Two-factor authentication for Windows logons

With the sophistication of security breaches increasing everyday, relying only on usernames and passwords to secure users' accounts is no longer an option. It's essential to add additional layers of security to filter out unauthorized users. This is possible using two-factor authentication (2FA), a method in which users' identities are verified with additional authentication methods like biometrics, Google Authenticator, and YubiKey.

Implementing 2FA for Windows logons with ADSelfService Plus

With ADSelfService Plus' 2FA for Windows server login feature enabled, users have to authenticate themselves in two successive stages to access their Windows machines. The first level of authentication happens using their usual Windows AD credentials. For the second level of authentication, admins can configure one or more authentication factors that ADSelfService Plus offers.

ADSelfService Plus offers 19 different authentication factors for admins to choose from. These ensure that even if an unauthorized user gains access to a user's credentials, they still cannot gain access to the user's machine.

How 2FA for Windows logons works

• When configured, users logging in to their Windows machines will first need their AD domain credentials to prove their identities.
• Next, users must authenticate themselves using the time-sensitive authentication code sent to their SMS or email, or through a third-party authentication provider. Depending on the administrator's configurations, they may need to authenticate themselves through one or more methods.
• Finally, users are logged in to their Windows machines once they have successfully authenticated themselves.
• The 2FA process is prompted even for RDP logons, similar to local logons when configured.

Customize Windows 2FA for your organization

Admins can customize ADSelfService Plus' Windows 2FA feature to suit their organization's needs as follows:

• Different numbers of authentication factors can be configured for different users based on the OUs and groups to which they belong.
• Certain authentication factors can be made mandatory.
• Selected users can be allowed to skip the 2FA process when a trusted device is used. A trusted device is a device that a user has already used to go through the 2FA process. Trust is built only for a particular number of days, after which the user must re-authenticate for the same device.

2FA for remote desktops

With organizations adopting hybrid work environment, RDP connections need to be secured thoroughly. However, weak passwords, frail encryption mechanisms, and lack of access controls are major vulnerabilities that make RDP connections a common target for cyberattacks. When 2FA for Windows logon is enabled, additional authentication methods are added to both local and remote Windows logons.

2FA for remote desktops is similar to the local Windows logon methods, except for the fact that the second authentication factor is triggered during the remote desktop gateway connection.

System requirements for the ADSelfService Plus 2FA login agent

The following are the Windows operating system versions that the ADSelfService Plus login agent supports for Windows logon and RDP access.

Supported versions

Servers

• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008

Clients

• Windows 11
• Windows 10
• Windows 8.1
• Windows 8
• Windows 7
• Windows Vista

Apart from the Windows operating system, ADSelfService Plus supports 2FA for macOS and Linux operating systems.