Multi-factor authentication techniques in ADSelfService Plus
Let's take a look at the various authentication methods supported by ADSelfService Plus for enterprise multi-factor
authentication.
Why multi-factor authentication?
Authentication based solely on usernames and passwords is no longer considered secure. Password-based authentication
alone leaves user accounts vulnerable to threats like brute-force and dictionary attacks. To mitigate such security
risks, ADSelfService Plus verifies users' identities using multi-factor authentication along with the default Active
Directory credentials. ADSelfService Plus uses multi-factor
authentication for identity verification during:
Various authentication techniques available in ADSelfService Plus
- FIDO passkeys: FIDO2 authentication, developed by the Fast Identity Online (FIDO)
Alliance, uses Web Authentication (WebAuthn) APIs and public key cryptography for identity verification. FIDO2
authentication is passwordless and resists phishing, replay, and manipulator-in-the-middle (MITM) attacks. With
ADSelfService Plus, you can enable FIDO2
authentication to secure enterprise apps, OWA, and web-based self-service activities. Users can
authenticate with passwordless methods such as Windows Hello, Apple Touch ID, Android biometrics, and FIDO2- and
U2F-compliant security keys.
- Biometric authentication: Users with Android or iOS mobile devices containing a
fingerprint or facial sensor can use this method for identity verification. Enrollment is performed using the
ADSelfService Plus mobile app. The steps to enroll will be displayed on the Enrollment tab once the
administrator configures this method. During MFA, users have to scan their finger or face and click Accept for
successful authentication.
- YubiKey Authenticator: YubiKey is a hardware device that uses codes for
multi-factor authentication. Enrollment is done by either plugging the YubiKey device into the workstation and
pressing its button (in the case of the ADSelfService Plus end-user portal) or tapping it against the mobile
device (in the case of the ADSelfService Plus mobile app). When this is done, the code is automatically updated
in the field provided in ADSelfService Plus. Users have to follow the same steps to verify their identity during
multi-factor authentication.
- RSA SecurID: RSA SecurID is another method that uses passcodes for
multi-factor authentication. For enrollment, users enter the passcode provided by the administrator. Then, to
prove their identity, users enter a one-time passcode generated via:
- A hardware token.
- The RSA SecurID mobile app.
- Tokens received by email or SMS.
- Duo Security: Duo Security is an authentication solution that uses methods
like:
- SMS-based verification codes.
- Phone call-based verification.
- App-based verification codes.
- Push notifications.
Once configured, users have to either enter a code that they receive or accept a notification to authenticate
themselves. For enrollment, users are required to specify which method they will be using for multi-factor
authentication.
- Azure AD MFA: Organizations with Azure AD MFA already enabled can use the
existing configuration and let users authenticate through the pre-enrolled authentication methods in Azure AD.
Supported methods include:
- Microsoft Authenticator app-based push notifications.
- Microsoft Authenticator app-based verification codes.
- Phone-call-based verification.
- SMS-based verification.
- OATH hardware tokens using Yubico, DeepNet Security, and more.
- RADIUS: RADIUS uses passcodes for multi-factor
authentication. Users are automatically enrolled when the administrator configures RADIUS
authentication. For multi-factor authentication, they simply have to enter the RADIUS password provided by the
administrator.
- Google Authenticator: Google Authenticator is an app that uses timed
codes for authentication. To verify user identity, the app generates a timed code that the users will have to
enter to authenticate themselves. Users have to enroll by using the app to scan the QR code displayed under the
Enrollment tab in the ADSelfService Plus end-user portal.
- Microsoft Authenticator: The Microsoft Authenticator app generates a timed code
that the users will have to enter to authenticate themselves. For enrollment, users have to install the
Microsoft Authenticator app and configure it with ADSelfService Plus using the bar code given in the
self-service portal under the Enrollment tab.
- SMS-based verification code: For this method, users have to enter a
one-time code sent to their mobile device to verify their identity. Administrators can either choose the mobile
number from the users' Active Directory profiles, or let the users specify another number while enrolling.
- Email-based verification code: In this method, a one-time code is sent
to the user's email address. Administrators can either choose the email address from the users' Active Directory
profiles or let the users specify another email address while enrolling.
- Time-based one-time password (TOTP): TOTP-based authentication is also performed
using the ADSelfService Plus mobile app. After enrollment, authentication is performed similarly to the methods
mentioned above: Users receive a TOTP every time they have to prove their identity. They have to enter the TOTP
within a specific period of time to authenticate themselves.
- Custom TOTP authenticator: Custom TOTP apps used by organizations can also be
extended as an authentication method for ADSelfService Plus' multi-factor authentication feature. The enrollment
process will depend on the app's capabilities. To authenticate, users will have to enter the TOTP displayed on
the app in the field provided in the product portal within the specified time.
- Zoho OneAuth TOTP: Zoho OneAuth is an app that offers multi-factor
authentication and single sign-on for enterprise accounts. The app's TOTP feature can be leveraged by
ADSelfService Plus and used as an authentication method. To enroll, users need to scan a QR code displayed in
the product portal using the Zoho OneAuth app. Once enrolled, they can authenticate by entering the TOTP
displayed on the app in the field provided in the portal within the specified time.
- Push notifications: Push notifications are received through the
ADSelfService Plus mobile app installed on the users' mobile devices. Enrollment can only be done through the
mobile app. The steps are mentioned under the Enrollment tab after the administrator enables push notifications.
Once enrolled, users receive a notification that they need to accept in order to prove their identity.
- QR code-based authentication: When this method is enabled, users have to scan the QR
code displayed in the ADSelfService Plus end-user portal using the ADSelfService Plus mobile app and select
Accept to prove their identity. Users can enroll using the app by following the steps displayed under the
Enrollment tab.
- SAML authentication: Organizations that already use SAML-based identity provider (IdP)
applications such as Okta or OneLogin can use SAML authentication as a method to verify users' identities. When
SAML authentication is enabled, users are redirected to their IdP login URL for authentication only when they
perform self-service password reset or account unlock in ADSelfService Plus. Enrollment is not required for this
method.
- Smart Card Authentication: This method is applicable only for multi-factor
authentication during product portal logins and enterprise application logins. A user is authenticated after
ADSelfService Plus compares the certificate file on the user's machine with the one in AD. Enrollment
automatically occurs when the user authenticates for the first time.
- Security questions and answers: This method consists of a predefined set
of personal questions such as "What is your favorite color?" These questions can be configured by
administrators or users. Users can enroll by either defining custom questions and answers or providing answers
to administrator-defined questions. They have to provide the correct answer to these questions during identity
verification.
- AD-based security questions: In this method, the administrator sets up
AD-based questions that are linked to existing or custom AD attributes such as Social Security numbers. To prove
their identity, users have to enter an answer that is then compared with the attribute value in AD for their
user account. If they match, the user is authenticated. This method does not require user enrollment.
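The Google Authenticator, Microsoft Authenticator, TOTP, custom TOTP and Zoho OneAuth methods above all rest on the same scheme: the enrollment QR code carries a shared secret, the app derives a code from that secret and the current time step, and the server accepts the code only within the specified period. The following is an added example (not ADSelfService Plus code) implementing RFC 6238 TOTP, a small clock-drift window and replay rejection; the secret is the RFC 6238 test secret, and the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per time step: the "specified period" the code is valid for
DIGITS = 6
# Base32 of the ASCII secret "12345678901234567890" used in the RFC 6238 test vectors
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=STEP):
    """Code the authenticator app displays for the time step containing `at` (Unix seconds)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32, code, at, last_counter=None, window=1, step=STEP):
    """Server-side check. Accepts the current step plus `window` steps on either side
    to tolerate clock drift, and refuses any counter already accepted (last_counter)
    so a captured code cannot be replayed inside its validity period.
    Returns the accepted counter (to be stored as last_counter) or None."""
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


def provisioning_uri(secret_b32, account, issuer, step=STEP, digits=DIGITS):
    """otpauth:// URI of the kind an enrollment QR code encodes (Key Uri Format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&period={step}&digits={digits}")
```

Storing the returned counter per user and passing it back as `last_counter` is what turns a correct code into a one-time code.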
Benefits of using ADSelfService Plus for multi-factor authentication
- Comprehensive enterprise security: Multiple remote and local points of access into the
enterprise network can be secured from credential-based
attacks.
- Granular feature configuration: Specific authentication methods can be enabled for users
belonging to particular OUs, groups, and domains. Certain enterprise endpoints
can also be protected with multi-factor authentication depending on these user criteria.
- Regulatory compliance: Multi-factor authentication helps comply with regulations such as the GDPR, the PCI DSS,
HIPAA, and the NIST Cybersecurity Framework.
- Passwordless authentication: Enterprises can forgo
Active Directory domain passwords and use only multi-factor authentication to verify user identities.