Pricing  Get Quote

Windows logon MFA

Windows login multi-factor authentication

Double the protection against security breaches

With the sophistication of security breaches increasing every day, relying only on usernames and passwords to secure users' accounts is no longer an option. It has become necessary to add additional layers of security to filter out unauthorized users. Two-factor authentication (2FA) and multi-factor authentication (MFA)—methods in which user identities are verified with additional authentication methods like biometrics, Google Authenticator, and YubiKey—make this possible.

Logging in to Windows with ADSelfService Plus' MFA feature

With ADSelfService Plus' MFA for Machine Logins feature enabled, users have to authenticate themselves in two successive stages to access their Windows machines. The first level of authentication is through the usual Windows Active Directory credentials. The second level of authentication can be through one of the following:

Implementing two-factor authentication (2FA) or MFA during Windows logins greatly reduces the risk to sensitive data, even in cases where passwords are compromised. This means that even if unauthorized users gain access to a user's password, they still need access to the user's phone or email to get the verification code.

As part of Windows MFA option in ADSelfService Plus, you can enable SMS/email-based OTP, Google Authenticator, YubiKey, biometric, and Duo Security as an additional authentication step. These MFA methods are unique to each user, and hence, are safer than just using passwords.

How MFA for Windows logons works

  • When configured, users logging in to their Windows machines will need Active Directory domain credentials to prove their identities.
  • Next, users must authenticate themselves using the time-sensitive authentication code sent to their SMS or email, or through a third-party authentication provider. Depending on the administrator's configurations, they may need to authenticate themselves through more than one method.
  • Finally, users are logged in to their Windows machines after successful authentication through all factors.

windows logon two factor authentication workflow

Multi-factor authentication for remote desktops

When Windows logon 2FA or MFA is enabled, it adds multiple authentication methods to all local and remote Windows login attempts. MFA is even more important for users trying to access an organization's internal resources remotely.

Virtual private network solutions facilitate remote access but are susceptible to data breaches. ADSelfService Plus offers MFA for VPNs to strengthen VPN security. In addition to the username and password provided to the VPN server by the user, users will need to undergo additional factors of authentication, as configured by the administrator, to be able to access their company's resources.

How 2FA or MFA for Remote Desktop (RDP) works

Weak passwords, frail encryption mechanisms, and lack of access controls are few major vulnerabilities that make RDP connections a common target for malware and ransomware attacks. With organizations adopting hybrid work environment, RDP connections need to be secured thoroughly. In RDP MFA or VPN MFA, we can define the terms under which a particular remote setup goes through 2FA or MFA. For example, RDPs that pass through a particular gateway. The workings of 2FA or MFA for remote desktop are very similar to the local Windows/machine logon methods, except the second or multiple factors of authentication are triggered during the RD gateway connection.

Customize Windows 2FA or MFA for your organization

Administrators can customize ADSelfService Plus' MFA features based on their organization's needs. Some of the different ways in which MFA can be customized are listed below:

  • ADSelfService Plus has the provision for administrators to set a different number of authentication factors for different users. This is a crucial provision, considering that certain users are more prone to having their passwords compromised, such as those working from remote networks rather than those using the office network.
  • Different authentication factors can be enabled for different users based on the OUs and groups to which they belong.
  • ADSelfService Plus also has options to make certain authentication factors mandatory.
  • Administrators have the provision to allow users to log in to their Windows machines without having to go through MFA every time they log in if they are accessing from a trusted device. A trusted device is a device that users have already used to go through the MFA process to authenticate themselves. This saves valuable time for the users.



Improved security

Windows two factor authentication (2FA) and MFA ensure that even if the passwords are compromised, unauthorized users will still need access to the email or phone of an authorized user to be able to log in to their Windows machine. This ensures greater security.


Wide variety of authenticators

There are fifteen different authenticators in ADSelfService Plus, giving IT administrators a wide variety of options to choose from to set up an authentication mechanism for their users.


Different authenticators for different users

ADSelfService Plus also offers administrators the ability to configure MFA based on users' OU, group, and domain memberships. So users with different privileges can have different levels of authentication.


Support for different Windows operating systems

ADSelfService Plus works for Windows Vista and all Windows operating systems released after, including Windows Server 2008 and all Windows Server operating systems released after.

Implementing MFA for RDP across various device types and operating systems

ADSelfService Plus supports remote desktop multi-factor authentication for the following operating systems,

Other endpoints supported:

  • Top VPN providers like Fortinet, Cisco AnyConnect, Pulse, and more
  • Endpoints supporting RADIUS authentication such as Citrix Gateway, VMWare Horizon, and Microsoft Remote Desktop Gateway (RDP)
  • Outlook Web access (OWA) logins

Here's how it works:


Enable MFA for Windows logins:

  • Use one or more of fifteen different available authenticators.
  • Configure MFA based on domain, OU, or group membership.
Try ADSelfService Plus for free!

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, Google Workspace, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management