Authentication

Configuring QR code-based authentication for Active Directory-based actions

QR code-based authentication is a multi-factor authentication (MFA) method in which users scan a QR code with an app to verify their identity. When authenticating to a service using MFA, users first provide their account credentials; once these are validated, a QR code is displayed. Users then scan this code using the authentication app on their mobile device. Because scanning the code takes mere seconds, the method is quick and simple, and it is widely employed for a variety of identity verification applications.

QR code-based MFA is much needed for Active Directory user actions. By default, domain logins and self-service actions like password reset and account unlock only require users to enter their domain account credentials. Adding QR code-based authentication provides a boost in security that is essential during such sensitive actions. A perfect solution would be a product that features self-service actions like password reset, account unlock, and directory self-update that are secured by QR code-based authentication and other MFA methods.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, is one such product. Its MFA feature secures not just self-service actions but also:

  1. Windows, macOS, and Linux logins.
  2. Enterprise application logins through single sign-on (SSO).
  3. Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

ADSelfService Plus supports MFA with 15 methods of authentication including QR code-based authentication, Google Authenticator, YubiKey Authenticator, and RSA SecurID.

QR code-based authentication for MFA can be enabled with minimal steps in ADSelfService Plus:

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.

    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected.

  3. Click the QR Code-based Authentication section.
  4. Select Enable QR Code-based Authentication.

Note: Users need to download the ADSelfService Plus iOS or Android mobile app to use this authentication technique.

Enable QR code-based authentication for Active Directory password resets

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select QR Code Based Authentication along with the other authentication techniques to be used.
  2. Click Save Settings.

Enable QR code-based authentication for Active Directory domain logins

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the Endpoint MFA section, select QR Code Based Authentication from the drop-down.
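  2. Enable the "Bypass TFA if ADSelfService Plus is down" option. With this option enabled, domain logins proceed without the second factor whenever ADSelfService Plus is down.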
  3. Click Save Settings.

Note:

To enable MFA for Active Directory domain logins:

  • The ADSelfService Plus login agent must be installed on client machines.
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option.

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.