In enterprise networks, user identity verification is no longer carried out simply through usernames and passwords. This is because without additional authentication layers, i.e., multi-factor authentication, enterprise networks and resources become easy prey to credential-based attacks. This is why, in the current technological landscape, multi-factor authentication has become a mandatory part of every organization's authentication system.
A time-based one-time-passcode (TOTP) is a prevalent authentication method used for MFA. Zoho OneAuth, a multi-factor authenticator solution, offers a mobile-based TOTP authenticator for social and enterprise accounts. When implemented, the Zoho OneAuth OTP authenticator generates verification codes every 30 seconds, and users will have to enter the verification code within that time to complete authentication. In combination with credentials and other authentication methods such as biometrics, the TOTP authenticator proves to be a viable barrier against unauthenticated access.
Achieve holistic enterprise MFA with Zoho OneAuth
ManageEngine ADSelfService Plus supports the Zoho OneAuth OTP authenticator as a method to implement MFA during enterprise application logins along with:
- Local and remote Windows, macOS, and Linux logins.
- Microsoft Outlook Web Access and Exchange logins.
- Self-service password reset and account unlock.
Furthermore, implementing enterprise MFA with ADSelfService Plus provides the following benefits:
- Granular configuration: Implement MFA using particular authenticators for users belonging to specific groups, OUs, and domains.
- Adaptive MFA: The solution offers provisions to heighten, relax, or skip MFA during authentication based on IP address, time of access, geolocation, and device used.
- Detailed audit reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
- Ensure 100% enrollment: Automate user enrollment by importing users' domain information through CSV files or force enrollment using login scripts.
Prerequisites:
- SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply a SSL certificate and enable HTTPS.
- Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
- Endpoint MFA: Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase the feature. (Applicable to MFA for machine and OWA logins)
- Install the ADSelfService Plus login agent: Click here to install the ADSelfService Plus login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. (Applicable to MFA for machine logins)
- Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
From the Choose the Policy drop-down, select a policy.
Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups and choose the OUs or groups to which you want to apply the policy. You need to select at least one self-service feature. Finally, click Save Policy.
- Click Zoho OneAuth TOTP.
Click the Enable Zoho OneAuth TOTP button.
Enable Zoho OneAuth TOTP-based MFA for enterprise application logins
Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Applications.
Select a policy from the Choose the Policy drop-down.
- In the MFA for Cloud Applications section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
- Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
- Click Save Settings.
Step 2: Install the ADSelfService Plus MFA Connector
The Internet Information Services MFA extension must be installed in Exchanger Server to enable MFA for OWA and Exchange admin center logins. It triggers the request for the completion of other authentication factors after the primary password authentication is successful.
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Navigate to MFA for OWA and click on the help icon.
- Download the ADSelfService Plus MFA Connector from the pop-up that appears.
- Copy the extension file (AdsspOWAIISModule.zip) to the Windows server that you have configured as the Exchange server. Extract the ZIP file’s content and save it in any location.
- Open PowerShell (x64) as an administrator and navigate to the folder where the content of the extension files is located.
- Execute the following command: PS C:\> .\setupIISMFAModule.ps1 Install