ManageEngine announced that it is rolling out two-factor authentication (TFA) support for Windows logons in ADSelfService Plus, its integrated Active Directory self-service password management and single sign-on solution.
With this support, ADSelfService Plus enables organizations to add an extra layer of protection for critical resources that are accessed by users through Windows-based machines.
ADSelfService Plus integrates with Windows client (Vista and above) and server (2008 and above) operating systems to provide users a secure logon across both local and remote desktop logons.
Most organizations enforce complex passwords as a common defense against cyberattacks. However, complex passwords are hard to remember, so many employees resort to insecure practices like writing passwords down or storing them in plaintext.
Even if an organization properly implements complex passwords, it may still not be enough to stay ahead of the evolution of password-cracking programs. According to a recent Forrester report, almost one third of security breaches are caused by stolen passwords.
Knowing the risks associated with passwords, IT compliance laws such as PCI DSS have prohibited the use of passwords as the only authentication mechanism.
Mitigating poor password behavior with TFA
TFA ensures that users are authenticated twice — once through a password and again through a fingerprint or an OTP sent to a smartphone — before being granted access to valuable corporate resources.
“With better security mechanisms like TFA available, there’s no reason for organizations to verify users’ identities using passwords alone. TFA creates a two-layered mechanism that is almost impossible for an attacker to bypass,” said Parthiban Paramasivam, product manager at ManageEngine.
“Now that we’ve broken ground on TFA for Windows logons, we’re also working on adding contextual authentication that factors in a user’s geolocation, IP address, local time, and device, all to further enhance IT security.”
Highlights of ADSelfService Plus TFA for Windows logons
ADSelfService Plus comes with a built-in logon agent for Windows, which forces users to undergo TFA during both local and remote desktop logons. Users have to first enter their Active Directory domain password and then authenticate themselves using one of the supported second factors.
- Supports multiple authentication mechanisms: Supports email and SMS-based passcodes, Duo Security, RSA SecurID, and RADIUS as the second factor of authentication.
- Enables granularly-enforced TFA: Enforces TFA for all users across an organization or only for select individuals — such as those who have elevated privileges and are at higher risk of security attacks — through OU and group-based policies.
- Helps organizations comply with PCI DSS and the GDPR: Supports compliance with the latest version of PCI DSS (3.2), which makes TFA mandatory. The European Union Agency for Network and Information Security (ENISA) recommends implementing TFA as a technical measure to comply with the GDPR.