Protectimus DSPA
Protectimus DSPA (Dynamic Strong Password Authentication) is the first database security solution that provides two-factor authentication for account protection directly in Active Directory and other user directories (LDAP, databases).
Passwords Just Got Reinvented
No more weak, reused, or stolen passwords.
Deploy Protectimus DSPA and transform the login experience into a truly passwordless authentication flow powered by dynamic OTPs.
Users authenticate with temporary one-time passwords instead of permanent credentials, dramatically reducing the risk of phishing, credential theft, and password-based attacks while keeping access fast and convenient.
Scheduled OTP rotation
The Protectimus DSPA component for Active Directory replaces traditional static passwords with secure one-time passwords generated using the TOTP algorithm. OTP passwords are automatically updated at intervals defined by the administrator, ensuring that users always authenticate with temporary dynamic credentials instead of permanent passwords.
Hassle-free administration
Unlike traditional MFA solutions, Protectimus DSPA removes the complexity of deploying and maintaining additional software on client machines. After integration with Active Directory or any other user directory or database, authentication with OTP passwords is automatically applied across all connected systems, including Winlogon, RDP, OWA, etc.
What problems does Protectimus DSPA solve?
1. Existing MFA solutions protect only part of the infrastructure
All standard MFA solutions add two-factor authentication only to endpoints. This leaves hackers a chance to attack your infrastructure by bypassing two-factor authentication and calling your user directory directly. For example, it’s possible to call Active Directory via the Windows command line, and knowing a user's login and password is enough to perform an action on their behalf. With Protectimus DSPA enabled, you can be certain that nobody will have access to AD, LDAP or user accounts in your database without a dynamic OTP password, no matter where the request comes from or where it is directed.
2. Administrators need to install and support 2FA plugins on multiple platforms
Usually, to configure two-factor authentication for all employees and all the services that the company uses, the administrator must implement several 2FA plugins for different platforms and install additional software on each client machine. Moreover, all this software needs to be constantly updated. After integrating the Protectimus DSPA component with Active Directory, MFA passwords will be required on all services connected to AD (Winlogon, RDP, ADFS, OWA, etc.).
How does it work?
Protectimus integrates directly with Microsoft Active Directory (or any other user directory) to replace traditional static passwords with secure one-time passwords generated using the TOTP algorithm. These passwords constantly change according to a schedule defined by the administrator, turning standard Active Directory authentication into a passwordless login experience.
The administrator defines the one-time password rotation interval, starting from 30 seconds with configurable step-based increases. Password rotation policies can be configured individually for each user, and administrators can choose which user groups are required to use Protectimus Dynamic Strong Password Authentication (DSPA).
As a result, Active Directory users authenticate using one-time passwords instead of permanent static credentials. To generate OTPs, users can use the Protectimus SMART authenticator app or chatbots on Telegram, Viber, or Facebook. Access to the app or messenger can be additionally protected with a PIN code or biometrics, adding an extra layer of security to the authentication process.
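The rotation interval described above corresponds to the time-step parameter of TOTP (RFC 6238). The following is an added example, not Protectimus code, showing how the step determines when the one-time password changes and how long a given code stays valid. The function names and the `drift_steps` tolerance are assumptions for illustration, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the ASCII test key from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"
STEP_BASE = 30  # the page states intervals are multiples of 30 seconds


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with a configurable time step."""
    if step < STEP_BASE or step % STEP_BASE:
        raise ValueError("step must be a positive multiple of 30 seconds")
    counter = unix_time // step  # same counter => same OTP for the whole step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def window(unix_time: int, step: int) -> tuple[int, int]:
    """Return (start, end) of the interval during which the current OTP holds."""
    start = unix_time - unix_time % step
    return start, start + step


def seconds_remaining(unix_time: int, step: int) -> int:
    """Seconds until the OTP rotates; the upper bound grows with the step."""
    return window(unix_time, step)[1] - unix_time


def verify(secret: bytes, candidate: str, unix_time: int,
           step: int = 30, drift_steps: int = 0) -> bool:
    """Constant-time comparison, optionally tolerating N steps of clock drift."""
    for d in range(-drift_steps, drift_steps + 1):
        t = unix_time + d * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, step), candidate):
            return True
    return False


if __name__ == "__main__":
    for step in (30, 300):
        print(step, totp(SECRET, 299, step), seconds_remaining(299, step))
```

A longer step means fewer password changes for the user, but each code is accepted for the full interval, and any drift tolerance extends that by whole steps.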
OTP tokens to choose from
The Protectimus DSPA component for database protection allows administrators to specify any OTP password change interval in multiples of 30 seconds. The same functionality is available with the Protectimus Smart OTP and Protectimus Bot tokens.
Protectimus Smart app
The free Protectimus Smart OTP app for two-factor authentication is available for iOS and Android. When creating a new TOTP token, users can set their desired time interval in multiples of 30 seconds. This makes it possible to use the Protectimus Smart software token for two-factor authentication in Active Directory, LDAP, and other databases with Protectimus DSPA.
Messaging chatbots
One-time password delivery is available through the Protectimus Bot chatbots on Telegram, Viber, and Facebook Messenger. This type of software token is also available at no cost. It allows administrators to configure TOTP-based one-time password generation with any time interval. That makes these chatbots an excellent means of authentication for Protectimus DSPA.
On-premise platform or Private cloud
Before implementing the Protectimus Dynamic Strong Password Authentication component, the client will need to install the Protectimus two-factor authentication platform on their premises or in the client's private cloud.
On-premise Platform
Private Cloud
The Protectimus two-factor authentication server can also be deployed in the client’s private cloud. No matter where the platform is installed, either in your environment or in the private cloud, it supports multidomain environments, clustering, replication, and backup features, and it gives the client total control over sensitive data and processes. Before installing the Protectimus authentication platform in the private cloud, make sure the cloud infrastructure you set up meets the following technical specifications: Instance type: 2 Core (CPU), 8 GB (MEM); OS for all instances: Linux; Cloud Disk: 100 GB per month for each instance; Network Traffic: 1000 GB per month; Load Balancer.
How to set up two-factor authentication in Active Directory
Active Directory two-factor authentication using Protectimus DSPA: setup instructions
Install the platform with the DSPA component
Install the Protectimus On-Premise Platform using the Windows installer (downloadable from this page) or a Docker image. The Protectimus DSPA component will be installed automatically.
Add a Resource
In the Resources tab, click Add Resource. This will take you to the page where you can add a resource. Here, you only need to specify a Resource Name and click Save. The other parameters are optional.
Set Up a User Provider and User Synchronization
In the Protectimus system, log in to your account, go to the DSPA tab, and select Add Task → Add LDAP User Provider. Fill in the details of your user directory, specify the synchronization attributes, import your users into the Protectimus system, and synchronize them with your user directory.
Activate the Protectimus DSPA Component
To activate the Protectimus DSPA component, open the DSPA tab, click on the name of the DSPA instance, and set the Enabled parameter to active.
Activate the Users’ Self-Service Portal
For the Protectimus DSPA component to work, you need: a configured user provider, a synchronized user, a password set for the user, and a token assigned to the user. To let users set passwords and enroll tokens themselves, enable the Users’ Self-Service Portal: click the resource name, open the Self-Service tab, activate self-service, and set its address.