Multi-Factor Authentication (MFA)

Note: MFA for Endpoints, VPN, and SSO require the Professional Edition of ADSelfService Plus with Endpoint MFA.

ADSelfService Plus' MFA augments the traditional username and password-based authentication with an additional layer of authentication (e.g. biometrics, TOTP codes, or FIDO passkeys) to verify a user's identity. MFA provides a high level of identity assurance for access requests. Click here to explore the benefits of implementing ADSelfService Plus' adaptive MFA features.

You can enable MFA in ADSelfService Plus for the following events:

To enable MFA for these events, follow these steps:

Refer to the Authenticators page for the list of supported authentication methods, and how to configure them.

Combined with Conditional Access, MFA for Endpoints can be enabled only for high-risk users, thus ensuring security without affecting user experience. Click here to learn more about Conditional Access.

Note: Conditional Access can be enabled only for portal logins, self-service password actions, and MFA during Windows, macOS, and Linux logins. It will not take effect for VPN MFA.

How to enable the required authentication methods for a specific set of users

  1. Go to Configuration > Self-Service > Policy Configuration, choose a policy of your choice, and click the Edit icon. You can also create a new policy by clicking the Add New Policy button.
  2. Available-Policies

  3. Click Select OUs/Groups at the bottom right of the webpage, and select the specific set of users to whom you wish to enable multi-factor authentication. Click OK.
  4. Tip:Select the Don't inherit child OU(s) option to only select the parent OUs.

    Select-OU-GROUP

  5. Select the password self-service features (Reset Password, Unlock Account, Self Update, or Change Password) that you wish to enable for the selected users. Click Save Policy.
  6. Save-Policies

  7. Go to Configuration → Self-Service → Multi-Factor Authentication → Authenticator Setup and select a policy from the Choose the Policy drop-down.
  8. Configure the authentication methods that you want to enable for the selected policy.
  9. Authenticator-Setup

  10. Click Save.
  11. Tip: You can choose to configure different authentication methods for different sets of policies. For instance, if Policy 1 can enforce YubiKey OTP, Policy 2 can enforce SAML Authentication, and so on.

How to force users to enroll for specific authentication methods

Users must enroll themselves by providing the necessary information, as per the enabled authentication methods, to be able to prove their identity. For example, if you have enabled Biometric Authentication, users must scan their fingerprint or face using the ADSelfService Plus mobile app, only after which, they will be able to use that method during password reset or endpoint logins.

To force users to enroll for specific authentication methods:

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA Enrollment.
  2. Select Force users to enroll when they log in to the end-user portal option. This will prevent users from accessing other features in the self-service portal before entering their enrollment information.
  3. Select Enforce these authenticators during enrollment and choose the authenticators to be set as mandatory.

  4. MFA/TFA SETTINGS

  5. You can also choose to hide the Enrollment tab in the end-user portal for enrolled users
  6. Click Save Settings.

Authenticators and functions supported by the various MFA types

This table provides detailed information on each MFA type, including the supported authenticators and the settings and options available to improve the functionality and security of the authentication process.

MFA type Authentication methods supported Passwordless login Backup recovery codes CAPTCHA
MFA for self-service actions All the authenticators supported by ADSelfService Plus except for smart card authentication Not applicable Supported Supported
Self-service actions from the GUI machine login screen for Windows, macOS and Linux machines All the authenticators supported by ADSelfService Plus except for SmartCard authentication and FIDO Passkeys. Not applicable Supported Supported
MFA for Windows, macOS, and Linux machine logins All the authenticators supported by ADSelfService Plus except for smart card authentication and FIDO Passkeys Not supported Supported Supported
Offline MFA for Windows and macOS logins
  1. Google Authenticator
  2. Microsoft Authenticator
  3. Custom TOTP Authenticator
  4. Zoho OneAuth TOTP Authenticator
Not applicable Not supported Not supported
MFA for OWA and Exchange admin center All the authenticators supported by ADSelfService Plus except for smart card authentication Not applicable Supported Supported
MFA for RADIUS-based VPNs, RDP, and other endpoints
  1. One-way authenticators
    • Push notification
    • Biometric Authentication
  2. Challenge-based authenticators
    • ADSelfService Plus (TOTP) Authentication
    • Google Authenticator
    • Microsoft Authenticator
    • Yubico OTP (hardware key authentication)
    • Zoho OneAuth TOTP
    • Custom TOTP Authenticator
    • SMS-based and email-based verification code
Not applicable Supported*
(Backup codes can be used only for challenge-based authenticators)
Not applicable
MFA for cloud applications All the authenticators supported by ADSelfService Plus Supported Supported Supported
MFA for ADSelfService Plus logins All the authenticators supported by ADSelfService Plus Supported Supported Supported
MFA type Can an idle time limit be set? Can the browser or machine be trusted not to require MFA for a certain period? Restrict user logins and self-service actions for unenrolled users:
MFA for self-service actions Yes No Deny access to self-service actions when users are unenrolled. Partially-enrolled users can be forced to enroll for the remaining authenticators and proceed with self-service actions.
MFA for Windows, macOS, and Linux logins Yes Yes Deny or allow machine logins for unenrolled users, or enforce enrollment during login attempt.
MFA for OWA and Exchange admin center Yes Yes Access to OWA and Exchange logins is denied for unenrolled users by default.
MFA for RADIUS-based VPNs, RDP, and other endpoints Yes*
(A session time limit is set to enforce users to complete authentication within the specified time)
No Deny or allow logins for unenrolled users.
MFA for cloud applications Yes Yes Deny or allow cloud application logins for unenrolled users.
MFA for ADSelfService Plus logins Yes Yes Deny or allow ADSelfService Plus logins for unenrolled users.

Authenticators supported by the ADSelfService Plus mobile app and mobile browser portal

ADSelfService Plus offers 21 types of authenticators. Of these, eight basic authenticators are available with every edition of ADSelfService Plus. The other 13 are advanced authenticators, available only with the Professional edition of ADSelfService Plus.

This table provides detailed information on the basic and advanced authenticators supported for MFA in the ADSelfService Plus mobile app and mobile browser portal along with provisions for authenticator enrollment in the two consoles.

Authenticator Authenticator type Mobile browser portal Mobile app
Can users enroll in the authenticator in the mobile browser portal? Is the authenticator supported for MFA for ADSelfService Plus logins? Is the authenticator supported for MFA for self-service actions? Can users enroll in the authenticator in the mobile app? Is the authenticator supported for MFA for logins to the ADSelfService Plus Mobile App ? Is the authenticator supported for MFA for self-service actions?
Security Questions and Answers Basic Yes Yes Yes Yes Yes Yes
Email Verification Basic Yes Yes Yes Yes Yes Yes
SMS Verification Basic Yes Yes Yes Yes Yes Yes
Google Authenticator Basic Yes Yes Yes Yes Yes Yes
Microsoft Authenticator Basic Yes Yes Yes Yes Yes Yes
Duo Security Advanced authenticator Yes Yes Yes Yes Yes Yes
Radius Authentication Advanced authenticator No* Yes Yes No* Yes Yes
Push Notification Advanced authenticator No+ No+ No+ Yes No No
QR Code Based Authentication Advanced authenticator No+ No+ No+ Yes No No
Biometric Authentication Advanced authenticator No+ No+ No+ Yes Yes Yes
TOTP Authentication (Using ADSelfService Plus Mobile app) Advanced authenticator No+ No+ No+ Yes No No
AD Security Questions Basic No* Yes Yes No* Yes Yes
Zoho OneAuth TOTP Basic Yes Yes Yes Yes Yes Yes
Custom TOTP authenticator (Hardware Token) Basic Yes Yes Yes Yes Yes Yes
Custom TOTP authenticator (Software Token) Advanced authenticator Yes Yes Yes Yes Yes Yes
Smart Card Authentication Advanced authenticator No* No No No* No No
SAML Authentication Advanced authenticator No* Yes Yes No* Yes Yes
YubiKey Authenticator Advanced authenticator Yes Yes Yes Yes Yes Yes
Azure AD MFA Advanced authenticator No* Yes Yes No* Yes Yes
RSA SecurID Advanced authenticator No* Yes Yes No* Yes Yes
FIDO Passkeys Advanced authenticator Yes Yes Yes Yes No No

* - Users do not have to enroll for these methods because they are automatically enrolled upon logging in the first time.
+ - These authenticators are native to the mobile app and cannot be used in the mobile browser portal.

Thanks!

Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.

 

Need technical assistance?

  • Enter your email ID
  • Talk to experts
  •  
     
  •  
  • By clicking 'Talk to experts' you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?

  •  

    Visit our community

    Post your questions in the forum.

     
  •  

    Request additional resources

    Send us your requirements.

     
  •  

    Need implementation assistance?

    Try onboarding

     

Copyright © 2024, ZOHO Corp. All Rights Reserved.