Active Directory Two-Factor Authentication
It is hard to manage many users and systems, especially when there are not hundreds but thousands of them in a network. That’s why businesses and organizations love Microsoft Active Directory. It allows for storing and managing all the information on the organization’s systems, users, their credentials, sites and whatever else you might think of in a network, in one place.
But you must agree that this much fundamentally important information kept in one place makes Active Directory a tempting target for attackers. And simple username-password verification is far from sufficient to protect it all. This is why multi-factor authentication is especially crucial for Active Directory security. The Dynamic Strong Password Authentication (DSPA) solution from Protectimus has it well covered for you and your users. Adding a second layer of security to all systems and services attached to Active Directory in one go has never been easier.
In this article, we will describe in detail how our two-factor authentication solution for Active Directory works, why ours is the easiest approach to Active Directory MFA, which MFA methods can be used with it and how to get it running. We will also answer the most frequently asked questions about our solution for Active Directory multi-factor authentication.
How it works
Protectimus Dynamic Strong Password Authentication (DSPA) operates via direct Active Directory integration: it simply appends a 6-digit dynamic password to the user’s static password. These 6 digits are a time-sensitive one-time passcode generated with the TOTP algorithm, so this one-time password (OTP) is constantly changing.
As a result of this integration, to get into an account attached to Microsoft AD the user enters a combined password of the form u$erp@ssword123456: the u$erp@ssword part is the static password devised by the user or the admin, or generated by the system itself, and the 123456 part is a dynamic OTP generated by the Protectimus MFA token.
The company’s Active Directory administrator can set the time step in which the OTP changes to 30 seconds or more (for example, 600 seconds), so the DSPA part (the 6-digit OTP) of each user’s password changes on the schedule the admin determines. In addition, groups of users can be included in or excluded from the DSPA requirement, so that two-factor authentication for AD can be required for the most valuable accounts only.
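To make the combined-password mechanism concrete, here is an added example (not Protectimus code, and not a description of how DSPA is implemented internally) of how a verifier can split a submitted password into its static and dynamic parts and validate the dynamic part as an RFC 6238 TOTP with an admin-chosen time step. The helper names, the static password and the replay-guard set are assumptions constructed for this demo; the shared secret and the expected codes used in the check are the published RFC 6238 SHA-1 test vectors.

```python
"""Worked example: verifying a DSPA-style combined password (static part + 6-digit TOTP)."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # the article's dynamic part is a 6-digit TOTP code


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the counter floor(now / step), where step is the admin's time step."""
    if step < 30:
        raise ValueError("time step must be 30 seconds or more")
    return hotp(secret, now // step, digits)


def split_dynamic_password(submitted: str, digits: int = OTP_DIGITS):
    """Split 'u$erp@ssword123456' into ('u$erp@ssword', '123456'); None if the tail is not a code."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def verify_dynamic_password(submitted: str, expected_static: str, secret: bytes, now: int,
                            step: int = 30, window: int = 1, seen=None) -> bool:
    """Accept only if BOTH factors check out.

    window: how many adjacent time steps to tolerate for clock drift (1 = previous and next).
    seen:   optional set of already-accepted counters; reusing a code within the window is refused.
    """
    parts = split_dynamic_password(submitted)
    if parts is None:
        return False
    static, otp = parts
    # Constant-time comparison of the static part. A real directory compares against a stored
    # password hash rather than a plaintext; the plaintext here is a constructed demo value.
    static_ok = hmac.compare_digest(static.encode(), expected_static.encode())
    base = now // step
    matched = None
    # Evaluate every candidate counter (no early break) so timing does not reveal which one matched.
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta), otp):
            matched = base + delta
    if matched is None or not static_ok:
        return False
    if seen is not None:
        if matched in seen:          # replay: this code was already spent
            return False
        seen.add(matched)
    return True


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test-vector secret, used here as a demo value
    code = totp(demo_secret, 59)            # "287082" per the RFC vectors
    print("combined password:", "u$erp@ssword" + code)
    print("accepted:", verify_dynamic_password("u$erp@ssword" + code, "u$erp@ssword", demo_secret, 59))
```

The window parameter is the usual trade-off: a wider window absorbs clock drift between token and server but lengthens the time an intercepted code stays usable, so keep it small and pair it with the replay guard. With a long time step such as 600 seconds the same code is valid for the whole step, which is why the example's replay guard tracks the accepted counter rather than the code string.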
| Read also: Two-factor authentication for Windows 7, 8, 10
Advantages of this approach to AD 2-factor authentication
1. Advanced Active Directory security
Every regular 2-factor verification arrangement adds the second layer to the endpoints only. As a result, attackers have a window to bypass 2FA and query the user directory directly. An Active Directory domain can be reached straightforwardly from the Windows command prompt, so an attacker only needs a user’s credentials (login and password) to act under that user’s name, and no Active Directory 2-factor authentication will be there to stop them.
The two-factor authentication solution for Active Directory from Protectimus enables protection of the complete system and ensures that no one can get into AD without the additional dynamic OTP.
2. Ease of use and maintenance for AD administrators
Another issue that our solution for Active Directory two-factor authentication easily fixes is the need for multiple 2FA solutions for various accounts, services, and platforms. Traditionally, administrators have to implement different MFA solutions for the different services their company uses, then install this additional software on every user’s device. Needless to say, all this software has to be maintained and regularly updated. Protectimus DSPA solves this issue: integrating it with AD adds an Active Directory one-time password to every single service and platform attached to AD.
| Read also: 2FA Security Flaws You Should Know About
What authentication methods are available
As mentioned above, with DSPA the admin can set any time step for the dynamic Active Directory password change: 30, 60 or even 3000 seconds. So the token that generates and delivers the OTP has to accommodate this setting too. Currently, two methods of two-factor authentication with DSPA are available: the 2FA mobile application Protectimus Smart OTP and custom hardware tokens. A third method, chatbots, is currently in the works and will be released soon.
1. 2FA app
Our free 2FA application Protectimus Smart OTP is available for both Android and iOS and can be used not only for 2-factor authentication in Active Directory but for protecting other sites and services too. The app allows setting the OTP change interval to any multiple of 30 seconds (30, 60, 90, etc.), which makes it the best option for OTP delivery for Active Directory MFA.
2. Hardware tokens
Classic hardware tokens for two-factor authentication come with a factory-set time step for the password change, which can be 30 or 60 seconds. Hardware tokens for 2FA in Active Directory with any other time step are available as custom orders only. The price for these custom tokens is a bit higher than for those available to order on the website; chat with us to learn more.
| Read also: The Pros and Cons of Different Two-Factor Authentication Types and Methods
How to set it up
Configuring the Protectimus platform for Windows Active Directory protection is rather easy and straightforward:
- Install the Protectimus on-premise platform and the DSPA component.
  Contact us via support@protectimus.com to request the platform with the DSPA component for download.
Continue reading on Protectimus Blog: https://www.protectimus.com/blog/active-directory-two-factor-authentication/
Originally published at https://www.protectimus.com on December 11, 2019.