Enabling MFA for password reset and account unlock
MFA for password reset and account unlock in ADSelfService Plus adds an additional layer of identity verification during self-service actions.
Enabling MFA for self-service operations helps prevent common security incidents, such as:
- Compromised credentials during phishing attacks: If an attacker obtains a user’s password through phishing, MFA prevents them from resetting the password or unlocking the account without access to the additional verification factors.
- Abuse of self-service portals from unattended or shared devices: In environments such as kiosks or shared workstations, MFA ensures that only the rightful user can perform account recovery actions.
- Brute-force or automated reset attempts: MFA significantly reduces the success rate of scripted or automated attacks aimed at exploiting password reset and unlock workflows.
Prerequisites
Before configuring MFA for password reset and account unlock, ensure the following requirements are met:
- Required authentication methods are enabled and configured.
- At least one self-service policy is created with password reset and/or account unlock enabled.
- The Professional edition of ADSelfService Plus is required to use advanced authenticators for MFA.
Configuration instructions
- Log in to ADSelfService Plus with administrator privileges.
- Navigate to Configuration > Self-Service > Multi-Factor Authentication > MFA for Reset/Unlock.
- From the Choose the Policy drop-down, select the policy to which the MFA settings should apply.
- Under MFA for Password Reset, specify the number of authentication methods to be enforced and select the required authenticators.
- Under MFA for Account Unlock, specify the number of authentication methods to be enforced and select the required authenticators.
- (Optional) Click the asterisk (*) next to an authentication method to mark it as mandatory. You can also reorder the authenticators to define the verification sequence.
- Click Save Settings.
- (Optional) Click Advanced and navigate to the Reset/Unlock MFA tab to configure additional options such as idle time limits, trusted devices, and other related settings.
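The policy model these steps configure (an ordered list of enabled authenticators, an enforced count, and authenticators marked mandatory with the asterisk), as an added Python example that is not ADSelfService Plus code; the authenticator names push, totp and security_questions are constructed placeholders. It also shows why a mandatory authenticator cannot be satisfied by completing extra optional ones, which is the reason behind the mandatory-authenticator tip below.

```python
# Added illustration, not product code: models a "MFA for Reset/Unlock" policy
# and decides whether the factors a user completed satisfy it.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ResetUnlockMfaPolicy:
    authenticators: tuple            # enabled factors, in the configured verification order
    required_count: int              # "number of authentication methods to be enforced"
    mandatory: frozenset = frozenset()   # factors marked with the asterisk

    def __post_init__(self) -> None:
        # Reject a configuration that could never be satisfied or that marks
        # an authenticator mandatory without enabling it for this policy.
        if not 1 <= self.required_count <= len(self.authenticators):
            raise ValueError("required_count must be between 1 and the number of enabled authenticators")
        if not self.mandatory <= set(self.authenticators):
            raise ValueError("mandatory authenticators must be among the enabled ones")
        if len(self.mandatory) > self.required_count:
            raise ValueError("more mandatory authenticators than the enforced count")


def evaluate(policy: ResetUnlockMfaPolicy, completed: list) -> Tuple[bool, str]:
    """Return (allowed, reason) for the factors verified so far in this session."""
    done = set(completed)                      # repeats of one factor count once
    unknown = done - set(policy.authenticators)
    if unknown:
        return False, f"not enabled for this policy: {sorted(unknown)}"
    missing = policy.mandatory - done
    if missing:
        # Extra optional factors never substitute for a mandatory one.
        return False, f"mandatory authenticator not completed: {sorted(missing)}"
    if len(done) < policy.required_count:
        return False, f"{len(done)} of {policy.required_count} authenticators completed"
    return True, "MFA satisfied"


def next_authenticator(policy: ResetUnlockMfaPolicy, completed: list) -> Optional[str]:
    """Next factor to prompt for, following the configured order; None once satisfied."""
    if evaluate(policy, completed)[0]:
        return None
    pending = [a for a in policy.authenticators if a not in completed]
    return pending[0] if pending else None


# Constructed sample policy: two factors enforced, TOTP mandatory.
POLICY = ResetUnlockMfaPolicy(("push", "totp", "security_questions"), 2, frozenset({"totp"}))

if __name__ == "__main__":
    for attempt in (["push", "security_questions"], ["totp", "totp"], ["totp", "push"]):
        print(attempt, evaluate(POLICY, attempt), next_authenticator(POLICY, attempt))
```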
Tips
- Enforce at least two authentication methods for high-risk user groups, such as privileged accounts.
- Use mandatory authenticators for critical identity checks to prevent users from bypassing stronger verification methods.
- Periodically review and update MFA policies to align with evolving security requirements.