As a general rule, administrators need to consider additional security measures when they grant end users control over their own password resets and account unlocks. Security questions are one option, but they have proven to be weak and easy to crack (just ask the Hollywood celebrities!). It makes sense to include multi-factor authentication when end users reset their own passwords: it not only increases security, it is also a process end users are already familiar with from their experience with web-based applications.
ADSelfService Plus from ManageEngine provides multi-factor authentication with three options:
- SMS to mobile phone
- Google Authenticator
You can see the options for multi-factor authentication in Figure 1.
Figure 1. Multi-factor authentication in ADSelfService Plus.
This added level of security ensures that your users prove they are legitimate before they can reset their password or unlock their account. Since these authentication methods do not require the user to enter an existing password, they increase the security of the overall process and of your network.
If you already have ADSelfService Plus, be sure to check out these new features. If you do not have ADSelfService Plus, you can give it a test run by downloading it here.