{"id":16945,"date":"2026-06-01T11:09:10","date_gmt":"2026-06-01T11:09:10","guid":{"rendered":"https:\/\/www.protectimus.com\/?page_id=16945"},"modified":"2026-06-03T16:47:47","modified_gmt":"2026-06-03T16:47:47","slug":"on-prem-mfa","status":"publish","type":"page","link":"https:\/\/www.protectimus.com\/uk\/on-prem-mfa\/","title":{"rendered":"On-Premise MFA"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"16945\" class=\"elementor elementor-16945\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-223acb9 padded e-flex e-con-boxed e-con e-parent\" data-id=\"223acb9\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e4740cc elementor-widget elementor-widget-heading\" data-id=\"e4740cc\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">On-Premise MFA: Complete Guide to Self-Hosted Multi-Factor Authentication (2026)<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b4a66c0 e-con-full e-flex e-con e-child\" data-id=\"b4a66c0\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-0870f66 e-con-full e-flex e-con e-child\" data-id=\"0870f66\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e128a97 elementor-widget elementor-widget-text-editor\" data-id=\"e128a97\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cloud-based authentication is the path of least resistance for most organizations. Faster to deploy, no infrastructure to maintain, someone else&#8217;s problem when it breaks at 2 AM. 
For a significant portion of enterprises, that trade-off is perfectly acceptable.<\/span><\/p><p><span style=\"font-weight: 400;\">For the rest \u2014 those operating under GDPR, DORA, NIS2, PCI DSS, or HIPAA, those running air-gapped networks in defense or critical infrastructure, those whose compliance auditors ask uncomfortable questions about where authentication data actually lives \u2014 the calculus looks different. When users authenticate to systems containing cardholder data or electronic protected health information, authentication data often falls under strict compliance and data residency requirements. In a cloud MFA deployment, that data leaves your network. In an on-premise deployment, it doesn&#8217;t.<\/span><\/p><p><span style=\"font-weight: 400;\">This guide explains how on-premise MFA architecture works, why it is still required in 2026 for organizations under strict compliance or network isolation constraints, and how it compares with cloud and private-cloud alternatives. 
For Protectimus product specifics \u2014 pricing, deployment specs, supported tokens, and demo \u2014 see the <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><span style=\"font-weight: 400;\">Protectimus On-Premise MFA Platform<\/span><\/a><span style=\"font-weight: 400;\"> page.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-42bfc14 e-con-full e-flex e-con e-child\" data-id=\"42bfc14\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6818e9e elementor-widget elementor-widget-heading\" data-id=\"6818e9e\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Table of Contents<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-282e74f elementor-widget elementor-widget-text-editor\" 
data-id=\"282e74f\" data-element_type=\"widget\" id=\"why-on-premise-mfa-matters-2026\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol>\n \t<li><a href=\"#why-on-premise-mfa-matters-2026\">Why On-Premise MFA Matters in 2026<\/a><\/li>\n \t<li><a href=\"#on-premise-mfa-vs-cloud-mfa-vs-private-cloud\">On-Premise MFA vs Cloud MFA vs Private Cloud<\/a><\/li>\n \t<li><a href=\"#how-protectimus-on-premise-mfa-works\">How Protectimus On-Premise MFA Works<\/a><\/li>\n \t<li><a href=\"#enterprise-features-clustering-ha-multidomain-ad\">Enterprise Features: Clustering, HA, Multidomain AD<\/a><\/li>\n \t<li><a href=\"#supported-mfa-methods\">Supported MFA Methods<\/a><\/li>\n \t<li><a href=\"#what-services-can-be-protected\">What Services Can Be Protected<\/a><\/li>\n \t<li><a href=\"#deployment-requirements\">Deployment Requirements<\/a><\/li>\n \t<li><a href=\"#industry-use-cases-compliance\">Industry Use Cases &amp; Compliance<\/a><\/li>\n \t<li><a href=\"#faq\">FAQ<\/a><\/li>\n \t<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\n<\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b904199 padded e-flex e-con-boxed e-con e-parent\" data-id=\"b904199\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-1b1c9bb e-con-full e-flex e-con e-child\" data-id=\"1b1c9bb\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f07f411 elementor-widget elementor-widget-heading\" data-id=\"f07f411\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Quick Answer<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-54d9acf elementor-widget elementor-widget-text-editor\" data-id=\"54d9acf\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>On-premise MFA is a self-hosted authentication architecture where the OTP validation engine, user database, token secrets, and audit logs all run inside your own infrastructure \u2014 physical servers, virtualized environments, or private cloud. No authentication request leaves your network.<\/p><p>This guide explains why regulated industries still choose this model in 2026, how the architecture works, what it protects, and how it compares with cloud-based alternatives.<\/p><p>For Protectimus product specifics \u2014 pricing, supported tokens, deployment specs, and demo \u2014 see the<br \/><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><strong>Protectimus On-Premise MFA Platform \u2192<\/strong><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cdef92e padded e-flex e-con-boxed e-con e-parent\" data-id=\"cdef92e\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-56c84d1 elementor-widget elementor-widget-heading\" data-id=\"56c84d1\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Key facts\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bff780b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"bff780b\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span 
class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d391a8f e-grid e-con-boxed e-con e-child\" data-id=\"d391a8f\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-64a96a2 border-left e-flex e-con-boxed e-con e-child\" data-id=\"64a96a2\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4dfef98 elementor-widget elementor-widget-heading\" data-id=\"4dfef98\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">99.9% of attacks blocked by MFA<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0cc1bea elementor-widget elementor-widget-heading\" data-id=\"0cc1bea\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Microsoft<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f5e29e2 elementor-widget elementor-widget-text-editor\" data-id=\"f5e29e2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Microsoft reports that MFA blocks over 99.9% of account compromise attacks \u2014 the single highest-impact control against credential-based intrusions. 
(<\/span><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/corporate-responsibility\/cybersecurity\/microsoft-digital-defense-report-2025\/\"><span style=\"font-weight: 400;\">Microsoft Digital Defense Report<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5947b8 border-left e-flex e-con-boxed e-con e-child\" data-id=\"f5947b8\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fa74c1f elementor-hidden-desktop elementor-hidden-tablet elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"fa74c1f\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47e43b7 elementor-widget elementor-widget-heading\" data-id=\"47e43b7\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">$4.4M average breach cost in 2025<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb629a4 elementor-widget elementor-widget-heading\" data-id=\"fb629a4\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">IBM <\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085769 elementor-widget elementor-widget-text-editor\" data-id=\"8085769\" 
data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The global average cost of a data breach reached $4.44 million in 2025, while US organizations hit an all-time high of $10.22 million (<\/span><a target=\"_blank\" href=\"https:\/\/www.ibm.com\/reports\/data-breach\"><span style=\"font-weight: 400;\">IBM Cost of a Data Breach Report 2025<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c6c866e elementor-hidden-desktop elementor-hidden-tablet elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"c6c866e\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5c0d1fa border-left e-flex e-con-boxed e-con e-child\" data-id=\"5c0d1fa\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d45db87 elementor-widget elementor-widget-heading\" data-id=\"d45db87\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">22% of breaches via credential abuse<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-344d455 elementor-widget elementor-widget-heading\" data-id=\"344d455\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div 
class=\"elementor-heading-title elementor-size-default\">Verizon<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a4d317 elementor-widget elementor-widget-text-editor\" data-id=\"3a4d317\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Credential abuse was the initial access vector in 22% of breaches; 88% of Basic Web Application attacks involved stolen credentials. (<a target=\"_blank\" href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Verizon 2026 Data Breach Investigations Report<\/a>)<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0ae1e9a padded e-flex e-con-boxed e-con e-parent\" data-id=\"0ae1e9a\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e899921 elementor-widget elementor-widget-heading\" data-id=\"e899921\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Key Takeaways<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-86d1b8b elementor-widget elementor-widget-spacer\" data-id=\"86d1b8b\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9d5e935 e-grid e-con-full e-con e-child\" data-id=\"9d5e935\" 
data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-12e9470 e-con-full e-flex e-con e-child\" data-id=\"12e9470\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8644d62 elementor-widget elementor-widget-image\" data-id=\"8644d62\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"57\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2026\/05\/plat_new.svg\" class=\"attachment-full size-full wp-image-16521\" alt=\"On-premise MFA platform icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-317cba7 elementor-widget elementor-widget-heading\" data-id=\"317cba7\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Authentication Stays On-Prem<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d96a026 elementor-widget elementor-widget-text-editor\" data-id=\"d96a026\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">All OTP validation, token secrets, and audit logs run inside your own network. 
No external dependency for authentication processing.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-68b5ae8 e-con-full e-flex e-con e-child\" data-id=\"68b5ae8\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b57400 elementor-widget elementor-widget-image\" data-id=\"8b57400\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"64\" height=\"64\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-enh-sec.svg\" class=\"attachment-full size-full wp-image-5696\" alt=\"Enhanced Security - icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-767e2aa elementor-widget elementor-widget-heading\" data-id=\"767e2aa\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">High-Availability Clustering<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d73153e elementor-widget elementor-widget-text-editor\" data-id=\"d73153e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Production deployments use clustered multi-node architecture (typically 3+ nodes) with load balancing and database replication.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9d3b5b8 e-con-full e-flex e-con e-child\" data-id=\"9d3b5b8\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-89d54f8 elementor-widget elementor-widget-image\" 
data-id=\"89d54f8\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"28\" height=\"28\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/03\/icon-radius.svg\" class=\"attachment-full size-full wp-image-5794\" alt=\"MFA for RADIUS icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f7f585d elementor-widget elementor-widget-heading\" data-id=\"f7f585d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Multidomain Active Directory<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aff0db8 elementor-widget elementor-widget-text-editor\" data-id=\"aff0db8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Native support for multi-domain Active Directory environments, with centralized authentication management from a single platform instance.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9ddacc7 e-con-full e-flex e-con e-child\" data-id=\"9ddacc7\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-82d1654 elementor-widget elementor-widget-image\" data-id=\"82d1654\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"56\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-windows.svg\" class=\"attachment-full size-full wp-image-5709\" alt=\"MFA for Windows and RDP - icon\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eb78c60 elementor-widget elementor-widget-heading\" data-id=\"eb78c60\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Broad Service Coverage<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ee318b2 elementor-widget elementor-widget-text-editor\" data-id=\"ee318b2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Protects AD, VPN gateways, ADFS-federated apps, Windows logon and RDP, OWA, and custom web applications.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cb9fab9 e-con-full e-flex e-con e-child\" data-id=\"cb9fab9\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1b3c387 elementor-widget elementor-widget-image\" data-id=\"1b3c387\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"56\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-check.svg\" class=\"attachment-full size-full wp-image-5737\" alt=\"Customer Stories section icon \u2013 real-life client experiences\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-84c6048 elementor-widget elementor-widget-heading\" data-id=\"84c6048\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title 
elementor-size-default\">Compliance Coverage<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1abcc56 elementor-widget elementor-widget-text-editor\" data-id=\"1abcc56\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Helps meet PCI DSS v4.0, HIPAA, NIST SP 800-63B, SOC 2, ISO 27001, GDPR, DORA, NIS2.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7c15682 e-con-full e-flex e-con e-child\" data-id=\"7c15682\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ffb514c elementor-widget elementor-widget-image\" data-id=\"ffb514c\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"56\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/03\/icon-wifi-56.svg\" class=\"attachment-full size-full wp-image-5810\" alt=\"Wi-Fi Authentication icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3382fca elementor-widget elementor-widget-heading\" data-id=\"3382fca\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Air-Gapped Capable<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-785b26a elementor-widget elementor-widget-text-editor\" data-id=\"785b26a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Operates without internet 
connectivity after deployment \u2014 the only viable architecture for classified and ICS environments.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-30a9584 elementor-widget elementor-widget-spacer\" data-id=\"30a9584\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5b50e5c padded e-flex e-con-boxed e-con e-parent\" data-id=\"5b50e5c\" data-element_type=\"container\" id=\"why-mfa\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-28b1e56 e-con-full e-flex e-con e-child\" data-id=\"28b1e56\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a6f90e4 elementor-widget elementor-widget-heading\" data-id=\"a6f90e4\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Why On-Premise MFA Matters in 2026<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9d2498b elementor-widget elementor-widget-text-editor\" data-id=\"9d2498b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The honest answer is that most organizations don&#8217;t choose it \u2014 they&#8217;re pushed toward it by constraints that make cloud MFA non-viable.<\/span><\/p><p><a target=\"_blank\" href=\"https:\/\/gdpr-info.eu\/\"><span style=\"font-weight: 400;\">GDPR<\/span><\/a><span 
style=\"font-weight: 400;\"> treats authentication event data \u2014 usernames, timestamps, IP addresses, validation results \u2014 as personal data. Routing it through a cloud authentication provider creates a data processing relationship that requires a DPA, a security assessment, and potentially a transfer impact assessment. <\/span><a target=\"_blank\" href=\"https:\/\/www.eiopa.europa.eu\/digital-operational-resilience-act-dora_en\"><span style=\"font-weight: 400;\">DORA<\/span><\/a><span style=\"font-weight: 400;\"> classifies authentication services as ICT services, making cloud MFA providers subject to its third-party risk management requirements. <\/span><a target=\"_blank\" href=\"https:\/\/www.nis-2-directive.com\/NIS_2_Directive_Article_21.html\"><span style=\"font-weight: 400;\">NIS2<\/span><\/a><span style=\"font-weight: 400;\"> Article 21 puts authentication infrastructure dependencies in scope for supply chain risk assessment.<\/span><\/p><p>For financial institutions, healthcare providers, and critical infrastructure operators, keeping authentication in-house often simplifies compliance reviews and reduces third-party risk exposure.<\/p><p><span style=\"font-weight: 400;\">Air-gapped networks are the harder constraint. Classified government systems, defense contractor environments under ITAR or CMMC, industrial control system networks, and certain financial trading infrastructure are typically unable to route authentication requests to external APIs. 
On-premise is the only architecture that works.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d57877c padded e-flex e-con-boxed e-con e-parent\" data-id=\"d57877c\" data-element_type=\"container\" id=\"on-premise-mfa-vs-cloud-mfa-vs-private-cloud\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-1698709 e-con-full e-flex e-con e-child\" data-id=\"1698709\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-88c2197 elementor-widget elementor-widget-heading\" data-id=\"88c2197\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">On-Premise MFA vs Cloud MFA vs Private Cloud<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-83f93dd elementor-widget elementor-widget-text-editor\" data-id=\"83f93dd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<table><tbody><tr><td><p><b>Factor<\/b><\/p><\/td><td><p><b>On-Premise<\/b><\/p><\/td><td><p><b>Cloud MFA<\/b><\/p><\/td><td><p><b>Private Cloud<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Authentication data location<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Your servers<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Vendor infrastructure<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Your cloud tenant<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Air-gapped support<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 
400;\">Depends<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">External connectivity required<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes (cloud provider)<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Latency<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">LAN \u2014 predictable<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Internet-dependent<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Internet-dependent<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">HA \/ clustering<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Self-managed (3-node recommended)<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Provider-managed<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Self-managed<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Third-party audit scope<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">None<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Full vendor assessment<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Cloud provider in scope<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Time to deploy<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Days<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Hours<\/span><\/p><\/td><td><p>Hours to days<\/p><\/td><\/tr><\/tbody><\/table><p>Private cloud combines many of the benefits of on-premise MFA with the operational flexibility of cloud infrastructure. Authentication data remains within the organization&#8217;s dedicated cloud environment rather than a shared SaaS platform, while the underlying cloud provider remains part of the compliance and risk assessment scope. 
For organizations already running regulated workloads in AWS or Azure with appropriate contractual coverage, it offers a balance between control and operational flexibility.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-86abc7e padded e-flex e-con-boxed e-con e-parent\" data-id=\"86abc7e\" data-element_type=\"container\" id=\"how-protectimus-on-premise-mfa-works\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-f0f2e30 e-con-full e-flex e-con e-child\" data-id=\"f0f2e30\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-684bcff elementor-widget elementor-widget-heading\" data-id=\"684bcff\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">How Protectimus On-Premise MFA Works<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4b52e3d elementor-widget elementor-widget-text-editor\" data-id=\"4b52e3d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The platform has three functional layers:<\/span><\/p><p><b>Authentication engine. <\/b><span style=\"font-weight: 400;\">The OTP validation engine implements OATH TOTP, HOTP, and OCRA standards. Authentication requests arrive via RADIUS, DSPA, or API. The engine validates the OTP against the token seed stored locally and returns pass or fail. No seed material ever leaves your infrastructure \u2014 at provisioning or validation time.<\/span><\/p><p><b>Integration layer. 
<\/b><span style=\"font-weight: 400;\">Protocols, plugins, and integration components that connect protected systems to the authentication engine:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.protectimus.com\/uk\/radius\/\"><b>RADIUS<\/b><\/a><span style=\"font-weight: 400;\"> \u2014 VPN gateways, network access controllers, Wi-Fi, and other RADIUS-based systems<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.protectimus.com\/uk\/dspa\/\"><b>DSPA<\/b><\/a><span style=\"font-weight: 400;\"> \u2014 OTP-based authentication for Active Directory, LDAP directories, and connected services<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.protectimus.com\/uk\/adfs\/\"><b>ADFS plugin<\/b><\/a><span style=\"font-weight: 400;\"> \u2014 federated access to Microsoft 365, SharePoint, Salesforce, and other applications connected through ADFS<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.protectimus.com\/uk\/winlogon\/\"><b>Windows Credential Provider<\/b><\/a><span style=\"font-weight: 400;\"> \u2014 Windows logon and RDP protection, including offline authentication support<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><b>Web application plugins and API integrations<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/owa\/\"><span style=\"font-weight: 400;\">Outlook Web App<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/roundcube\/\"><span style=\"font-weight: 400;\">Roundcube<\/span><\/a><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">, custom web applications, and services integrated through REST API or SDK<\/span><\/span><\/li><\/ul><p><br \/><b>Management and audit layer. 
<\/b><span style=\"font-weight: 400;\">Integration with Active Directory, LDAP directories, and other user data sources keeps user accounts synchronized automatically. Authentication event logs \u2014 every attempt, timestamp, result \u2014 stay local. The Self-Service Portal handles token enrollment, synchronization, and device replacement without administrator involvement.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-280411b padded e-flex e-con-boxed e-con e-parent\" data-id=\"280411b\" data-element_type=\"container\" id=\"enterprise-features-clustering-ha-multidomain-ad\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-2bd5d59 e-con-full e-flex e-con e-child\" data-id=\"2bd5d59\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-347cae5 elementor-widget elementor-widget-heading\" data-id=\"347cae5\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Enterprise Features: Clustering, High Availability, Multidomain AD<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3977085 elementor-widget elementor-widget-text-editor\" data-id=\"3977085\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Production on-premise MFA deployments typically use a clustered multi-node architecture with load balancing and database replication \u2014 so that authentication continues if a node fails. 
The minimum viable high-availability setup is three nodes (for quorum) with a load balancer in front and master-slave database replication behind.<\/span><\/p><p><span style=\"font-weight: 400;\">Multidomain Active Directory support enables integration with complex enterprise environments containing multiple domains or directory structures. LDAP synchronization can be configured across separate directories while maintaining centralized authentication management from a single platform instance.<\/span><\/p><p><span style=\"font-weight: 400;\">The Protectimus On-Premise MFA Platform supports clustered deployments with multiple platform nodes, HAProxy load balancing, and replicated PostgreSQL databases. See the full deployment architecture, system requirements, and rollout timeline on the <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><b>Protectimus On-Premise MFA Platform \u2192<\/b><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a29b829 padded e-flex e-con-boxed e-con e-parent\" data-id=\"a29b829\" data-element_type=\"container\" id=\"deployment\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-1dc9ec2 e-con-full e-flex e-con e-child\" data-id=\"1dc9ec2\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-131348d elementor-widget elementor-widget-heading\" data-id=\"131348d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Supported MFA Methods<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5266633 elementor-widget elementor-widget-text-editor\" data-id=\"5266633\" data-element_type=\"widget\" id=\"supported-mfa-methods\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<table><tbody><tr><td><p><b>Method<\/b><\/p><\/td><td><p><b>Phishing Resistance<\/b><\/p><\/td><td><p><b>Offline<\/b><\/p><\/td><td><p><b>Self-Service Recovery<\/b><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/token\/smart\/\"><span style=\"font-weight: 400;\">SMART OTP App<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">High<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes (cloud backup)<\/span><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/tokens\/\"><span style=\"font-weight: 400;\">Hardware Token<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">High<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No (admin replaces)<\/span><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/token\/bot\/\"><span style=\"font-weight: 400;\">BOT (Telegram\/Viber)<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">Medium<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">N\/A<\/span><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/token\/sms\/\"><span style=\"font-weight: 400;\">SMS<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">Low-Medium<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">N\/A<\/span><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/token\/mail\/\"><span style=\"font-weight: 400;\">Email<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">Low-Medium<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 
400;\">N\/A<\/span><\/p><\/td><\/tr><tr><td><p><a href=\"https:\/\/www.protectimus.com\/uk\/token\/push\/\"><span style=\"font-weight: 400;\">Push<\/span><\/a><\/p><\/td><td><p><span style=\"font-weight: 400;\">Medium<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes (cloud backup)<\/span><\/p><\/td><\/tr><\/tbody><\/table><p><span style=\"font-weight: 400;\">For environments where mobile devices are prohibited \u2014 manufacturing floors, secure facilities, classified networks \u2014 hardware OATH TOTP tokens are typically the preferred second factor. Standardization on OATH means tokens are vendor-portable: an OATH TOTP token from one provider works with another OATH-compliant validation engine.<\/span><\/p><p><span style=\"font-weight: 400;\">Protectimus offers four hardware token models for these scenarios, including programmable NFC cards and SHA-256 fixed-seed tokens. <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/tokens\/\"><b>See all hardware token options \u2192<\/b><\/a><\/p><p><span style=\"font-weight: 400;\">TOTP-based methods (authenticator app and hardware tokens) are operationally the strongest choice for most enterprise on-premise deployments. Both generate codes locally without internet connectivity. 
Both produce 30-second codes that are worthless to an attacker who intercepts them after they expire.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-16797b4 padded e-flex e-con-boxed e-con e-parent\" data-id=\"16797b4\" data-element_type=\"container\" id=\"what-services-can-be-protected\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-bb86bc5 e-con-full e-flex e-con e-child\" data-id=\"bb86bc5\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-891beb3 elementor-widget elementor-widget-heading\" data-id=\"891beb3\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">What Services Can Be Protected<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7f6098 elementor-widget elementor-widget-text-editor\" data-id=\"d7f6098\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Active Directory, LDAP, and databases. <\/b>With Protectimus DSPA, on-premise MFA protects directory accounts at the directory level, extending protection to Windows logon, RDP, VPN access, OWA, and any AD-bound application. Group-based scoping lets you start with privileged accounts before extending coverage.<span style=\"font-weight: 400;\"> Protectimus implements directory-level MFA via <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/dspa\/\"><b>DSPA (Dynamic Strong Password Authentication) \u2192<\/b><\/a><\/p><p><b>VPN gateways via RADIUS. <\/b><span style=\"font-weight: 400;\">Covers Cisco ASA, Cisco Firepower, Fortinet, Palo Alto, Check Point, Juniper, and most RFC 2865-compliant VPN gateways. 
UDP 1812 inbound from the gateway is the primary network requirement. For a worked example, see <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/mfa-for-cisco-anyconnect\/\"><b>MFA for Cisco AnyConnect \u2192<\/b><\/a><\/p><p><b>ADFS and federated applications. <\/b><span style=\"font-weight: 400;\">A plugin integrates as an additional authentication provider in the ADFS pipeline, enabling MFA protection for all federated services routed through ADFS \u2014 Microsoft 365, SharePoint, Salesforce, and others. See <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/adfs\/\"><b>ADFS integration \u2192<\/b><\/a><\/p><p><b>Windows logon and RDP. <\/b><span style=\"font-weight: 400;\">A Windows Credential Provider protects desktop and server logons, with offline validation support via one-time backup codes for workstations that cannot reach the authentication server. See <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/winlogon\/\"><b>Windows logon &amp; RDP MFA \u2192<\/b><\/a><\/p><p><b>Outlook Web App and web applications. <\/b><span style=\"font-weight: 400;\">OWA integration for Exchange 2013\u20132019. Roundcube via plugin. Custom web applications via REST API or SDK. 
See <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/owa\/\"><b>OWA integration \u2192<\/b><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/roundcube\/\"><b>Roundcube integration \u2192<\/b><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-dd147b2 padded e-flex e-con-boxed e-con e-parent\" data-id=\"dd147b2\" data-element_type=\"container\" id=\"deployment-requirements\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-c9b7b25 e-con-full e-flex e-con e-child\" data-id=\"c9b7b25\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fad9de1 elementor-widget elementor-widget-heading\" data-id=\"fad9de1\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Deployment Requirements<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-78865c0 elementor-widget elementor-widget-text-editor\" data-id=\"78865c0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">On-premise MFA platforms have modest hardware requirements \u2014 a few CPU cores and several GB of RAM per node are typically enough for the authentication engine itself. Storage scales primarily with audit-log retention.<\/span><\/p><p><span style=\"font-weight: 400;\">A standard single-domain rollout \u2014 one AD forest, one VPN gateway, standard workstations \u2014 is achievable in one to two days, including pilot testing. 
Full rollout time then depends on the number of integrations and the enrollment approach (self-service portal or bulk CSV provisioning).<\/span><\/p><p><span style=\"font-weight: 400;\">Existing RADIUS infrastructure \u2014 including Cisco ISE and FreeRADIUS \u2014 can typically be preserved by integrating the new authentication platform as a RADIUS proxy layer with minimal configuration changes.<\/span><\/p><p><span style=\"font-weight: 400;\">For exact Protectimus deployment specs (CPU, RAM, storage, supported OS and database, step-by-step rollout timeline), see the <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><b>Protectimus On-Premise MFA Platform \u2192<\/b><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a2442ac padded e-flex e-con-boxed e-con e-parent\" data-id=\"a2442ac\" data-element_type=\"container\" id=\"industry-use-cases-compliance\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-d2891c1 e-con-full e-flex e-con e-child\" data-id=\"d2891c1\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f2847f8 elementor-widget elementor-widget-heading\" data-id=\"f2847f8\" data-element_type=\"widget\" id=\"howtosetup\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Industry Use Cases &amp; Compliance<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-32a2622 elementor-widget elementor-widget-text-editor\" data-id=\"32a2622\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<table><tbody><tr><td><p><b>Sector<\/b><\/p><\/td><td><p><b>Compliance 
Driver<\/b><\/p><\/td><td><p><b>Notes<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Financial services<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">PCI DSS v4.0, SOX, DORA<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Hardware tokens for regulated and high-security environments; DSPA for AD<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Healthcare<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">HIPAA, HITECH<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Hardware tokens for EVV workflows and MFA for shared clinical workstations<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Government \/ Defense<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">NIST 800-63B, FISMA, CMMC<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Air-gapped deployments and hardware token support<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Energy \/ Critical infrastructure<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">NERC CIP, NIS2<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">On-premise MFA and hardware tokens for isolated ICS and OT environments<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Telecom<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">NIS2<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">MFA for distributed telecom and multi-site network infrastructure<\/span><\/p><\/td><\/tr><\/tbody><\/table><p><a target=\"_blank\" target=\"_blank\" href=\"https:\/\/www.pcisecuritystandards.org\/document_library\/\"><span style=\"font-weight: 400;\">PCI DSS v4.0<\/span><\/a><span style=\"font-weight: 400;\"> Requirement 8.4.2 mandates MFA for all remote access into the cardholder data environment \u2014 no exceptions. 
<\/span><a target=\"_blank\" target=\"_blank\" href=\"https:\/\/www.eiopa.europa.eu\/digital-operational-resilience-act-dora_en\"><span style=\"font-weight: 400;\">DORA<\/span><\/a><span style=\"font-weight: 400;\"> makes cloud authentication providers ICT third-party vendors requiring formal due diligence. <\/span><a target=\"_blank\" target=\"_blank\" href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/security\/laws-regulations\/index.html\"><span style=\"font-weight: 400;\">HIPAA Technical Safeguards (45 CFR \u00a7164.312)<\/span><\/a><span style=\"font-weight: 400;\"> require access controls for ePHI systems; HHS explicitly recommends MFA for remote access. <\/span><span style=\"font-weight: 400;\">OATH TOTP is widely used to support <a target=\"_blank\" target=\"_blank\" href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">NIST SP 800-63B<\/a> AAL2 authentication requirements.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a9cb282 padded e-flex e-con-boxed e-con e-parent\" data-id=\"a9cb282\" data-element_type=\"container\" id=\"faq\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7659ffd elementor-widget elementor-widget-heading\" data-id=\"7659ffd\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">FAQ<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-dc81e4c e-con-full padded e-flex e-con e-child\" data-id=\"dc81e4c\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-fb2596d e-con-full faq-container e-flex e-con e-child\" data-id=\"fb2596d\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-412fa06 plus-right elementor-widget 
elementor-widget-n-accordion\" data-id=\"412fa06\" data-element_type=\"widget\" data-settings=\"{&quot;default_state&quot;:&quot;all_collapsed&quot;,&quot;max_items_expended&quot;:&quot;one&quot;,&quot;n_accordion_animation_duration&quot;:{&quot;unit&quot;:&quot;ms&quot;,&quot;size&quot;:400,&quot;sizes&quot;:[]}}\" data-widget_type=\"nested-accordion.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"e-n-accordion\" aria-label=\"Accordion. Open links with Enter or Space, close with Escape, and navigate with Arrow Keys\">\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6830\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"1\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6830\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> What is on-premise MFA and how does it differ from cloud MFA? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6830\" class=\"elementor-element elementor-element-ea1991a e-con-full e-flex e-con e-child\" data-id=\"ea1991a\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8bad61c elementor-widget elementor-widget-text-editor\" data-id=\"8bad61c\" 
data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">On-premise MFA runs the full authentication stack \u2014 OTP engine, user database, token secrets, audit logs \u2014 on your own servers. Cloud MFA sends authentication requests to a vendor&#8217;s infrastructure for processing. The end-user experience is identical: a second-factor prompt. The difference is where processing happens and whether external connectivity is required. On-premise validates OTPs locally with no outbound calls. Cloud MFA stops working if the vendor&#8217;s API is unreachable.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6831\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"2\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6831\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Why do regulated industries prefer on-premise MFA in 2026? 
<\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6831\" class=\"elementor-element elementor-element-b2bdc68 e-con-full e-flex e-con e-child\" data-id=\"b2bdc68\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f30747e elementor-widget elementor-widget-text-editor\" data-id=\"f30747e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Three reasons. First, data residency: GDPR, DORA, and PCI DSS impose requirements on where authentication data is processed; on-premise MFA keeps it entirely under organizational control. Second, air-gapped networks: classified and critical infrastructure environments cannot route requests to external APIs \u2014 on-premise is the only architecture that functions. 
Third, audit simplicity: no third-party authentication processor means no vendor security assessment in scope for compliance audits.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6832\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"3\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6832\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Can Protectimus On-Premise MFA work in air-gapped networks? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6832\" class=\"elementor-element elementor-element-0787040 e-con-full e-flex e-con e-child\" data-id=\"0787040\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9eb7aff elementor-widget elementor-widget-text-editor\" data-id=\"9eb7aff\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes. All OTP validation runs against token seeds stored locally. No outbound call is made during authentication. 
The platform operates without internet connectivity after initial deployment. Pre-provisioned hardware tokens support fully isolated air-gapped deployments.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6833\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"4\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6833\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> What are the hardware requirements for on-premise MFA deployment? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6833\" class=\"elementor-element elementor-element-b3373c0 e-con-full e-flex e-con e-child\" data-id=\"b3373c0\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6ef49d2 elementor-widget elementor-widget-text-editor\" data-id=\"6ef49d2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Recommended minimum per node: 2-core CPU, 8 GB RAM, 20 GB storage, Linux or Windows. 
Production HA deployments typically use a 3-node cluster with a load balancer. The same deployment requirements apply to physical, virtual, and private cloud environments, including AWS and Azure.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6834\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"5\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6834\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Does on-premise MFA support clustering and high availability? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6834\" class=\"elementor-element elementor-element-3e2c10e e-con-full e-flex e-con e-child\" data-id=\"3e2c10e\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e1ee304 elementor-widget elementor-widget-text-editor\" data-id=\"e1ee304\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes. Recommended minimum is a 3-node cluster with HAProxy load balancing and primary-replica database replication. 
Automatic failover routes requests to healthy nodes if one becomes unavailable. Node count beyond three increases both throughput and fault tolerance.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6835\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"6\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6835\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> What services can on-premise MFA protect? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6835\" class=\"elementor-element elementor-element-67bff32 e-con-full e-flex e-con e-child\" data-id=\"67bff32\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ed5da62 elementor-widget elementor-widget-text-editor\" data-id=\"ed5da62\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Active Directory via DSPA, VPN gateways and other services via RADIUS, federated applications via ADFS plugin, Windows workstation logon and RDP via Windows Credential Provider, 
Outlook Web App, Roundcube, and custom web applications via REST API.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6836\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"7\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6836\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Is on-premise MFA compliant with GDPR, DORA, PCI DSS, HIPAA? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6836\" class=\"elementor-element elementor-element-a41023b e-con-full e-flex e-con e-child\" data-id=\"a41023b\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2a36881 elementor-widget elementor-widget-text-editor\" data-id=\"2a36881\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">On-premise is the strongest compliance posture for frameworks with data residency requirements. PCI DSS v4.0 Requirement 8.4.2 can be met by OATH TOTP via RADIUS and other integration components. 
GDPR compliance is strengthened by eliminating external authentication processor dependencies. DORA third-party ICT risk requirements do not apply to internally hosted infrastructure. HIPAA Technical Safeguards are satisfied with authentication logs retained locally.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6837\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"8\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6837\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> How long does it take to deploy Protectimus On-Premise MFA Platform? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6837\" class=\"elementor-element elementor-element-bd21f5f e-con-full e-flex e-con e-child\" data-id=\"bd21f5f\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-63d6fa9 elementor-widget elementor-widget-text-editor\" data-id=\"63d6fa9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Standard single-domain environment 
\u2014 one AD forest, one VPN gateway, standard workstations \u2014 achievable in one to two days, including pilot testing. Full rollout depends on integration count and enrollment approach. Self-Service Portal and CSV bulk provisioning reduce administrator load significantly during rollout. Contact Protectimus to scope your specific environment.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7534fb4 elementor-widget elementor-widget-html\" data-id=\"7534fb4\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"HowTo\",\r\n  \"name\": \"How to Set Up MFA for Cisco AnyConnect with Protectimus\",\r\n  \"description\": \"Step-by-step setup of multi-factor authentication for Cisco AnyConnect VPN using Protectimus via RADIUS: platform setup, RADIUS Server installation and configuration, ASA\/Firepower AAA configuration, AnyConnect connection profile, and user enrollment. First authentication with MFA enforced is achievable within 2\u20134 hours for a standard single-domain deployment.\",\r\n  \"totalTime\": \"PT4H\",\r\n  \"estimatedCost\": {\r\n    \"@type\": \"MonetaryAmount\",\r\n    \"currency\": \"USD\",\r\n    \"value\": \"0\"\r\n  },\r\n  \"supply\": [\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Cisco ASA or Firepower Threat Defense appliance with AnyConnect VPN configured\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Active Directory, LDAP, or local user directory for primary credential validation\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Linux or Windows server for the Protectimus RADIUS Server (or for the full On-Premise Platform)\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Network connectivity: UDP 1812\/1813 between ASA and RADIUS Server\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Administrative access to Cisco ASDM or Firepower Management Center (FMC)\"\r\n    }\r\n  ],\r\n  \"tool\": [\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      
\"name\": \"Protectimus Cloud Service or Protectimus On-Premise Platform\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Protectimus RADIUS Server\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Cisco ASDM or Firepower Management Center (FMC)\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Protectimus SMART OTP app, hardware token (Slim NFC, TWO, FLEX, SHARK), or Protectimus BOT\"\r\n    }\r\n  ],\r\n  \"step\": [\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 1,\r\n      \"name\": \"Set up the Protectimus platform or cloud service\",\r\n      \"text\": \"Register at protectimus.com for the cloud service, or install the Protectimus On-Premise Platform on your infrastructure. In the platform, create a Resource representing the AnyConnect VPN integration and note your API URL, Login, and API Key \u2014 they are required for the RADIUS Server configuration.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-1\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/1.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 2,\r\n      \"name\": \"Install and configure the Protectimus RADIUS Server\",\r\n      \"text\": \"Install the Protectimus RADIUS Server on a Linux host (recommended) or Windows server accessible from the ASA. Edit the radius.yml configuration file with your Protectimus API credentials, RADIUS shared secret, ASA client IP, LDAP\/AD connection parameters, and listening port (UDP 1812). Start the RADIUS service and confirm it is listening. 
Verify firewall rules allow UDP 1812 and 1813 from the ASA to the RADIUS Server.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-2\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/2.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 3,\r\n      \"name\": \"Configure the Cisco ASA AAA Server Group\",\r\n      \"text\": \"In Cisco ASDM, navigate to Configuration \u2192 Remote Access VPN \u2192 AAA\/Local Users \u2192 AAA Server Groups. Add a new AAA Server Group named 'protectimus' with Protocol set to RADIUS. Set Accounting Mode to Single, Reactivation Mode to Depletion, Dead Time 10, Max Failed Attempts 3. Add the Protectimus RADIUS Server with its IP, authentication port 1816, accounting port 1815, timeout 10s, and the matching shared secret. For Cisco Firepower via FMC, the equivalent path is Objects \u2192 Object Management \u2192 RADIUS Server Group \u2192 Add Group with identical parameters.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-3\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/3.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 4,\r\n      \"name\": \"Configure the AnyConnect VPN connection\",\r\n      \"text\": \"In Cisco ASDM, open Wizards \u2192 VPN Wizards \u2192 AnyConnect VPN Wizard. Configure the connection profile name, VPN access interface, enable SSL and IPsec, and select or generate a device certificate. Add AnyConnect client image (.pkg) files. In the Authentication Methods step, select the 'protectimus' AAA Server Group. In the SAML Configuration step, set Authentication Method to AAA, select the protectimus AAA Server Group, leave SAML Server as None. 
Configure the client IP address pool and DNS settings, enable 'Exempt VPN traffic from network address translation' and 'Allow Web Launch', then review and finish.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-4\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/4.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 5,\r\n      \"name\": \"Enroll users and assign OTP tokens\",\r\n      \"text\": \"Add users to the Protectimus platform manually, via CSV import, or via LDAP sync with Active Directory. Assign tokens (Protectimus SMART OTP app, hardware tokens, or chatbot OTP) to users manually, or activate the Self-Service Portal so users can enroll and manage their own tokens. Run authentication tests with a pilot group before broader rollout.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-5\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/5.svg\"\r\n    }\r\n  ]\r\n}\r\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fe2c5b0 padded e-flex e-con-boxed e-con e-parent\" data-id=\"fe2c5b0\" data-element_type=\"container\" id=\"conclusion\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-e4ec716 e-con-full e-flex e-con e-child\" data-id=\"e4ec716\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-35746bf e-con-full e-flex e-con e-child\" data-id=\"35746bf\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-489bd70 e-con-full e-flex e-con e-child\" data-id=\"489bd70\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-10cf0aa elementor-widget elementor-widget-heading\" data-id=\"10cf0aa\" data-element_type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion <\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c0eeb4 elementor-widget elementor-widget-text-editor\" data-id=\"6c0eeb4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">On-premise MFA is not the right choice for every organization. Without regulatory data residency constraints or network isolation requirements, cloud MFA is faster and operationally simpler.<\/span><\/p><p><span style=\"font-weight: 400;\">For organizations where those constraints are real \u2014 where authentication data leaving the network creates compliance exposure, where air-gapped architecture makes external API calls impossible \u2014 on-premise is the only architecture that works. 
Protectimus On-Premise MFA Platform covers the full deployment in this scenario: DSPA for Active Directory, RADIUS for VPN, ADFS for federated apps, Windows Credential Provider for workstations.<\/span><\/p><p><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><b>See the Protectimus On-Premise MFA Platform \u2014 pricing, deployment specs, free trial \u2192<\/b><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>On-Premise MFA: Complete Guide to Self-Hosted Multi-Factor Authentication (2026) Cloud-based authentication is the path of least resistance for most organizations. Faster to deploy, no infrastructure to maintain, someone else&#8217;s problem when it breaks at 2 AM. 
For a significant portion of enterprises, that trade-off is perfectly acceptable.For the rest \u2014 those operating under GDPR, DORA, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-16945","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/comments?post=16945"}],"version-history":[{"count":61,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16945\/revisions"}],"predecessor-version":[{"id":17092,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16945\/revisions\/17092"}],"wp:attachment":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/media?parent=16945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}