ManageEngine, the real-time IT management company, today announced that it is rolling
out two-factor authentication (TFA) support for Windows logons in ADSelfService
Plus, its integrated Active Directory self-service password
management and single sign-on solution. With this support, ADSelfService
Plus enables organizations to add an extra layer of protection for
critical resources that are accessed by users through Windows-based
machines. ADSelfService Plus seamlessly integrates with Windows client
(Vista and above) and server (2008 and above) operating systems to
provide users a simple and secure logon experience across both local and
remote desktop logons.
Most organizations enforce complex passwords as a common defense against
cyberattacks. However, complex passwords are hard to remember, so many
employees resort to insecure practices like writing passwords down or
storing them in plaintext. Even if an organization properly implements
complex passwords, it may still not be enough to stay ahead of the
evolution of password cracking programs. According to a recent Forrester
report, almost one third of security breaches are caused
by stolen passwords. Knowing the risks associated with passwords, IT
compliance laws such as PCI DSS have explicitly prohibited the use of passwords as the only
authentication mechanism.
Mitigating Poor Password Behavior with TFA
TFA ensures that users are authenticated twice - once through a password
and again through a fingerprint or an OTP sent to a smartphone - before
being granted access to valuable corporate resources.
"With better security mechanisms like TFA available, there's no reason
for organizations to verify users' identities using passwords alone. TFA
creates a two-layered mechanism that is almost impossible for an
attacker to bypass," said Parthiban Paramasivam, product manager at
ManageEngine. "Now that we've broken ground on TFA for Windows logons,
we're also working on adding contextual authentication that factors in a
user's geolocation, IP address, local time, and device, all to further
enhance IT security."
Highlights of ADSelfService Plus TFA for Windows Logons
ADSelfService Plus comes with a built-in logon agent for Windows, which
forces users to undergo TFA during both local and remote desktop logons.
Users have to first enter their Active Directory domain password and
then authenticate themselves using one of the supported second factors.
- Supports multiple authentication mechanisms: Supports email and
  SMS-based passcodes, Duo Security, RSA SecurID, and RADIUS as the
  second factor of authentication.
- Enables granularly-enforced TFA: Enforces TFA for all users
  across an organization or only for select individuals - such as those
  that have elevated privileges and are at higher risk of security
  attacks - through OU and group-based policies.
- Helps organizations comply with PCI DSS and the GDPR: Supports
  compliance with the latest version of PCI DSS (3.2), which makes TFA
  mandatory. The European Union Agency for Network and Information
  Security (ENISA) recommends implementing TFA as a technical measure to
  comply with the GDPR.
Pricing and Availability
Pricing for ADSelfService Plus with TFA for Windows starts at $1,195. A
fully functional, 30-day trial version is also available for download at www.manageengine.com/products/self-service-password/download.html.
ADSelfService Plus is free for up to 50 users. The Free edition supports
all the features of the Professional edition, including Windows TFA,
single sign-on, and password self-service, and can be downloaded at www.manageengine.com/products/self-service-password/download-free.html.