{"id":5787,"date":"2023-08-02T19:35:11","date_gmt":"2023-08-02T16:35:11","guid":{"rendered":"https:\/\/www.protectimus.com\/blog\/?p=5787"},"modified":"2024-11-29T12:13:49","modified_gmt":"2024-11-29T09:13:49","slug":"active-directory-two-factor-authentication","status":"publish","type":"post","link":"https:\/\/www.protectimus.com\/blog\/active-directory-two-factor-authentication\/","title":{"rendered":"Active Directory Two-Factor Authentication"},"content":{"rendered":"\n

It is hard to manage multiple users and systems, especially when there are not even hundreds, but thousands of them in a network. That\u2019s why businesses and organizations love Microsoft Active Directory. It allows for storing and managing all the information on the organization\u2019s systems, users, their credentials, sites and whatever else you might think of in a network, in one place.<\/p>\n\n\n\n

But you must agree that this much of fundamentally important information kept in one place makes Active Directory a tidbit for hackers. And simple password-username verification is far from sufficient to protect it all from attacks. This is why multifactor authentication is especially crucial for Active Directory security. Dynamic Strong Password Authentication (DSPA) solution from Protectimus has it well-cowered for you and your users. Adding the second layer of security to all systems and services attached to Active Directory in one go has never been easier.<\/p>\n\n\n\n

In this article, we will describe in detail how our two-factor authentication solution for Active Directory<\/a> works, why ours is the easiest approach to Active Directory MFA, which methods of MFA can be used with it and how to get it running. We will also provide answers to the most asked questions on our solution for the Active Directory multi-factor authentication.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Download component for Active Directory 2FA<\/a><\/div>\n\n\n\n

<\/p>\n\n\n\n

How it works<\/strong><\/h2>\n\n\n\n

Protectimus Dynamic Strong Password Authentication (DSPA) operates via direct Active Directory integration, it simply adds a 6-digit dynamic password to the static user password. These 6 symbols are essentially a one-time time-sensitive pass code that is generated with the TOTP algorithm<\/a>. This one-time password (OTP) is constantly changing.<\/p>\n\n\n\n

As a result of the ingenious integration, to get into a Microsoft AD attached account the user needs to enter a combined pass of this configuration \u2014 u$erp@ssword123456, the u$erp@ssword part here is the never-changing password devised by the user, admin, or generated by the system itself and the 123456 part is a dynamic OTP generated by Protectimus MFA token.<\/p>\n\n\n\n

\"Protectimus<\/figure>\n\n\n\n

The company\u2019s Active Directory server administrator can set the time-step, in which the OTP is changed, to 30 seconds or more (for example, for 600 seconds). So the DSPA part (those 6 digits OTPs) of the user passwords constantly change according to the timeline determined by the admin. Besides, teams of users can be made to be, or not be subject to the DSPA element in their static passwords; making the two-factor authentication AD required for the most valuable accounts only.<\/p>\n\n\n\n

| Read also:<\/span> Two-factor authentication for Windows 7, 8, 10<\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

Advantages of this approach to AD 2-factor authentication<\/strong><\/h2>\n\n\n\n

1. Advanced Active Directory security<\/h3>\n\n\n\n

Every regular 2-factor verification arrangement adds the second layer to the endpoints only. As a result, the hackers have a window to bypass 2FA and call the user directory up straightforward. Active Directory domain is easily called up through the Windows command prompt, so the hacker simply needs a user\u2019s credentials (login and password) to act maliciously under their name and no Active Directory 2-factor authentication will be there to stop him.<\/p>\n\n\n\n

Two-factor authentication Active Directory solution from Protectimus allows to enable the complete system protection and ensure no-one can get into AD without the additional dynamic OTP.<\/p>\n\n\n\n

2. Ease of use and maintenance for AD administrators<\/h3>\n\n\n\n

Another issue that our solution for Active Directory two-factor authentication easily fixes is the need for multiple 2FA solutions for various accounts, services, and platforms. Traditionally the administrators have to implement different MFA solutions for different services that are in use by their company, then install this additional software on every user\u2019s device. Needless to say, all this software has to be maintained and regularly updated. Protectimus DSPA is a brilliant solution for this issue, integrating it with AD adds Active Directory one-time password to every single service and platform attached to AD.<\/p>\n\n\n\n

| Read also:<\/span> 2FA Security Flaws You Should Know About<\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

What authentication methods are available<\/strong><\/h2>\n\n\n\n

As has already been mentioned above \u2014 with DSPA the admin can set any time step for the dynamic Active Directory password reset – 30, 60 or even 3000 seconds. So the token that generates and delivers the OTP has to accommodate this feature too. Currently, there are two methods of two-tier authentication with DSPA available \u2014 2FA mobile application Protectimus Smart OTP and custom hardware tokens. The third one \u2014 chatbots, is currently in the works and will be released soon.<\/p>\n\n\n\n

1. 2FA app<\/h3>\n\n\n\n

Our free 2FA application<\/a> Protectimus Smart OTP is available for both Android and iOS and can be used not only for 2-factor authentication Active Directory but for other sites and services protection too. The app allows for setting the OTP change schedule to multiple units of 30 seconds, so you can set it to 30, 60, 90, etc. which makes it the best option for OTP delivery for MFA Active Directory.<\/p>\n\n\n\n

\n