<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
How it works<\/strong><\/h2>\n\n\n\nProtectimus Dynamic Strong Password Authentication (DSPA) operates via direct Active Directory integration and replaces static passwords with dynamic one-time passwords (OTP) generated using the TOTP algorithm<\/a>. These passwords change automatically according to the policy configured by the administrator and are delivered to users through the Protectimus SMART authenticator app or Protectimus BOT in supported messengers.<\/p>\n\n\n\nAs a result of this integration, users authenticate using the current one-time password generated by Protectimus SMART or delivered through Protectimus BOT. Since access to the authenticator app or messenger is protected by a PIN code, password, or biometric verification, the authentication process combines possession of the user’s device with an additional authentication factor.<\/p>\n\n\n\n![\"How](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2025\/09\/Group-33342601-1024x1024.png\")
<\/a><\/figure>\n\n\n\nThe company\u2019s Active Directory server administrator can set the time-step, in which the OTP is changed, to 30 seconds or more (for example, for 600 seconds). Besides, DSPA policies can be applied selectively to specific groups of users, allowing administrators to enforce OTP-based authentication only for selected accounts or services.<\/p>\n\n\n\n
| Read also:<\/span> Two-factor authentication for Windows 7, 8, 10<\/a><\/p>\n\n\n\n<\/p>\n\n\n\n
Advantages of this approach to AD 2-factor authentication<\/strong><\/h2>\n\n\n\n1. Advanced Active Directory security<\/h3>\n\n\n\n
Every regular 2-factor verification arrangement adds the second layer to the endpoints only. As a result, the hackers have a window to bypass 2FA and call the user directory up straightforward. Active Directory domain is easily called up through the Windows command prompt, so the hacker simply needs a user\u2019s credentials (login and password) to act maliciously under their name and no Active Directory 2-factor authentication will be there to stop him.<\/p>\n\n\n\n
Protectimus DSPA enables complete directory-level protection and ensures that no one can access Active Directory without a valid dynamic one-time password obtained through Protectimus SMART or Protectimus BOT.<\/p>\n\n\n\n
2. Ease of use and maintenance for AD administrators<\/h3>\n\n\n\n
Another issue that our solution for Active Directory two-factor authentication easily fixes is the need for multiple 2FA solutions for various accounts, services, and platforms. Traditionally the administrators have to implement different MFA solutions for different services that are in use by their company, then install this additional software on every user\u2019s device. Needless to say, all this software has to be maintained and regularly updated. Protectimus DSPA is a brilliant solution for this issue, integrating it with AD extends OTP-based authentication to every service and platform connected to Active Directory.<\/p>\n\n\n\n
| Read also:<\/span> 2FA Security Flaws You Should Know About<\/a><\/p>\n\n\n\n<\/p>\n\n\n\n
What authentication methods are available<\/strong><\/h2>\n\n\n\nAs mentioned above, administrators can configure the OTP validity period according to their security requirements. Currently, Protectimus DSPA supports two authentication methods: the Protectimus SMART authenticator app and Protectimus BOT for messengers. Both methods deliver dynamic one-time passwords that can be used for Active Directory authentication.<\/p>\n\n\n\n
Access to Protectimus SMART and supported messenger applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor, providing multi-factor authentication without requiring users to remember or manage static passwords.<\/p>\n\n\n\n
1. 2FA app<\/h3>\n\n\n\n
Our free 2FA application<\/a> Protectimus Smart OTP is available for both Android and iOS and can be used not only for 2-factor authentication Active Directory but for other sites and services protection too. The app allows for setting the OTP change schedule to multiple units of 30 seconds, so you can set it to 30, 60, 90, etc. which makes it the best option for OTP delivery for MFA Active Directory.<\/p>\n\n\n\n2. Protectimus BOT<\/h3>\n\n\n\n
Protectimus BOT delivers one-time passwords through supported messenger platforms, including Telegram, Viber, and Facebook Messenger. Users receive dynamic OTPs directly in their preferred messenger and use them for Active Directory authentication.<\/p>\n\n\n\n
Access to messenger applications can be protected by a device password, PIN code, or biometric verification, providing an additional authentication factor beyond possession of the device itself. This allows organizations to implement multi-factor authentication without requiring dedicated authentication applications.<\/p>\n\n\n\n
Protectimus BOT is particularly convenient for organizations that want to simplify user enrollment and avoid deploying additional software while still maintaining a high level of security.<\/p>\n\n\n\n
<\/p>\n\n\n\n
How to set it up<\/strong><\/h2>\n\n\n\nConfiguring Protectimus DSPA for Active Directory protection is straightforward and requires only a few steps:<\/p>\n\n\n\n
1. Install the Protectimus Platform with the DSPA Component<\/h3>\n\n\n\n
Install the Protectimus On-Premise Platform using the Windows installer or Docker image. The Protectimus DSPA component is installed automatically.<\/p>\n\n\n\n
2. Add a Resource<\/h3>\n\n\n\n
In the Resources tab, click Add Resource and create a new resource. Specify a resource name and save the configuration.<\/p>\n\n\n\n
3. Set Up a User Provider and Synchronize Users<\/h3>\n\n\n\n
Open the DSPA tab and create a new LDAP User Provider. Configure the connection to your Active Directory or LDAP directory, specify the synchronization attributes, and import users into the Protectimus Platform.<\/p>\n\n\n\n
4. Activate the Protectimus DSPA Component<\/h3>\n\n\n\n
Open the DSPA instance you created and enable it by setting the Enabled parameter to Active.<\/p>\n\n\n\n
5. Activate the Users\u2019 Self-Service Portal<\/h3>\n\n\n\n
To use DSPA, users must have a Protectimus SMART token assigned and activated. Open the resource configuration, navigate to the Self-Service tab, enable the Self-Service Portal, and configure its URL.<\/p>\n\n\n\n
Provide the Self-Service Portal link to your users so they can activate their Protectimus SMART tokens. Once activated, users will be able to authenticate with the current one-time password generated by the app.<\/p>\n\n\n\n
Alternatively, administrators can assign and activate Protectimus SMART tokens manually.<\/p>\n\n\n\n
<\/p>\n\n\n\n![\"How](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2025\/09\/protectimus-dspa-setup-1024x320.png\")
<\/a><\/figure>\n\n\n\n| Read also:<\/span> Hardware Tokens for Azure MFA<\/a><\/p>\n\n\n\n<\/p>\n\n\n\n
FAQ on Active Directory two-factor authentication <\/strong><\/h2>\n\n\n\nHow much does it cost?<\/h3>\n\n\n\n
The price depends on the number of users and the selected deployment model. Contact the Protectimus team to receive a quote based on your environment and user count.<\/p>\n\n\n\n
What authentication methods can be used with DSPA?<\/h3>\n\n\n\n
Protectimus DSPA supports two authentication methods: Protectimus SMART OTP and Protectimus BOT for messengers. Users receive dynamic one-time passwords (OTPs) through the authenticator app or supported messengers and use them to authenticate to Active Directory.<\/p>\n\n\n\n
Why is DSPA considered multi-factor authentication if users enter only an OTP?<\/h3>\n\n\n\n
The OTP can only be obtained from Protectimus SMART or Protectimus BOT. Access to these applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor.<\/p>\n\n\n\n
Which systems can be protected with DSPA?<\/h3>\n\n\n\n
DSPA integrates directly with Active Directory and protects authentication at the directory level. As a result, any service that relies on Active Directory authentication can benefit from DSPA protection, including Windows logon, Remote Desktop Services (RDP), Outlook Web App (OWA), ADFS, LDAP-connected applications, and many other systems.<\/p>\n\n\n\n
What do I need to start testing DSPA?<\/h3>\n\n\n\n
To start testing, install the Protectimus On-Premise Platform and configure the DSPA component. Then connect DSPA to your Active Directory environment, synchronize users, and assign Protectimus SMART or Protectimus BOT tokens to users.<\/p>\n\n\n\n
Does DSPA work only with Active Directory?<\/h3>\n\n\n\n
No. Protectimus DSPA can also be used with other LDAP directories and supported user databases, allowing organizations to implement OTP-based authentication directly at the directory level.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Read more:<\/strong><\/h2>\n\n\n\n\n- Duo Security vs Protectimus<\/a><\/li>\n\n\n\n
- 4 Reasons Two-Factor Authentication Isn\u2019t a Panacea<\/a><\/li>\n\n\n\n
- Time Drift in TOTP Hardware Tokens Explained and Solved<\/a><\/li>\n\n\n\n
- Electronic Visit Verification with Hardware Tokens<\/a><\/li>\n\n\n\n
- 10 Steps to Eliminate Digital Security Risks in Fintech Project<\/a><\/li>\n\n\n\n
- Keycloak Multi-Factor Authentication With Hardware Tokens<\/a><\/li>\n\n\n\n
- Sophos 2FA with Hardware OTP Tokens<\/a><\/li>\n\n\n\n
- 2FA Chatbots vs. SMS Authentication<\/a><\/li>\n\n\n\n
- Office 365 MFA Hardware Token<\/a><\/li>\n\n\n\n
- Man In The Middle Attack Prevention And Detection<\/a><\/li>\n<\/ul>\n<\/span>","protected":false},"excerpt":{"rendered":"
It is hard to manage multiple users and systems, especially when there are not even hundreds, but thousands of them in a network. That\u2019s why businesses and organizations love Microsoft Active Directory. It allows for storing and managing all the information on the organization\u2019s systems, users, their credentials, sites and whatever else you might think […]<\/p>\n","protected":false},"author":6,"featured_media":5812,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[9,15],"tags":[16,1046,1048,12,1050,120,476,194,1052,99,436],"class_list":["post-5787","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-protectimus-products","category-rd","tag-2fa","tag-active-directory-en","tag-azure-mfa-en","tag-mfa","tag-microsoft-en","tag-multifactor-authentication","tag-office-365-en","tag-protectimus-en","tag-protectimus-dspa-en","tag-two-factor-authentication","tag-windows"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t
As a result of this integration, users authenticate using the current one-time password generated by Protectimus SMART or delivered through Protectimus BOT. Since access to the authenticator app or messenger is protected by a PIN code, password, or biometric verification, the authentication process combines possession of the user’s device with an additional authentication factor.<\/p>\n\n\n\n The company\u2019s Active Directory server administrator can set the time-step, in which the OTP is changed, to 30 seconds or more (for example, for 600 seconds). Besides, DSPA policies can be applied selectively to specific groups of users, allowing administrators to enforce OTP-based authentication only for selected accounts or services.<\/p>\n\n\n\n | Read also:<\/span> Two-factor authentication for Windows 7, 8, 10<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n Every regular 2-factor verification arrangement adds the second layer to the endpoints only. As a result, the hackers have a window to bypass 2FA and call the user directory up straightforward. Active Directory domain is easily called up through the Windows command prompt, so the hacker simply needs a user\u2019s credentials (login and password) to act maliciously under their name and no Active Directory 2-factor authentication will be there to stop him.<\/p>\n\n\n\n Protectimus DSPA enables complete directory-level protection and ensures that no one can access Active Directory without a valid dynamic one-time password obtained through Protectimus SMART or Protectimus BOT.<\/p>\n\n\n\n Another issue that our solution for Active Directory two-factor authentication easily fixes is the need for multiple 2FA solutions for various accounts, services, and platforms. Traditionally the administrators have to implement different MFA solutions for different services that are in use by their company, then install this additional software on every user\u2019s device. Needless to say, all this software has to be maintained and regularly updated. Protectimus DSPA is a brilliant solution for this issue, integrating it with AD extends OTP-based authentication to every service and platform connected to Active Directory.<\/p>\n\n\n\n | Read also:<\/span> 2FA Security Flaws You Should Know About<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n As mentioned above, administrators can configure the OTP validity period according to their security requirements. Currently, Protectimus DSPA supports two authentication methods: the Protectimus SMART authenticator app and Protectimus BOT for messengers. Both methods deliver dynamic one-time passwords that can be used for Active Directory authentication.<\/p>\n\n\n\n Access to Protectimus SMART and supported messenger applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor, providing multi-factor authentication without requiring users to remember or manage static passwords.<\/p>\n\n\n\n Our free 2FA application<\/a> Protectimus Smart OTP is available for both Android and iOS and can be used not only for 2-factor authentication Active Directory but for other sites and services protection too. The app allows for setting the OTP change schedule to multiple units of 30 seconds, so you can set it to 30, 60, 90, etc. which makes it the best option for OTP delivery for MFA Active Directory.<\/p>\n\n\n\n Protectimus BOT delivers one-time passwords through supported messenger platforms, including Telegram, Viber, and Facebook Messenger. Users receive dynamic OTPs directly in their preferred messenger and use them for Active Directory authentication.<\/p>\n\n\n\n Access to messenger applications can be protected by a device password, PIN code, or biometric verification, providing an additional authentication factor beyond possession of the device itself. This allows organizations to implement multi-factor authentication without requiring dedicated authentication applications.<\/p>\n\n\n\n Protectimus BOT is particularly convenient for organizations that want to simplify user enrollment and avoid deploying additional software while still maintaining a high level of security.<\/p>\n\n\n\n <\/p>\n\n\n\n Configuring Protectimus DSPA for Active Directory protection is straightforward and requires only a few steps:<\/p>\n\n\n\n Install the Protectimus On-Premise Platform using the Windows installer or Docker image. The Protectimus DSPA component is installed automatically.<\/p>\n\n\n\n In the Resources tab, click Add Resource and create a new resource. Specify a resource name and save the configuration.<\/p>\n\n\n\n Open the DSPA tab and create a new LDAP User Provider. Configure the connection to your Active Directory or LDAP directory, specify the synchronization attributes, and import users into the Protectimus Platform.<\/p>\n\n\n\n Open the DSPA instance you created and enable it by setting the Enabled parameter to Active.<\/p>\n\n\n\n To use DSPA, users must have a Protectimus SMART token assigned and activated. Open the resource configuration, navigate to the Self-Service tab, enable the Self-Service Portal, and configure its URL.<\/p>\n\n\n\n Provide the Self-Service Portal link to your users so they can activate their Protectimus SMART tokens. Once activated, users will be able to authenticate with the current one-time password generated by the app.<\/p>\n\n\n\n Alternatively, administrators can assign and activate Protectimus SMART tokens manually.<\/p>\n\n\n\n <\/p>\n\n\n\n | Read also:<\/span> Hardware Tokens for Azure MFA<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n The price depends on the number of users and the selected deployment model. Contact the Protectimus team to receive a quote based on your environment and user count.<\/p>\n\n\n\n Protectimus DSPA supports two authentication methods: Protectimus SMART OTP and Protectimus BOT for messengers. Users receive dynamic one-time passwords (OTPs) through the authenticator app or supported messengers and use them to authenticate to Active Directory.<\/p>\n\n\n\n The OTP can only be obtained from Protectimus SMART or Protectimus BOT. Access to these applications is protected by a PIN code, password, or biometric verification configured on the user’s device. As a result, authentication combines possession of the device with an additional authentication factor.<\/p>\n\n\n\n DSPA integrates directly with Active Directory and protects authentication at the directory level. As a result, any service that relies on Active Directory authentication can benefit from DSPA protection, including Windows logon, Remote Desktop Services (RDP), Outlook Web App (OWA), ADFS, LDAP-connected applications, and many other systems.<\/p>\n\n\n\n To start testing, install the Protectimus On-Premise Platform and configure the DSPA component. Then connect DSPA to your Active Directory environment, synchronize users, and assign Protectimus SMART or Protectimus BOT tokens to users.<\/p>\n\n\n\n No. Protectimus DSPA can also be used with other LDAP directories and supported user databases, allowing organizations to implement OTP-based authentication directly at the directory level.<\/p>\n\n\n\n <\/p>\n\n\n\n It is hard to manage multiple users and systems, especially when there are not even hundreds, but thousands of them in a network. That\u2019s why businesses and organizations love Microsoft Active Directory. It allows for storing and managing all the information on the organization\u2019s systems, users, their credentials, sites and whatever else you might think […]<\/p>\n","protected":false},"author":6,"featured_media":5812,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[9,15],"tags":[16,1046,1048,12,1050,120,476,194,1052,99,436],"class_list":["post-5787","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-protectimus-products","category-rd","tag-2fa","tag-active-directory-en","tag-azure-mfa-en","tag-mfa","tag-microsoft-en","tag-multifactor-authentication","tag-office-365-en","tag-protectimus-en","tag-protectimus-dspa-en","tag-two-factor-authentication","tag-windows"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t<\/a><\/figure>\n\n\n\nAdvantages of this approach to AD 2-factor authentication<\/strong><\/h2>\n\n\n\n
1. Advanced Active Directory security<\/h3>\n\n\n\n
2. Ease of use and maintenance for AD administrators<\/h3>\n\n\n\n
What authentication methods are available<\/strong><\/h2>\n\n\n\n
1. 2FA app<\/h3>\n\n\n\n
2. Protectimus BOT<\/h3>\n\n\n\n
How to set it up<\/strong><\/h2>\n\n\n\n
1. Install the Protectimus Platform with the DSPA Component<\/h3>\n\n\n\n
2. Add a Resource<\/h3>\n\n\n\n
3. Set Up a User Provider and Synchronize Users<\/h3>\n\n\n\n
4. Activate the Protectimus DSPA Component<\/h3>\n\n\n\n
5. Activate the Users\u2019 Self-Service Portal<\/h3>\n\n\n\n
<\/a><\/figure>\n\n\n\nFAQ on Active Directory two-factor authentication <\/strong><\/h2>\n\n\n\n
How much does it cost?<\/h3>\n\n\n\n
What authentication methods can be used with DSPA?<\/h3>\n\n\n\n
Why is DSPA considered multi-factor authentication if users enter only an OTP?<\/h3>\n\n\n\n
Which systems can be protected with DSPA?<\/h3>\n\n\n\n
What do I need to start testing DSPA?<\/h3>\n\n\n\n
Does DSPA work only with Active Directory?<\/h3>\n\n\n\n
Read more:<\/strong><\/h2>\n\n\n\n
\n