The Protectimus DSPA component for Active Directory two-factor authentication regularly changes users’ passwords in AD. The administrator specifies the password change interval. In this system, passwords are composed of two parts: a static part (specified by the user) and a dynamic part (a one-time password generated using the TOTP algorithm). The resulting passwords look like this: P@ssw0rd!459812.
The Protectimus DSPA component for Active Directory security and Protectimus two-factor authentication platform are installed on the client’s premises. You can manage all the data and processes yourself to ensure the maximum level of infrastructure security. The Protectimus on-premise platform is designed for multidomain environments. It also offers cluster, replication, and backup features.
Unlike traditional MFA solutions, Protectimus DSPA frees administrators from the need to install additional software on client machines and update it periodically. After integrating the Protectimus DSPA component with Active Directory, multi-factor authentication passwords will automatically be required to log into all systems connected to Active Directory MFA (Winlogon, RDP, OWA, etc.).
What problems does Protectimus DSPA solve?
1. Existing MFA solutions protect only part of the Infrastructure
All standard MFA solutions add two-factor authentication only to endpoints. This leaves hackers a chance to attack your infrastructure bypassing two-factor authentication and calling your user directory straightforward. For example, it’s possible to call Active Directory via the Windows command line, and it’s enough to know user login and password to perform an action on their behalf. Using Protectimus DSPA to enable system protection, you can be certain that nobody will have access to AD, LDAP or user accounts in your database without a dynamic password, no matter where the request comes from or is directed.
2. Administrators need to install and support 2FA plugins on multiple platforms
Now, to configure two-factor authentication for all employees and all the services that the company uses, the administrator must implement several 2FA plugins for different platforms and install additional software on each client machine. Moreover, all this software needs to be constantly updated. After integrating the Protectimus DSPA component with Active Directory, 2-factor authentication dynamic passwords will be required on all services connected to AD (Winlogon, RDP, ADFS, OWA, etc.).
How does it work?
Protectimus integrates directly with Microsoft Active Directory (or any other user directory) to add a six-digit password onto users’ static passwords. The six digits are a one-time password generated using the TOTP algorithm, so they constantly change. Active Directory users’ and computers’ passwords now look like this: P@ssw0rd!459812, where P@ssw0rd! is the fixed part, and 459812 is a one-time password.
The administrator sets the one-time password change interval, which can be 30 seconds or longer. The interval must be a multiple of 30 seconds. The Active Directory change password frequency can be set individually for each user. It is also possible to choose which groups of users are required to use Protectimus Dynamic Strong Password Authentication (DSPA) and which are not. The Protectimus DSPA component regularly changes users’ passwords on the schedule set by the administrator. In this process, only the six final digits are changed.
Thus, Active Directory user authentication looks like this: users can gain access to their accounts by entering their fixed passwords and the one-time code all in one go. To generate OTPs, users can use the in-app one-time password generator Protectimus SMART; a chatbot on Telegram, Viber, or Facebook; or special hardware tokens for Protectimus DSPA.
