How to enable multi-factor authentication for privileged users

How can multi-factor authentication secure privileged user accounts?

While all user accounts must be authenticated before gaining access to enterprise resources, privileged user accounts are the highest priority because their compromise poses the greatest risk to confidential data. Multi-factor authentication (MFA) is an effective way to protect access to privileged user accounts because it adds further authentication methods on top of standard password-based authentication, so a compromised password alone is not enough to take over a system. ManageEngine ADSelfService Plus offers MFA for machine, VPN, Outlook Web Access, and enterprise application logins, making it a well-rounded solution to secure privileged user authentication.

How to set up MFA for privileged user accounts using ADSelfService Plus

Step 1: Create a policy for privileged users

Create a self-service policy and select domains, groups, or OUs that the privileged user accounts are a part of.


Step 2: Configure authenticators for MFA

Configure stringent methods such as biometrics, Microsoft Authenticator, and YubiKey Authenticator, and select the policy created in Step 1. Configure settings such as the number of factors and authentication methods for each MFA type.


Step 3: User enrollment

Enable forced user enrollment, send enrollment notifications, or enroll privileged user accounts in the product by importing data from CSV files or databases.
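
An added example (not ManageEngine code and not an ADSelfService Plus API): an offline audit that checks whether every account reachable from a privileged group, including through nested groups, has enrolled at least the number of authenticators chosen in Step 2. The group map, the CSV column names, and the function names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data (not a product export format): group -> direct members.
# A member that is itself a key in this map is a nested group.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Operators"],
    "Tier0-Operators": ["bob", "Break-Glass"],
    "Break-Glass": ["carol", "Tier0-Operators"],  # deliberate nesting cycle
    "Helpdesk": ["dave"],
}

# Constructed enrollment report; the column names are assumptions.
ENROLLMENT_CSV = """username,enrolled_authenticators
alice,YubiKey Authenticator;Microsoft Authenticator
bob,Microsoft Authenticator
dave,Email Verification
"""

def effective_users(group, members=GROUP_MEMBERS):
    """Return every user account reachable from a group, following nesting."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # guards against cyclic group nesting
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:
                stack.append(member)
            else:
                users.add(member)
    return users

def enrollment_gaps(privileged_groups, report_csv, min_factors):
    """Map each privileged user below min_factors to their enrolled count."""
    enrolled = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        methods = [m for m in row["enrolled_authenticators"].split(";") if m.strip()]
        enrolled[row["username"].strip().lower()] = len(methods)
    privileged = set()
    for group in privileged_groups:
        privileged |= effective_users(group)
    return {u: enrolled.get(u.lower(), 0) for u in sorted(privileged)
            if enrolled.get(u.lower(), 0) < min_factors}

if __name__ == "__main__":
    for user, count in enrollment_gaps(["Domain Admins"], ENROLLMENT_CSV, 2).items():
        print(f"{user}: {count} authenticator(s) enrolled, policy requires 2")
```

Accounts that reach a privileged group only through nesting (bob and carol in the sample) are the ones most easily missed when a policy is scoped by group name alone.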


Authentication methods supported for MFA for privileged users

  1. Security Question & Answer
  2. Email Verification
  3. SMS Verification
  4. Google Authenticator
  5. Microsoft Authenticator
  6. Azure AD MFA
  7. Duo Security
  8. RSA SecurID
  9. RADIUS Authentication
  10. Push Notification Authentication
  11. Biometric Authentication
  12. FIDO Passkeys
  13. QR Code Authentication
  14. TOTP Authentication
  15. SAML Authentication
  16. AD Security Questions
  17. YubiKey Authentication
  18. Zoho OneAuth TOTP
  19. Smart Card Authentication
  20. Custom TOTP Authenticator

Benefits of deploying MFA for privileged user accounts using ADSelfService Plus

  • Granular configuration based on user privilege: Enable stringent authentication methods such as biometrics and YubiKey Authenticator for AD domains, OUs, and groups comprising users with higher privileges.
  • True MFA: Enable a maximum of three authentication factors apart from username and password authentication.
  • Mandated product adoption: Ensure users, especially privileged user accounts, are secured by MFA by mandating them to enroll in the product, or bulk enroll all user accounts using external databases or CSV files.
  • Automated conditional access: Automatically apply different self-service policies that enable or disable different levels and methods of authenticators based on factors such as time of access, IP address, geolocation, and device type.
