Phishing-resistant MFA with ADSelfService Plus

Attackers predominantly use phishing attacks to steal and misuse user identities. A global Statista study on employee-reported malicious emails revealed that in the first quarter of 2023, 58.2% of malicious emails were credential theft attacks, 40.5% were impersonation attacks, and 1.3% were malware deliveries. Phishing attacks create a sense of urgency and panic in users, who, as a result, easily fall victim to them. It is important for IT administrators to intervene by deploying phishing-resistant authentication methods to prevent such attacks.

What is FIDO2 authentication?

FIDO2 authentication is an open authentication standard developed by the Fast Identity Online (FIDO) Alliance. It uses public key cryptography to authenticate identities. FIDO2 is a passwordless, phishing-resistant authentication standard. It is compatible with various vendors’ authentication mechanisms, including hardware, mobile, and biometric authenticators, and it works in a wide range of browsers and operating systems.

Why is FIDO2 authentication making the news?

FIDO2 authentication is significant in identity management because it is both phishing-resistant and passwordless. It is phishing-resistant because it does not share user credentials between services. FIDO2 uses WebAuthn APIs and public key cryptography, so each credential takes the form of a public and private key pair. During authentication, the exchange is carried out with those keys, and the credentials themselves are never exposed to the network. So, even if a service is compromised, the data obtained cannot be used to access other services. FIDO2 authentication also defends against replay and manipulator-in-the-middle attacks.
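The server-side checks behind those properties, as an added Node.js example (not ADSelfService Plus code): a simulated authenticator signs a WebAuthn-style assertion, and the relying party rejects it when it is replayed or was produced on a look-alike origin. The domains, helper names, and the simplified data layout are constructed assumptions; registration, attestation, and the browser's own rpId check are not modeled.

```javascript
// Added illustration, not ADSelfService Plus code; domains and names are constructed.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: holds the private key; the service only ever receives publicKey.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    publicKey,
    // `origin` is filled in by the browser, so a look-alike page cannot choose it.
    getAssertion(origin, challenge) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const count = Buffer.alloc(4);
      count.writeUInt32BE(++counter);
      // rpIdHash (32 bytes) | flags (0x01 = user present) | signature counter
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), count]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Relying party: checks type, origin, single-use challenge, rpIdHash, then the signature.
function verifyAssertion(rp, pending, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.origin !== rp.origin) return 'origin-mismatch';
  if (!pending.delete(client.challenge)) return 'unknown-or-replayed-challenge';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(rp.id))) return 'rpid-mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, rp.publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const rp = { id: 'example.com', origin: 'https://login.example.com' };
  const authenticator = makeAuthenticator(rp.id);
  rp.publicKey = authenticator.publicKey; // registration: server stores the public key only
  const pending = new Set(); // challenges issued but not yet consumed
  const issue = () => { const c = crypto.randomBytes(32); pending.add(c.toString('base64url')); return c; };
  const good = authenticator.getAssertion(rp.origin, issue());
  const legit = verifyAssertion(rp, pending, good);
  const replay = verifyAssertion(rp, pending, good); // same assertion sent twice
  const phished = verifyAssertion(rp, pending, // challenge relayed through a look-alike origin
    authenticator.getAssertion('https://login.example.com.evil.test', issue()));
  return { legit, replay, phished };
}
console.log(demo());
```

A production relying party would also enforce the user-verification flag and compare the signature counter against the last stored value.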

FIDO2 authentication is passwordless, which means it replaces passwords with device-native authentication mechanisms (such as Windows Hello and Apple Touch ID) and portable security keys. Passwordless authentication using FIDO2 MFA reduces the additional costs involved in enterprise password management and provides an enhanced login experience for end users.

FIDO2 passwordless authentication with ADSelfService Plus

ADSelfService Plus provides FIDO2 authentication to secure enterprise applications, OWA, and self-service actions performed using ADSelfService Plus’ web portal. It supports both platform FIDO2 authenticators (such as Windows Hello, Apple Touch ID, and Android biometrics) and roaming FIDO2 authenticators (such as YubiKey, Google Titan Security Key, and Precision Biometric InnaITKey). With a simple, interactive console, ADSelfService Plus provides hassle-free FIDO2 enrollment and authentication for end users.

To keep track of users’ enrollment and authentication activity, ADSelfService Plus generates comprehensive FIDO2 reports including data such as each user’s FIDO2 enrollment status, the device used, the credential type, and the timestamp. Using these reports, administrators can instantly disenroll users from FIDO2 credentials upon detecting suspicious activities.

Customizable FIDO2 authenticator configurations in ADSelfService Plus

Comprehensive reports on users’ FIDO2 enrollment statuses

A user-friendly console for easy FIDO2 enrollment and authentication

Benefits of FIDO2 passwordless logins with ADSelfService Plus

  • No passwords or phishing: ADSelfService Plus leverages platform and roaming FIDO2 authenticators to provide passwordless, phishing-resistant authentication.

  • Customizable MFA controls: ADSelfService Plus provides customizable controls for FIDO2 MFA, allowing users to enroll up to three FIDO2 credentials corresponding to various devices and platforms.
