile password management
- Password security and compliance
- Password management and security
- Single sign-on
- Remote work enablement
- Enterprise self-service
- Reporting and auditing
- Zero trust
- Integrations
- Security
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- Exchange Reporter Plus Exchange Server Auditing & Reporting
- EventLog Analyzer Real-time Log Analysis & Reporting
- M365 Manager Plus Microsoft 365 Management & Reporting Tool
- DataSecurity Plus File server auditing & data discovery
- RecoveryManager Plus Enterprise backup and recovery tool
- SharePoint Manager Plus SharePoint Reporting and Auditing
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools
Two-factor authentication for Windows logons
With password breaches occurring on a daily basis, relying solely on authenticating with usernames and passwords for Windows logins is no longer enough. It's essential to add additional layers of security to filter out unauthorized users. Implementing a two-factor authentication (2FA) solution in your organization adds additional layers of security through authentication methods such as passkeys, biometrics, Google Authenticator, and YubiKey to block unauthorized access.
Implementing 2FA for Windows logon with ADSelfService Plus
With ADSelfService Plus' 2FA for Windows logon feature enabled, users have to authenticate themselves in two successive stages to access their Windows machines. The first level of authentication happens using their usual Windows AD credentials. Admins can choose from a wide range of authentication factors for the second authentication level. Besides Windows machine logins, ADSelfService Plus provides 2FA for RDP logins, Windows User Account Control (UAC) prompts, and Windows servers.
ADSelfService Plus offers the following authentication factors:
- Biometric authentication (e.g., fingerprint, facial recognition)
- FIDO passkeys
- Duo Security
- RSA SecurID
- Entra ID MFA
- RADIUS
- Microsoft Authenticator
- Google Authenticator
- YubiKey authentication
- Email verification
- SMS verification
- Time-based one-time password (TOTP)
- Custom TOTP authenticator
- Zoho OneAuth TOTP
- Push notifications
- QR code-based authentication
- SAML authentication
- Smart card authentication
- Security questions and answers
- AD-based security questions
Click here to learn more about these authentication factors.
ADSelfService Plus offers 20 different authentication factors for admins to choose from. These ensure that even if an unauthorized user gains access to a user's credentials, the machine will still be protected by a second authentication factor.
How does 2FA for Windows logons work?
- When configured, users logging into their Windows machines must first verify their identities using their AD domain credentials.
- Next, they complete the Windows 2FA process by authenticating with a time-sensitive code sent via SMS, email, or a 2FA method configured by the admin. Depending on the configuration, users may need to verify through one or more authentication methods.
- Finally, users are logged in to their Windows machines once they have successfully verified their identities against the configured authentication methods.
- This enterprise 2FA solution supports both local and RDP 2FA, providing enhanced login security.
Customize Windows 2FA to suit your organizational requirements
Admins can customize ADSelfService Plus' Windows 2FA feature to align with their organization's specific security requirements.
- Configure different numbers of authentication factors for users based on their OUs and groups.
- Enforce mandatory authentication factors for enhanced security.
- Allow selected users to skip the Windows 2FA process when using a trusted device. Trusted devices refers to devices that have been previously authenticated through the 2FA process. This trust remains valid for a set period, after which re-authentication is necessary.
This flexible Windows logon 2FA solution ensures secure access while balancing security and convenience. Besides 2FA for Windows logins, ADSelfService Plus also provides 2FA for the following endpoints.
Machine-based 2FA
ADSelfService Plus offers machine-based 2FA, where the Windows logon 2FA is triggered based on the device policy settings rather than individual user account settings. When enabled, all users logging into a specific machine must verify their identities using 2FA. Admins can configure authentication methods for machine-based 2FA, selecting from a range of authenticators similar to those available in the standard Windows logon 2FA feature. Learn more
2FA for remote desktops
ADSelfService Plus offers 2FA for RDP, which secures remote Windows logons with additional authentication methods. It allows admins to prompt 2FA for RDP connections to the client machine (also known as the host machine) or the target machine. On enabling the RDP client-based 2FA feature, IP-based conditional access can be achieved for RDP-based logins. ADSelfService Plus allows admins to customize the authenticators to be prompted for RDP 2FA from the multiple authenticators it offers. Learn more
2FA for Windows Server
Enforcing 2FA for Windows Server logins is crucial for protecting critical servers from unauthorized access. Windows Server often stores sensitive data and runs essential services, making it a gold mine for threat actors. By implementing Windows Server 2FA with authentication methods like biometrics and one-time passwords, ADSelfService Plus ensures that even if credentials are compromised, attackers cannot gain access to your Windows Server instances. This feature is compatible with Windows Server 2008 and above. Learn more
2FA for Windows UAC
ADSelfService Plus offers 2FA for Windows User Account Control (UAC), ensuring elevated system activities on standard user accounts are protected. When enabled, 2FA is triggered for all UAC credential prompts, allowing users to perform administrative actions only after successful identity verification. ADSelfService Plus offers multiple authentication factors for Windows UAC 2FA. This feature is compatible with Windows 7 and above, as well as Windows Server 2008 and above. Learn more
Offline 2FA
ADSelfService Plus provides offline 2FA for Windows machines, ensuring secure Windows login even when users are remote, offline, or unable to connect to the ADSelfService Plus server. Administrators can configure multiple 2FA methods for secure logins. To enable offline access, users must enroll in their chosen authentication factors while online. This Windows 2FA solution enhances security for remote workers, ensuring continuous protection even without internet connectivity. Learn more
System requirements for the ADSelfService Plus 2FA login agent
The following are the Windows OS versions that the ADSelfService Plus login agent supports for enabling 2FA for Windows logon and RDP-based access.
Windows Server
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
Client machines
- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Vista
Apart from the Windows OS, ADSelfService Plus also supports 2FA for macOS and Linux OSs.
Benefits of implementing password policies using ADSelfService Plus
- Improved security: Windows 2FA ensures improved security so that even if the passwords are compromised, unauthorized users will still need access to the email or phone of an authorized user to be able to log in to the Windows machines.
- Wide variety of authenticators: There are 20 different authenticators in ADSelfService Plus, giving IT administrators a wide variety of options to choose from to set up an authentication mechanism for their users.
- Different authenticators for different users: ADSelfService Plus also offers administrators the ability to configure 2FA based on users' OUs, groups, and domain memberships. So users with different privileges can have different levels of authentication.
- Device trust options for an enhanced user experience: With ADSelfService Plus, users can enable the trusted devices option to quickly log in to their machines without performing 2FA for a specified duration after initial identity verification.
FAQs
Windows two-factor authentication (2FA) means securing logons to Windows machines using more than one factor of authentication to verify a user's identity before giving them network access.
Windows supports MFA, but not natively. You'll need to implement it through a third-party 2FA solution like ADSelfService Plus.
Yes, by implementing 2FA for Windows logins, you can add extra layers of security to users' machines. Guarding machine logons using only a single factor—traditionally a username and password—leaves them vulnerable to attacks. However, incorporating additional authentication measures fortifies machines in your organization and safeguards them against breaches and attacks.
By using ADSelfService Plus to secure Windows and RDP-based logins, you can choose your preferred methods from a range of authenticators like biometrics, Duo Security, push notification authentication, Microsoft Authenticator, Google Authenticator, YubiKey, and email verification.
You can safeguard Windows machines in your organization by implementing ManageEngine ADSelfService Plus' Windows logon 2FA for local and remote logons. Apart from Windows machines, ADSelfService Plus provides 2FA for Linux and macOS machines as well. You can also enjoy other 2FA features of ADSelfService Plus, like:
To gain a better understanding of ADSelfService Plus' 2FA capability, please schedule a personalized web demo with one of our solution experts or download a free, 30-day trial to explore the solution on your own.
You can easily deploy 2FA for the machines in your organization with a few simple steps using ADSelfService Plus. ADSelfService Plus allows you to enable more than two authenticators during logins and includes strong authenticators such as biometrics and YubiKey.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Enforce Windows AD users to adhere to compliant passwords by displaying password complexity requirements.
