Identity verification
Admins can use the MFA methods offered by ADSelfService Plus to protect resources in your organization. To access these resources, you must first enroll in ADSelfService Plus for the MFA methods configured by your administrator. Learn how.
Once enrolled, you can access your resources using those MFA methods. Your identity is verified using the information you provided during the enrollment process.
Here is a list of authentication techniques available in ADSelfService Plus:
- Security Questions and Answers: You must provide valid answers to security questions to verify your identity. Click here for the detailed identity verification steps.
- Verification code: You must enter a code sent via SMS (SMS verification) or email (Email verification) to verify your identity. Click here for the detailed steps.
- Google Authenticator: You will need to verify your identity using a TOTP code generated by the Google Authenticator app. Click here for the detailed steps.
- Microsoft Authenticator: You will need to verify your identity using a TOTP code generated by the Microsoft Authenticator app. Click here for the detailed identity verification steps.
- Azure AD MFA: In this method of authentication, you will be required to authenticate your identity using any of the following Azure AD MFA methods configured by your organization:
  - Verification code via Microsoft Authenticator, hardware token, or SMS.
  - Push notification via Microsoft Authenticator.
  - Authentication phone call.
  Click here for the detailed identity verification steps.
- Duo Security: You must use a Duo Security push notification, call, or code to verify your identity. Click here for the detailed steps.
- RSA SecurID: You must use an RSA SecurID token or passcode to verify your identity. Click here for the complete configuration steps.
- RADIUS Authentication: If this method of authentication is enforced, you will be required to authenticate your identity using your RADIUS password and secondary authentication, if configured by your administrator, before you can perform the requested action. Click here for the detailed steps.
- Authentication using the ADSelfService Plus app: You must use a push notification (Push Notification Authentication), a fingerprint or face scan (Biometric Authentication), a QR code (QR Code Authentication), or a time-based one-time passcode (TOTP Authentication) generated by the ADSelfService Plus mobile app to verify your identity. Click here for the detailed identity verification steps.
- SAML Authentication: You will be automatically redirected to your identity provider to verify your identity. Once you verify your identity successfully, you will be logged in.
- Active Directory Security Questions: You must enter a valid answer to an Active Directory security question to verify your identity. Set by your administrator, the Active Directory security questions will be from your AD profile information, such as the mobile number or email address registered in AD. Sometimes, it might also include a secret answer provided by your administrator.
- Yubikey Authentication: You must enter a valid one-time passcode (OTP) generated by the Yubikey. Click here for the detailed steps.
- Zoho OneAuth TOTP: You must enter the TOTP generated by the Zoho OneAuth app to verify your identity. Click here for the detailed steps.
- SmartCard Authentication: Your admin might add your smart card certificate(s) to your machine's certificate store, or you will have to place the smart card issued to you by your organization against the card reader. If prompted, you will need to enter the smart card PIN. This PIN and the information on the card will be compared with your enrollment information, and your identity will be verified if they match.
- Custom TOTP Authentication: You must enter the code generated by your custom hardware or software TOTP authenticator to verify your identity.
- FIDO Passkeys: You must use either the built-in (platform) authenticator on the device you are using to access the self-service portal, such as Windows Hello, Android Biometrics, or Apple Touch ID/Face ID, or a portable (roaming) authenticator, such as a YubiKey, a Google Titan key, or a platform authenticator on a smartphone (other than the smartphone you might be currently using to access the portal), to verify your identity. Click here for the detailed steps.
Note: Your admin might choose to enforce any or all of the authentication techniques available in ADSelfService Plus. Based on the enforced multi-factor authentication techniques, you'll need to provide certain information. For example, if your admin has enforced security questions and answers as the method of authenticating your identity, you'll need to provide appropriate answers to the displayed questions.
How to verify your identity with ADSelfService Plus
Security questions and answers
- A set of security questions defined by you or your administrator during enrollment will be displayed on the verification page.
- Provide the appropriate answers and click Continue to verify your identity.
Verification codes
a. Get a verification code on your mobile (SMS verification)
- On the SMS verification page, select the number to which you want the OTP code to be sent.
- An OTP will be sent to the number you select.
- Enter the code in the textbox displayed by ADSelfService Plus and click Continue to verify your identity.
b. Get a verification code sent to your email address (Email verification)
- On the Email verification page, select the email address to which you want the code to be sent.
- An OTP will be sent to the email address you select.
- Enter the code in the textbox displayed by ADSelfService Plus and click Continue to verify your identity.
Google Authenticator
- Open your Google Authenticator app. It will display a six-digit TOTP generated for your account.
- Enter the TOTP in the Enter the code field displayed by ADSelfService Plus and click Continue to verify your identity.
Microsoft Authenticator
- Open your Microsoft Authenticator app. It will display a six-digit TOTP generated for your account.
- Enter the TOTP in the Enter the code field displayed by ADSelfService Plus and click Next to verify your identity.
Azure AD MFA
- On the Azure AD MFA verification page, click Continue to proceed with verifying your identity.
- Depending on the enrolled authentication method, you may:
  - Receive the verification code via Microsoft Authenticator, hardware token, or SMS.
  - Receive a push notification via Microsoft Authenticator or an authentication phone call.
- Identity verification:
  - If you've enrolled in push notifications or a phone call, you'll be notified via your mobile device. Complete the verification by accepting the push notification or by following the instructions given in the call.
  - If you've enrolled in a verification code-based method, enter the code in the field that appears.
- Click Continue to verify your identity.
Duo Security
- On the Duo Security verification page, choose your preferred authentication method to proceed with verifying your identity.
- Depending on how Duo is configured in your organization, you will either be shown a field to enter the code or TOTP, or be directed to Duo's site to enter the code or TOTP.
- Enter the code and click Next to verify your identity.
Managing enrolled devices
To add or remove Duo-registered devices, click the icon.
You will be asked to verify your identity before making changes. The Duo Device Management portal will open in a new tab after you confirm by clicking Yes in the alert pop-up that appears. If you are using WebV2, the portal will appear as a pop-up window within the ADSelfService Plus portal.
RSA SecurID
- On the RSA verification page, enter the passcode provided to you by your administrator.
- Depending on the configuration in your organization, you will either be verified or required to enter a security code for further authentication. This security code can be generated by your RSA SecurID mobile app or hardware token, or received by email or SMS.
- Enter the code in the Enter the code field displayed by ADSelfService Plus.
- If a SecurID PIN is displayed or generated during authentication, please memorize or securely record it since it will not be displayed again. This PIN will be required during subsequent authentication processes.
- Click Next to verify your identity.
RADIUS authentication
- Enter the RADIUS password in the text field displayed in ADSelfService Plus.
Note: Please contact your administrator for the RADIUS password linked to your account.
- If your RADIUS admin has configured challenge-based authentication, you will also need to enter a one-time passcode generated by a hardware token or the RSA SecurID mobile app, or a token received by email or SMS, to complete RADIUS authentication.
- Click Continue to verify your identity.
Authentication using the ADSelfService Plus app
Push alert authentication
- You will be sent a push notification with a request ID, asking you to accept the login notification to confirm your identity.
- Tap the Accept button on the notification to confirm your identity.
Biometric Authentication
- Open the ADSelfService Plus mobile app.
- Follow the steps displayed on the ADSelfService Plus webpage.
- You will be logged in once your identity is verified.
QR code authentication
- Open the ADSelfService Plus mobile app.
- Follow the steps given on the webpage.
- Click Next.
TOTP authentication
- Log in to the ADSelfService Plus mobile app and click Enrollment > TOTP Authenticator.
- Follow the steps given on the webpage.
- You will be logged in once your identity is verified.
Yubikey Authenticator
- Log in to the ADSelfService Plus user portal on your workstation or open the ADSelfService Plus mobile app on your phone and go to Enrollment > Yubikey Authenticator.
- Plug the Yubikey device into your workstation or mobile device (you can also connect using NFC or BLE).
- If using a workstation, place the cursor in the field below and press or hold the button on the plugged-in Yubikey device, depending on the slot configured.
- The code is automatically updated.
- Click Next to verify your identity.
Zoho OneAuth TOTP
- In the ADSelfService Plus user portal, select the Zoho OneAuth TOTP authentication method.
- Enter the code generated by the Zoho OneAuth app in the ADSelfService Plus user portal.
FIDO Passkeys
- On the MFA verification page, select FIDO Passkeys as your authentication method.
- You will be asked which type of FIDO passkey you wish to use for MFA. Choose your preferred authentication method depending on the type of device issued to you by your organization.
  - If you want to enroll the machine, device, or smartphone from which you are attempting enrollment, select Device's Built-in Authenticator. The machine's or smartphone's built-in authenticator will prompt you for identity verification.
  - If you select Security Key, you must use the authenticator on the device you have configured as a security key (either hardware authenticators like YubiKeys or Google Titan keys, or the built-in authenticator on a smartphone) to verify your identity.
Note: Authenticators on smartphones like Apple Face ID or Android biometrics can be enrolled as either a Device's Built-in Authenticator or as a Security Key via cross-device authentication (CDA). Learn how
However, you cannot enroll the same smartphone as both a built-in authenticator and a Security Key. You can register each device as only one type of authenticator.
If you attempt to access the ADSelfService Plus end-user portal on a smartphone that has already been registered to you as a Security Key (roaming authenticator), you need to select 'Security Key' as the passkey type to authenticate and confirm your identity on the same smartphone. You cannot choose 'Device Built-in Authenticator' even though you are both accessing and authenticating to the portal on the same device.
- You will be logged in upon successful identity verification.