MFA for on-premises and cloud applications

The increasing number of enterprise applications in today's hybrid work environment is attracting unwanted attention from attackers trying to steal and misuse identities. Hackers can easily trick users into disclosing their credentials through phishing, keylogger, or manipulator-in-the-middle (MITM) attacks. And traditional authentication mechanisms involving just usernames and passwords cannot withstand these modern-day attacks.

To defend enterprise applications against these cyberattacks, organizations should deploy MFA techniques wherein additional factors aside from usernames and passwords are implemented to fortify end-user application logins. Besides MFA, enterprise applications can also be secured using strong and custom password policies. Click here to learn more about these policies.

Securing enterprise application logins using ADSelfService Plus

ManageEngine ADSelfService Plus, an Active Directory MFA, SSO, and self-service password management solution, protects access to on-premises and cloud applications with strong MFA techniques such as phishing-resistant FIDO2 authentication and biometrics. On enabling SSO using ADSelfService Plus for enterprise applications such as Google Workspace and Salesforce, you can easily secure your organization's user identities.

When SSO is enabled, users must always authenticate themselves in ADSelfService Plus—first using their username and password and then through MFA authenticators chosen by you. Only then will users be able to access applications assigned to them. MFA for enterprise applications ensures that even when hackers compromise a user's credentials, they cannot gain access to the application and its data. ADSelfService Plus supports MFA for on-premises and cloud application logins initiated by both identity providers (IdPs) and service providers (SPs).

How it works

During IdP-initiated logins

• In IdP-initiated SSO, users access necessary applications by first logging in to the ADSelfService Plus portal using MFA.
• While logging in to the ADSelfService Plus portal, users must authenticate themselves with the authentication methods that you have configured for them.
• After successfully logging in to the portal, users can enjoy single-click access to the applications assigned to them from ADSelfService Plus' application dashboard.

During SP-initiated logins

• In SP-initiated SSO, users first access the enterprise application they need and are then redirected to ADSelfService Plus' login page for identity verification.
• In ADSelfService Plus' login page, users must verify their Active Directory credentials after which they need to authenticate themselves with the MFA methods that have been configured for them.
• After successful identity verification, they are redirected back to the application, which they can now access.

A comprehensive set of authentication factors

ADSelfService Plus supports the following authentication methods to secure enterprise applications:

Learn more about the MFA authenticators that ADSelfService Plus supports for on-premises and cloud application logins.

Benefits of MFA for enterprise applications using ADSelfService Plus

• Policy-based security for cloud applications: Apply different authentication factors for different users and even control access to cloud apps by configuring OU- and group-based policies.
• Risk-based automated access control: Deploy conditional access to automatically enforce specific authenticators or change the number of authenticators based on risk factors such as IP address, time of access, device, and geolocation.
• Regulatory compliance: Meet NIST SP 800-63B, GDPR, PCI DSS, and HIPAA compliance mandates by implementing MFA for enterprise applications.

ADSelfService Plus uses the tried-and-tested Windows Active Directory domain credentials as the first factor of authentication. For the second factor, ADSelfService Plus supports strong factors such as biometrics, FIDO passkeys, smart card, Duo Security, RSA SecurID, RADIUS server, Google Authenticator, and verification codes sent via SMS or email.