
Windows logon MFA

Windows login multi-factor authentication

Double the protection against security breaches

With the sophistication of security breaches increasing every day, relying only on usernames and passwords to secure users' accounts is no longer an option. It has become necessary to add further layers of security to filter out unauthorized users. Two-factor authentication (2FA) and multi-factor authentication (MFA)—methods in which user identities are verified with additional authentication methods like biometrics, Google Authenticator, and YubiKey—make this possible.

Logging in to Windows with ADSelfService Plus' MFA feature

With ADSelfService Plus' MFA for Machine Logins feature enabled, users have to authenticate themselves in two successive stages to access their Windows machines. The first level of authentication is through the usual Windows Active Directory credentials. The second level of authentication can be through one of the following:

Implementing MFA during Windows logins greatly reduces the risk to sensitive data, even in cases where passwords are compromised. This means that even if unauthorized users gain access to a user's password, they still need access to the user's phone or email to get the verification code.

On top of this, SMS and email-based verification codes along with authentication codes from Google Authenticator, YubiKey, Microsoft Authenticator, and Duo Security are unique to each user. These codes can only be used once and will expire if they aren't used within a certain period.

Multi-factor authentication for remote desktops

When Windows logon MFA is enabled, it adds MFA to all local and remote Windows login attempts. MFA is even more important for users trying to access an organization's internal resources remotely.

Virtual private network solutions facilitate remote access but are susceptible to data breaches. ADSelfService Plus offers MFA for VPNs to strengthen VPN security. In addition to providing a username and password to the VPN server, users must complete the additional authentication factors configured by the administrator before they can access their company's resources.

How MFA for Windows logons works

  • When configured, users logging in to their Windows machines will need Active Directory domain credentials to prove their identities.
  • Next, users must authenticate themselves using the time-sensitive authentication code sent to them by SMS or email, or through a third-party authentication provider. Depending on the administrator's configurations, they may need to authenticate themselves through more than one method.
  • Finally, users are logged in to their Windows machines after successful authentication through all factors.


Customize MFA for your organization

Administrators can customize ADSelfService Plus' MFA features based on their organization's needs. Some of the different ways in which MFA can be customized are listed below:

  • ADSelfService Plus lets administrators set a different number of authentication factors for different users. This is a crucial provision, considering that certain users, such as those working from remote networks rather than the office network, are more prone to having their passwords compromised.
  • Different authentication factors can be enabled for different users based on the OUs and groups to which they belong.
  • ADSelfService Plus also has options to make certain authentication factors mandatory.
  • Administrators have the provision to allow users to log in to their Windows machines without having to go through MFA every time they log in if they are accessing from a trusted device. A trusted device is a device that users have already used to go through the MFA process to authenticate themselves. This saves valuable time for the users.

Benefits

 

Improved security

MFA ensures that even if the passwords are compromised, unauthorized users will still need access to the email or phone of an authorized user to be able to log in to their Windows machine. This ensures greater security.

 

Wide variety of authenticators

There are fifteen different authenticators in ADSelfService Plus, giving IT administrators a wide variety of options to choose from to set up an authentication mechanism for their users.

 

Different authenticators for different users

ADSelfService Plus also offers administrators the ability to configure MFA based on users' OU, group, and domain memberships. So users with different privileges can have different levels of authentication.

 

Support for different Windows operating systems

ADSelfService Plus works on Windows Vista and all later Windows operating systems, and on Windows Server 2008 and all later Windows Server operating systems.


Enable MFA for Windows logins:

  • Use one or more of fifteen different available authenticators.
  • Configure MFA based on domain, OU, or group membership.