We generally recommend using RADIUS (through NPS, for example) and incorporating your directory in any authentication process, but sometimes that isn't possible. One example is adding two-factor authentication for non-console administrative access in Windows. (On Linux this can be done with pam-radius for sudo.) This is a significant gap: it leaves pass-the-hash attacks open in Windows environments, and two-factor authentication for non-console administrative access is now required by PCI DSS 3.2 and by many cyber-insurance policies. Many two-step authentication systems don't actually protect against pass-the-hash attacks, because they leave the account's Windows password, and therefore its NT hash, unchanged.
WiKID plugs this hole with our Native AD 2FA protocol. To use it, you create a special WiKID domain that pushes each passcode to AD as the user's password before sending it to the user's WiKID software token. The user logs in with the WiKID passcode, and when the passcode expires (the lifetime is configurable) the WiKID server overwrites it with a long random string. This means that if an attacker has compromised the machine an admin is logging into, they would have to pass the hash in real time, within the passcode's lifetime. If they tried that over RDP, the logged-in admin would see the attacker's session request. Once the passcode has expired, the hash is no longer valid.
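The two-step rotation described above, as an added illustration in PowerShell. This is not WiKID's code or a copy of its protocol; it is a hypothetical sketch using the ActiveDirectory module from RSAT. The passcode length, the lifetime, the domain controller name and the account name are assumptions, and delivery of the passcode to the user's token happens out of band and is not shown:

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical sketch of "the passcode becomes the AD password, then is rotated away".
# Not WiKID's code. Assumes the service account running this holds Reset Password
# rights on the target user objects.

function New-OneTimePasscode {
    # Numeric passcode from the CSPRNG; rejection sampling (keep bytes < 250)
    # avoids modulo bias when mapping a byte to a digit.
    param([int]$Digits = 8)   # digit count is an assumption
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    $code = ''
    while ($code.Length -lt $Digits) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { $code += ($buf[0] % 10) }
    }
    return $code
}

function New-RandomPassword {
    # Long random string that replaces the passcode once it expires, so an NT hash
    # captured during the window no longer matches the account's password.
    param([int]$Bytes = 48)   # 48 random bytes -> 64 Base64 characters
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

function Set-OtpAsPassword {
    # Step 1: push a freshly generated passcode into AD as the user's password.
    # Returns the passcode so the caller can deliver it to the user's token.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = 'dc01.example.local'    # assumed domain controller
    )
    $otp    = New-OneTimePasscode
    $secure = ConvertTo-SecureString -String $otp -AsPlainText -Force
    # -Reset is an administrative reset (no old password needed, no minimum-age check).
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $secure
    return $otp
}

function Revoke-OtpPassword {
    # Step 2: at passcode expiry, overwrite the password with a long random string
    # that nobody knows. From this point the hash of the old passcode is useless.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = 'dc01.example.local'    # assumed domain controller
    )
    $junk = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $junk
}

# Usage (all names assumed): issue a 60-second passcode, then expire it.
$user = 'svc-admin-jdoe'
$otp  = Set-OtpAsPassword -SamAccountName $user
Write-Host "Deliver $otp to the user's token out of band; it is valid for 60 seconds."
Start-Sleep -Seconds 60          # a real service would schedule the revoke, not block
Revoke-OtpPassword -SamAccountName $user
```

Two practical points. An all-digit passcode fails the default domain complexity policy (at least three character classes), so Set-ADAccountPassword throws unless the passcode satisfies the policy or the accounts sit under a fine-grained password policy that allows it. And rotating the password invalidates the hash for new authentications only: a session established, or a Kerberos ticket issued, while the passcode was live stays valid until it expires on its own.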
Note that the protocol can also be used as a password reset mechanism for regular Windows users. Isn't 2FA better than security questions or a helpdesk call?
There is no software to install on the Windows clients or on the domain controller, and it is much cheaper than implementing smart cards. It is a simple, inexpensive, elegant solution that greatly increases the security of Windows environments.
Download the free Evaluation of the WiKID Strong Authentication Server today!
Please note that this solution is very non-invasive to your AD configuration. It requires no changes to your AD server beyond prerequisites such as the CA role (AD only accepts password writes over an encrypted LDAP connection, so the domain controller needs a certificate). It will not affect any users at all until they request an OTP from the WiKID server, which triggers their password to be overwritten. To 'remove' a user from the scheme, just change their password manually.