[Tips & Tricks] How to enable two-factor authentication for Windows logons using ADSelfService Plus?

With cyber-attacks on the rise, only having passwords as a defense mechanism is no longer safe. An additional filter is required to weed out unauthorized users. ADSelfService Plus handles the above issue by supporting two-factor authentication (TFA) to all Windows local and remote login attempts. Once this feature is enabled, users will be required to input their Active Directory domain credentials, and additionally get authenticated via the selected TFA method configured in ADSelfService Plus.

Prerequisites:

1. SSL and TFA must be enabled in ADSelfService Plus.

2. GINA/CP Client Software must be installed on client machines. Make sure that the client software is installed through GINA/Mac Installation console.

Steps to be followed to enable two-factor authentication during Windows logons:

1. Log in to the ADSelfService Plus web console with admin credentials.

2. Navigate to Configuration > Administrative Tools > GINA/ Mac (Ctrl + Alt + Del) > Windows Logon TFA.

3. Select the Enable Windows Logon TFA option.

4. By default, the Bypass TFA if ADSelfService Plus is down checkbox is selected when you enable Windows Logon TFA. If this option is not selected, users would not be able to access their machines when ADSelfService Plus is not accessible.

5. Click Save.

Here's a GIF of how Windows Logon TFA works: