Configuring QR code-based authentication for Active Directory-based actions


QR code-based authentication is a multi-factor authentication (MFA) method in which users scan a QR code with an app to verify their identity. When authenticating to a service using MFA, users first provide their account credentials; once these are validated, a QR code is displayed. Users then scan this code using the authentication app on their mobile device. Because scanning the code takes mere seconds, this is a quick and simple method, and it is widely employed for a variety of identity verification applications.

QR code-based MFA is much needed for Active Directory user actions. By default, domain logins and self-service actions like password reset and account unlock only require users to enter their domain account credentials. Adding QR code-based authentication provides a boost of security that is essential during such sensitive actions. A perfect solution would be a product that features self-service actions like password reset, account unlock, and directory self-update that are secured by QR code-based authentication and other MFA methods.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, is one such product. Its MFA feature secures not just self-service actions but also:

  1. Windows, macOS, and Linux logins.
  2. Enterprise application logins through single sign-on (SSO).
  3. Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

ADSelfService Plus supports MFA with 15 methods of authentication, including QR code-based authentication, Google Authenticator, YubiKey Authenticator, and RSA SecurID.

QR code-based authentication for MFA can be enabled with minimal steps in ADSelfService Plus:

  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected.
  3. Click the QR Code-based Authentication section.
  4. Select Enable QR Code-based Authentication.

Note: Users need to download the ADSelfService Plus iOS or Android mobile app to use this authentication technique.

Enable QR code-based authentication for Active Directory password resets

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Reset/Unlock.
  2. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select QR Code Based Authentication along with the other authentication techniques to be used.
  3. Click Save Settings.

Enable QR code-based authentication for Active Directory domain logins

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints. In the MFA for Machine Login section, select QR Code Based Authentication from the drop-down.
  2. Click Save Settings.

Note: To enable MFA for Active Directory domain logins:

  • The ADSelfService Plus login agent must be installed on client machines.
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin > Product Settings > Connection. Select the ADSelfService Plus Port [https] option.






