A few decades ago, organizations were content knowing their network resources were password protected. With the increasing number of security breaches and digital crime, being password protected doesn’t carry as much weight as it once did.

According to Verizon’s 2018 Data Breach Investigations Report, 81 percent of hacking-related breaches involved stolen or weak passwords. Attackers target passwords because a password only proves that whoever presents it knows it; it cannot tell the legitimate user from an attacker who phished, guessed, or bought it. The moral of the story: passwords are a single point of failure, and complexity rules (length, mixed case, special characters) do nothing for an account whose password has already been stolen or reused elsewhere.

Two-factor authentication (TFA)

Hack-proof passwords are a myth. So what else can we do to secure data? Beyond making passwords stronger, we must add a second, independent check to the authentication process. TFA verifies that users are who they say they are by combining something they know (their password) with something they have (a phone, mailbox, token, or authenticator app that receives or generates a one-time password, OTP). The username is not a secret and does not count as a factor. Note that SMS and email are the weakest delivery channels for an OTP: a SIM swap or a compromised mailbox hands the second factor to the attacker, so a push notification or hardware token is preferable where users can be equipped with one.

TFA adds a second step to the verification process, so an attacker has to compromise two independent factors rather than one. Even if a malicious user obtains your password by brute force, phishing, or from a credential dump, they would still need the OTP delivered to your device, which is valid only for a short window and for a single use, to complete the logon.

Logging in to Windows with ADSelfService Plus

With ADSelfService Plus’ Windows Logon TFA feature enabled, users must authenticate in two successive stages to access their Windows machines: first with their AD domain credentials, and second through one of the following:

  1. SMS or email-based OTPs.

  2. Duo Security (via phone call or push notification).

  3. RSA SecurID.

  4. RADIUS.

ADSelfService Plus’ TFA in action

  1. When users log in to their Windows machine, they will be prompted to enter their AD domain username and password as the first level of authentication. After successful authentication, the ADSelfService Plus authentication wizard will open.

  2. Next, users are asked to authenticate with an OTP or through one of the configured third-party authentication providers (Duo Security, RSA SecurID, or RADIUS).

  3. Once their identity is verified, users are successfully logged in to their Windows machines.

Figure 1: How Windows logon with TFA works.
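The two-stage check described in the steps above, written out as an added example. This is generic illustration code for this page, not ADSelfService Plus code, and it does not model that product's internals: the password stage stands in for the domain credential check, and the OTP stage issues a random six-digit code with a short lifetime, stores only its hash, and accepts it once. The user record, the function names (check_password, issue_otp, check_otp, logon), and the 120-second lifetime are assumptions; delivery over SMS or email is simulated by returning the code from issue_otp, which a real system must never do.

```python
"""Two-stage (password + OTP) logon check, as an added illustration.

Generic example written for this page; not ADSelfService Plus code.
The SMS/email channel is simulated by returning the OTP to the caller;
a real deployment sends it out of band and never returns it to the login flow.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

OTP_LIFETIME_SECONDS = 120   # assumed value: how long an issued OTP stays valid
OTP_DIGITS = 6


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored passwords are not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store for the example: password hashes, never plaintext.
_salt = os.urandom(16)
USERS = {
    "alice": {"salt": _salt, "pw_hash": _pbkdf2("Winter2018!", _salt), "phone": "+1-555-0100"},
}

# Outstanding OTPs per user: (sha256 of the code, expiry timestamp). Single use.
_pending_otps: Dict[str, Tuple[bytes, float]] = {}


def check_password(username: str, password: str) -> bool:
    """Stage 1: verify the password against the stored PBKDF2 hash."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _pbkdf2(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_pbkdf2(password, user["salt"]), user["pw_hash"])


def issue_otp(username: str, now: Optional[float] = None) -> str:
    """Stage 2a: generate a random short-lived OTP and record only its hash.

    Returns the code to simulate delivery; a real system sends it to the
    user's phone or mailbox here and returns nothing.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending_otps[username] = (hashlib.sha256(code.encode()).digest(),
                               now + OTP_LIFETIME_SECONDS)
    return code


def check_otp(username: str, code: str, now: Optional[float] = None) -> bool:
    """Stage 2b: accept the OTP exactly once, and only before it expires.

    The pending entry is removed even on a wrong guess, so each issued code
    allows a single attempt and cannot be brute-forced at leisure.
    """
    now = time.time() if now is None else now
    entry = _pending_otps.pop(username, None)
    if entry is None:
        return False
    code_hash, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash)


def logon(username: str, password: str, otp: Optional[str],
          now: Optional[float] = None) -> str:
    """Full flow: stage 1 must pass before the OTP is even looked at."""
    if not check_password(username, password):
        return "denied: bad credentials"
    if otp is None:
        return "otp required"
    if not check_otp(username, otp, now):
        return "denied: bad or expired otp"
    return "logged in"


if __name__ == "__main__":
    code = issue_otp("alice")                      # "sent" to alice's phone
    print(logon("alice", "Winter2018!", None))     # otp required
    print(logon("alice", "Winter2018!", code))     # logged in
    print(logon("alice", "Winter2018!", code))     # denied: reuse of a spent OTP
```

The `now` parameter exists so expiry can be exercised deterministically; production code would simply use the clock. The point the page makes is visible in the flow: a correct password with no OTP, a correct OTP with the wrong password, a reused OTP, and an expired OTP are all refused, so a stolen password on its own is not enough.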

There’s more!

  • Enforce TFA at the granular level: Everyone has different needs. Some users are comfortable with OTPs, others with push notifications. ADSelfService Plus lets you configure TFA by domain, OU, or group membership, so each set of users gets the method that suits them. When scoping policies this way, check that every account, privileged accounts in particular, falls under at least one policy; an OU or group left out of every policy still logs in with a password alone.

Best of all, ADSelfService Plus is completely free to use for up to 50 users. So go ahead and give ADSelfService Plus a try to see all these features in action yourself.