ManageEngine, the real-time IT management company, announced that it is rolling out two-factor authentication (TFA) support for Windows logins in ADSelfService Plus, its integrated Active Directory self-service password management and single sign-on solution. With this support, ADSelfService Plus enables organizations to add an extra layer of protection for critical resources that are accessed by users through Windows-based machines. ADSelfService Plus seamlessly integrates with Windows client (Vista and above) and server (2008 and above) operating systems to provide users a simple and secure login experience across both local and remote desktop logins.
Most organizations enforce complex passwords as a common defense against cyber-attacks. However, complex passwords are hard to remember, so many employees resort to insecure practices like writing passwords down or storing them in plaintext. Even if an organization properly implements complex passwords, it may still not be enough to stay ahead of the evolution of password cracking programs. According to a recent Forrester report, almost one-third of security breaches are caused by stolen passwords. Knowing the risks associated with passwords, IT compliance laws such as PCI DSS have explicitly prohibited the use of passwords as the only authentication mechanism.
Mitigating Poor Password Behavior with TFA
TFA ensures that users are authenticated twice — once through a password and again through a fingerprint or an OTP sent to a smartphone — before being granted access to valuable corporate resources.
“With better security mechanisms like TFA available, there’s no reason for organizations to verify users’ identities using passwords alone. TFA creates a two-layered mechanism that is almost impossible for an attacker to bypass,” said Parthiban Paramasivam, product manager at ManageEngine. “Now that we’ve broken ground on TFA for Windows logins, we’re also working on adding contextual authentication that factors in a user’s geolocation, IP address, local time, and device, all to further enhance IT security.”
Highlights of ADSelfService Plus TFA for Windows Logins
ADSelfService Plus comes with a built-in login agent for Windows, which forces users to undergo TFA during both local and remote desktop logins. Users have to first enter their Active Directory domain password and then authenticate themselves using one of the supported second factors.
- Supports multiple authentication mechanisms: Supports email and SMS-based passcodes, Duo Security, RSA SecurID, and RADIUS as the second factor of authentication.
- Enables granularly-enforced TFA: Enforces TFA for all users across an organization or only for select individuals — such as those that have elevated privileges and are at higher risk of security attacks — through OU and group-based policies.
- Helps organizations comply with PCI DSS and the GDPR: Supports compliance with the latest version of PCI DSS (3.2), which makes TFA mandatory. The European Union Agency for Network and Information Security (ENISA) recommends implementing TFA as a technical measure to comply with the GDPR.
Pricing and Availability
Pricing for ADSelfService Plus with TFA for Windows starts at $1,195. A fully functional, 30-day trial version is also available for download at www.manageengine.com/products/self-service-password/download.html.
ADSelfService Plus is free for up to 50 users. The Free edition supports all the features of the Professional edition, including Windows TFA, single sign-on, and password self-service, and can be downloaded at www.manageengine.com/products/self-service-password/download-free.html.