Managing many users and systems is hard, especially when a network contains not hundreds but thousands of them. That is why businesses and organizations rely on Microsoft Active Directory: it stores and manages information about the organization’s systems, users, their credentials, sites and everything else on the network in one place.
But keeping this much critical information in one place also makes Active Directory a prime target for attackers, and simple username and password verification is far from sufficient to protect it. This is why multi-factor authentication is especially crucial for Active Directory security. The Dynamic Strong Password Authentication (DSPA) solution from Protectimus covers this for you and your users: it adds a second layer of security to all systems and services attached to Active Directory in one go.
In this article we describe in detail how our two-factor authentication solution for Active Directory works, why it is the easiest approach to Active Directory MFA, which MFA methods can be used with it and how to get it running. We also answer the most common questions about our solution for Active Directory multi-factor authentication.
How it works
Protectimus Dynamic Strong Password Authentication (DSPA) integrates directly with Active Directory and replaces static passwords with dynamic one-time passwords (OTP) generated with the TOTP algorithm (RFC 6238). These passwords change automatically according to the policy configured by the administrator and are delivered to users through the Protectimus SMART authenticator app or Protectimus BOT in supported messengers.
As a result, users authenticate with the one-time password that is current at that moment, generated by Protectimus SMART or delivered through Protectimus BOT. Since access to the authenticator app or messenger is protected by a PIN code, password, or biometric verification, the authentication combines possession of the user’s device (something you have) with a second factor (something you know or something you are).

The company’s Active Directory administrator can set the time step after which the OTP changes to 30 seconds or more (for example, 600 seconds). A longer time step is more convenient for users, but it also widens the window in which an intercepted one-time password remains valid, so choose it with that trade-off in mind. DSPA policies can also be applied selectively to specific groups of users, allowing administrators to enforce OTP-based authentication only for selected accounts or services.
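To make the rotation concrete, here is an added example (not Protectimus code, and not how DSPA is implemented internally) of the standard RFC 6238 TOTP computation with a configurable time step. It enforces the page’s stated constraint that the step is a multiple of 30 seconds, shows the password staying constant inside one 600-second step and changing at the next one, and verifies a candidate with a one-step drift window using a constant-time comparison. The secret is the constructed RFC 4226/6238 test-vector secret, so the 8-digit outputs can be checked against the RFC; the function names are this example’s own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector secret, not a real token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based OTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step_counter(at: int, step: int, t0: int = 0) -> int:
    """Map a Unix time to the TOTP counter for the given time step.

    The page states the step can be 30 seconds or more and that the SMART app
    only accepts multiples of 30 seconds, so that constraint is enforced here
    (an assumption about the policy, not a protocol requirement)."""
    if step < 30 or step % 30:
        raise ValueError("time step must be a positive multiple of 30 seconds")
    return (at - t0) // step


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, time_step_counter(at, step), digits)


def verify(secret: bytes, candidate: str, at: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Accept the candidate if it matches the current step or one of `window`
    neighbouring steps (tolerates small clock drift between token and server).
    hmac.compare_digest keeps the comparison constant-time so response timing
    does not reveal how many leading digits were correct."""
    current = time_step_counter(at, step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


def password_timeline(secret: bytes, start: int, step: int, count: int = 4):
    """Return (time, otp) pairs showing the password rotating every `step` seconds."""
    return [(start + i * step, totp(secret, start + i * step, step)) for i in range(count)]


if __name__ == "__main__":
    # RFC 6238 vector: SHA-1, 8 digits, time 59 -> counter 1 -> 94287082
    print(totp(DEMO_SECRET, 59, digits=8))
    # With a 600-second policy the "password" is stable for 10 minutes, then rotates
    for t, otp in password_timeline(DEMO_SECRET, 1_234_567_890, 600):
        print(f"t={t} step=600s otp={otp}")
    now = 1_234_567_890
    print(verify(DEMO_SECRET, totp(DEMO_SECRET, now, step=600), now + 500, step=600))
```

The `verify` function is the server-side counterpart: it accepts a code from the previous or next step so a token whose clock has drifted by a few seconds still works, which is exactly the tolerance a longer time step buys at the cost of a longer replay window.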
| Read also: Two-factor authentication for Windows 7, 8, 10
Advantages of this approach to AD 2-factor authentication
1. Advanced Active Directory security
Most conventional two-factor authentication deployments add the second factor only at the endpoints (a login page, a VPN gateway, a workstation logon). This leaves attackers a way around 2FA: they can authenticate to the directory itself. A domain can be reached directly from the Windows command prompt or from any LDAP client, so an attacker who holds a user’s static credentials (login and password) can act under that user’s name, and no endpoint-level Active Directory 2-factor authentication will stop them.
Protectimus DSPA provides protection at the directory level: because the account’s password in Active Directory is the current dynamic one-time password, no one can authenticate to Active Directory without a valid OTP obtained through Protectimus SMART or Protectimus BOT.
2. Ease of use and maintenance for AD administrators
Another issue that our solution for Active Directory two-factor authentication fixes is the need for multiple 2FA solutions for various accounts, services, and platforms. Traditionally, administrators have to implement a different MFA solution for each service the company uses and then install this additional software on every user’s device. Needless to say, all of this software has to be maintained and regularly updated. Protectimus DSPA solves this: integrating it with AD extends OTP-based authentication to every service and platform that authenticates against Active Directory.
| Read also: 2FA Security Flaws You Should Know About
What authentication methods are available
As mentioned above, administrators can configure the OTP validity period according to their security requirements. Currently, Protectimus DSPA supports two authentication methods: the Protectimus SMART authenticator app and Protectimus BOT for messengers. Both methods deliver dynamic one-time passwords that can be used for Active Directory authentication.
Access to Protectimus SMART and supported messenger applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor, providing multi-factor authentication without requiring users to remember or manage static passwords.
1. 2FA app
Our free 2FA application Protectimus Smart OTP is available for both Android and iOS and can be used not only for Active Directory 2-factor authentication but also to protect other sites and services. The app allows the OTP time step to be set to any multiple of 30 seconds (30, 60, 90 and so on), which makes it the best option for OTP delivery in Active Directory MFA.
2. Protectimus BOT
Protectimus BOT delivers one-time passwords through supported messenger platforms, including Telegram, Viber, and Facebook Messenger. Users receive dynamic OTPs directly in their preferred messenger and use them for Active Directory authentication.
Access to messenger applications can be protected by a device password, PIN code, or biometric verification, providing an additional authentication factor beyond possession of the device itself. This allows organizations to implement multi-factor authentication without requiring dedicated authentication applications.
Protectimus BOT is particularly convenient for organizations that want to simplify user enrollment and avoid deploying additional software while still maintaining a high level of security.
How to set it up
Configuring Protectimus DSPA for Active Directory protection is straightforward and requires only a few steps:
1. Install the Protectimus Platform with the DSPA Component
Install the Protectimus On-Premise Platform using the Windows installer or Docker image. The Protectimus DSPA component is installed automatically.
2. Add a Resource
In the Resources tab, click Add Resource and create a new resource. Specify a resource name and save the configuration.
3. Set Up a User Provider and Synchronize Users
Open the DSPA tab and create a new LDAP User Provider. Configure the connection to your Active Directory or LDAP directory, specify the synchronization attributes, and import users into the Protectimus Platform.
4. Activate the Protectimus DSPA Component
Open the DSPA instance you created and enable it by setting the Enabled parameter to Active.
5. Activate the Users’ Self-Service Portal
To use DSPA, users must have a Protectimus SMART token assigned and activated. Open the resource configuration, navigate to the Self-Service tab, enable the Self-Service Portal, and configure its URL.
Provide the Self-Service Portal link to your users so they can activate their Protectimus SMART tokens. Once activated, users will be able to authenticate with the current one-time password generated by the app.
Alternatively, administrators can assign and activate Protectimus SMART tokens manually.

| Read also: Hardware Tokens for Azure MFA
FAQ on Active Directory two-factor authentication
How much does it cost?
The price depends on the number of users and the selected deployment model. Contact the Protectimus team to receive a quote based on your environment and user count.
What authentication methods can be used with DSPA?
Protectimus DSPA supports two authentication methods: Protectimus SMART OTP and Protectimus BOT for messengers. Users receive dynamic one-time passwords (OTPs) through the authenticator app or supported messengers and use them to authenticate to Active Directory.
Why is DSPA considered multi-factor authentication if users enter only an OTP?
The OTP can only be obtained from Protectimus SMART or Protectimus BOT. Access to these applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor.
Which systems can be protected with DSPA?
DSPA integrates directly with Active Directory and protects authentication at the directory level. As a result, any service that relies on Active Directory authentication can benefit from DSPA protection, including Windows logon, Remote Desktop Services (RDP), Outlook Web App (OWA), ADFS, LDAP-connected applications, and many other systems.
What do I need to start testing DSPA?
To start testing, install the Protectimus On-Premise Platform and configure the DSPA component. Then connect DSPA to your Active Directory environment, synchronize users, and assign Protectimus SMART or Protectimus BOT tokens to users.
Does DSPA work only with Active Directory?
No. Protectimus DSPA can also be used with other LDAP directories and supported user databases, allowing organizations to implement OTP-based authentication directly at the directory level.
Read more:
- Duo Security vs Protectimus
- 4 Reasons Two-Factor Authentication Isn’t a Panacea
- Time Drift in TOTP Hardware Tokens Explained and Solved
- Electronic Visit Verification with Hardware Tokens
- 10 Steps to Eliminate Digital Security Risks in Fintech Project
- Keycloak Multi-Factor Authentication With Hardware Tokens
- Sophos 2FA with Hardware OTP Tokens
- 2FA Chatbots vs. SMS Authentication
- Office 365 MFA Hardware Token
- Man In The Middle Attack Prevention And Detection

2020-06-18
Hello, what about when the computer is not connected to the company network?
Like a laptop… when the user get home and need to login, which password he will type then?
Thanks
2020-06-18
Hi Ben,
Speaking of Windows: by default, when there is no connection to the domain controller, Windows allows logging in with the last password that was used for a successful login. The user should anticipate this situation and save the last password they used to log in to their account while they were still online. You can always disable this function, but then the user won’t be able to log in to their account offline.
Also, the user may have an additional account on the same computer that won’t be protected with two-factor authentication, just in case of such offline scenarios.
2021-01-04
How does it work with ActiveSync? The mobile ActiveSync applications check the credentials periodically, and if they have changed it won’t work.
2021-01-13
Hi Mohammad, it still has to be tested but, most probably, Dynamic Strong Password Authentication technology won’t support ActiveSync. The main purpose of the Dynamic Strong Password Authentication (DSPA) component is to let AD administrators protect with 2FA all their users who connect to Active Directory from several different services, without performing dozens of integrations and installing dozens of plugins. ActiveSync is more about convenience for the end user, while DSPA is about security and ease of implementation. There is always a trade-off between convenience and security.
2021-05-06
We are looking to use this solution only for our IT department users. Can it be configured to apply the requirement for MFA only to a specific group in AD or does it have to be all AD users?
2021-05-13
Hi Mark, sure, with Protectimus DSPA you can apply the requirement for MFA only to a specific group in AD.