
Windows domain 2 Factor Authentication (2FA)

Windows domain 2 factor authentication (2FA) with Active Directory is easy with UserLock. Customize across all session types: RDP, VPN, IIS, and SaaS.

Updated September 6, 2023

Windows domains and Active Directory (AD) make it easy for administrators to control a large number of business PCs and devices from a central location. Today, a huge percentage of enterprises continue to rely on a Windows domain and AD to manage assets, users, systems, policies, profiles, and rights. Given that, it’s increasingly important to protect user account access with Windows domain 2-factor authentication.

Why? Even after all these years, the consistency, centralized management, and scalability of a Windows domain mean it continues to sit at the center of a company’s IT infrastructure, but that doesn’t mean it can’t be enhanced. Take the security of Active Directory user credentials. Over 80% of hacking-related breaches involve the use of lost or stolen user credentials. Using only a strong user name and password doesn’t cut it anymore. Your Active Directory password can be cracked in 5 minutes or less!

2FA with Active Directory

UserLock is a security solution aimed at protecting a Windows domain and AD with two-factor authentication (2FA) and contextual access restrictions.

Enabling 2FA for endpoints across a Windows AD domain is extremely difficult to put together without third-party software. The complexity only increases as more businesses extend their architecture outside of traditional perimeters, meaning many more users depend on Remote Desktop (RDP) connections and Virtual Private Network (VPN) access.

With UserLock, 2FA for endpoints is very easy across all session types, including Windows logins, RDP connections, and VPN sessions.

  1. To start, it’s easy to deploy the UserLock software right alongside Active Directory and distribute a light agent to all the devices you want to protect. An automated deployment engine makes this easy even for larger user bases, with no modifications to AD accounts, structure, or schema.

  2. Next, simply look up and add Active Directory users via a wizard. You don’t have to add accounts individually; you can look up and add the Active Directory groups or organizational units that you want to protect with 2FA.

  3. Once you’ve enrolled a user in 2FA, the user will receive a prompt on their next login to install an authentication application or to use a hardware-based token, such as YubiKey or Token2. At subsequent logins requiring 2FA, users will first enter their password, then receive either a push notification or a prompt with a dialog box for a validation code.

  4. To determine exactly how, when, and where to prompt the user for a second factor, administrators define granular circumstances that apply to a single individual or scale easily across groups of users.

Admins can set how much time users have to complete self-enrollment. While the process is extremely simple, a flexible on-ramp gives users the opportunity to “ask for help” from an administrator at any time during the process.

So, in just a few short steps, you can add 2FA to bolster login security across your Windows domain.

Superior Windows domain 2-factor authentication (2FA) with restrictions and visibility

In addition to 2FA, UserLock also offers a range of other options for better protecting login access. You can configure device restrictions, time restrictions, and geolocation restrictions, or even limit the number of simultaneous connections.

These types of contextual access restrictions offer customized policies beyond what Active Directory is natively capable of, to further protect login credentials and to avoid prompting the user for 2FA every time they log in.

An extremely powerful part of the UserLock solution is also the visibility, auditing, and reporting that you get. You can see in great detail how users behave across their various login sessions. If you find suspicious activity on any specific account, an administrator can block the user or close specific connections that the user currently has open, directly from the UserLock console.

Choose UserLock for 2FA on a Windows domain

The reality for organizations without two-factor authentication is sobering. When employees fall for phishing scams or share passwords, you are wide open to attack.

By enabling 2FA for Windows logins together with contextual restrictions, UserLock helps ensure that only appropriate use of critical systems is allowed. In doing so, UserLock protects sensitive data and helps avoid a breach or non-compliance.
