Protect AD Credentials

Authentication can be performed against the user’s AD credentials or by using dedicated Lync or SharePoint credentials that the user creates on the access portal (different from their AD credentials).

The dedicated Lync or SharePoint login option offers a high level of security as AD credentials are not stored on the mobile device. This approach is also useful for organizations that use smart cards for network access.

Many organizations are concerned that employees' smartphones will end up in the wrong hands through loss or theft and therefore require that employees avoid using and storing Active Directory credentials on them. Because these devices are used in a non-managed environment, connecting through public Internet Wi-Fi networks, the risk that AD credentials will be compromised is a serious threat. Users who install applications or connect their device to different networks unintentionally expose the company's IP.

With MobilityShield, users can safely connect from external networks without compromising the organization's network. This is done by creating a dedicated user name and password that can be used only for Lync and SharePoint. If those credentials are stolen, further damage is prevented because they grant access to nothing else. Moreover, an attacker who tries to get past the TFA mechanism of MobilityShield will be blocked.

Highlights

  • High security level
  • Active Directory (AD) credentials are not stored on the mobile device
  • Safely connect from external networks
  • Dedicated user name and password
  • Avoid using Active Directory credentials on mobile devices

Creating dedicated Lync & SharePoint credentials

To create dedicated Lync and SharePoint credentials, users have to log into the self-service access portal. The self-service portal also supports a smart card log-in policy, just as on a network desktop computer.

Once users log in, they create specific Lync or SharePoint credentials that differ from their regular Active Directory credentials. Within a limited time window (15 minutes by default), users connect their device so that it is registered to the user; this registration is what adds the Two Factor Authentication.

Users then enter the Lync or SharePoint credentials on the device and are not required to provide their Active Directory credentials again. This approach resembles the ADFS approach, but is simpler, with fewer prerequisites.
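The following is an added illustration of the flow described above, written as a hypothetical model and not MobilityShield's own code: a dedicated credential is stored separately from AD, a device may be registered only inside the 15-minute window after the credential is created, and the gateway accepts a login only when the dedicated password is correct and the device is registered, so stolen credentials used from an unregistered device are refused. The names (`AccessPortal`, `demo`, the user and device IDs) and the 2024 timestamps are constructed for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REGISTRATION_WINDOW = timedelta(minutes=15)  # the page's default window

def _derive(password: str, salt: bytes) -> bytes:
    # Hash of the dedicated password; the AD password never reaches this store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

@dataclass
class DedicatedCredential:
    salt: bytes
    digest: bytes
    created_at: datetime
    devices: set = field(default_factory=set)  # registered device IDs (second factor)

class AccessPortal:  # hypothetical model of the portal plus the gateway's login check
    def __init__(self) -> None:
        self._creds: dict[str, DedicatedCredential] = {}

    def create_dedicated_credential(self, user: str, password: str, now: datetime) -> None:
        # Reached only after an AD or smart-card login to the portal.
        salt = secrets.token_bytes(16)
        self._creds[user] = DedicatedCredential(salt, _derive(password, salt), now)

    def _password_ok(self, user: str, password: str) -> bool:
        cred = self._creds.get(user)
        return cred is not None and hmac.compare_digest(_derive(password, cred.salt), cred.digest)

    def register_device(self, user: str, password: str, device_id: str, now: datetime) -> bool:
        # First connection from a device: accepted only inside the window after creation.
        cred = self._creds.get(user)
        if not self._password_ok(user, password) or now - cred.created_at > REGISTRATION_WINDOW:
            return False  # wrong password, or window expired: start over on the portal
        cred.devices.add(device_id)
        return True

    def authenticate(self, user: str, password: str, device_id: str) -> bool:
        # Gateway check: correct dedicated password AND a previously registered device.
        return self._password_ok(user, password) and device_id in self._creds[user].devices

def demo() -> tuple:
    # Constructed scenario: in-window device, late device, own phone, stolen credentials.
    t0, portal = datetime(2024, 1, 1, 9, 0), AccessPortal()
    portal.create_dedicated_credential("alice.mobile", "Lync-only-pw", t0)
    in_window = portal.register_device("alice.mobile", "Lync-only-pw", "phone-A", t0 + timedelta(minutes=5))
    too_late = portal.register_device("alice.mobile", "Lync-only-pw", "phone-B", t0 + timedelta(minutes=20))
    own_phone = portal.authenticate("alice.mobile", "Lync-only-pw", "phone-A")
    stolen_creds = portal.authenticate("alice.mobile", "Lync-only-pw", "attacker-phone")
    return in_window, too_late, own_phone, stolen_creds
```

`demo()` returns `(True, False, True, False)`: the in-window registration succeeds, the late one is refused, the registered phone logs in, and the same credentials from an unregistered device are rejected.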
