IS Decisions logo

IS Decisions Blog

Multi-factor authentication for remote work

Secure machine, network, and cloud access, when users work remotely.

Published August 20, 2021
Multi-factor authentication for remote work

Whenever users work remotely from outside the domain, UserLock can continue to protect access to machines, on connections back to the network and with direct connectivity to cloud-based resources.

Add multi-factor authentication (MFA), access management and single sign-on (SSO) for all Active Directory (AD) user identities, wherever they are used.

Offline MFA on any domain machine without internet access

Thanks to the UserLock agent, you automatically benefit from offline MFA. So you can secure AD identities for remote workers, even when they don't have an internet connection.

How to implement MFA

MFA on remote machine login, without the need to connect to VPN or to the network

If remote employee laptops are not secured properly, they can provide entry points for malicious threats. UserLock continues to secure computer logins on remote machines, even when there is no secure VPN connection to the corporate network.

1. Secure access for remote workers who aren't connected to a VPN

With remote working, users do not always connect to a VPN. But it's still important to secure those logons. That's why we created a web app, UserLock Anywhere for UserLock subscribers.

UserLock Anywhere allows the UserLock agent installed on a machine to stay in contact with the UserLock service through the internet. So, you can rest easy knowing your MFA and access management policies continue to be enforced on login for any user, regardless of what (managed) machine the user is remotely working on.

Video thumbnail

How to set up UserLock Anywhere

2. Secure access for remote workers who aren't connected to the network

Even if UserLock Anywhere isn't enabled, the UserLock agent can still manage an off-domain access attempt on a machine where it's installed.

Administrators can configure UserLock to always allow, always deny, or request MFA for all offline, or off-domain connections. An option to "Force MFA" will deny access for users who are not yet enrolled in MFA.

SRA logons without connection

How to manage logons without a network connection

Secure corporate network access from outside the domain

Having a large number of users working outside the corporate network has increased security risks. Cybercriminals, especially ransomware creators, are keenly attuned to remote access vulnerabilities. UserLock is compatible with different types of remote connections.

1. Apply MFA to VPN connections

A VPN works by establishing encrypted connections between devices that remain private even if they stretch across public internet infrastructure.

UserLock’s MFA for VPN sessions supports the Remote Authentication Dial-In User Service (RADIUS) Challenge. The RADIUS Challenge can prompt for the one time password in a separate second step, after the user has successfully entered their login credentials.

  • VPN solutions that support “RADIUS Challenge” include Open VPN, Palo Alto, Fortinet, Pulse Secure Connect SSL...

SRA open VPN

Easy MFA for VPN

2. Apply MFA to Windows RDP connections and Remote Desktop Services (RD Gateway)

The Microsoft Remote Desktop Protocol (also known as RDP) is used to allow remote desktop to a computer. Remote Desktop Gateway (RDG or RD Gateway) is a Windows server role that enhances control by providing a secure encrypted connection to the server via RDP.

With UserLock MFA, administrators can define under what circumstances MFA is asked for these different RDP connections.

SRA MFA offdomain
  • Administrators can first customize MFA on RDP logins based on whether an end-user is connecting to another machine from inside the network or from logons that originate from outside the corporate network.

  • Administrators can then choose to consider RDG connections as coming from inside or outside the network and define the circumstances for MFA.

MFA for RDP & RD Gateway

Remote MFA enrollment

UserLock allows for several possible ways to enroll MFA on users who are working remotely outside of the corporate network.

3. Apply MFA to Remote Desktop Web Access (RD Web Access)

RD Web Access is a way to connect to a remote desktop server and access Remote Desktop Services over the Internet without a VPN connection.

The RD Web connection component installs the necessary web pages and scripts to the Internet Information Services (IIS) server directory, giving users the Web page interface for their remote desktop. Users need just their AD credentials, a URL and a supported web browser to access desktops and applications.

With UserLock MFA for IIS, administrators can target any one or several web applications that need a second factor of authentication.

  • UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.

  • The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA before access to the IIS application is granted.

How to apply MFA for RD Web

4. Apply MFA on Outlook Web Access for Microsoft Exchange Server

Outlook Web Access (OWA) allows users to access their own corporate mailbox over the internet- from outside the corporate domain without having to log into a VPN.

With UserLock MFA for IIS, a second factor of authentication can be added to OWA connections as Exchange applications are supported by an IIS server.

  • UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.

  • The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA on all access to users email.

How to apply MFA for OWA

Note: UserLock can also protect Exchange Online (available as a standalone service or part of Office365) with MFA. See cloud-based resources.

5. MFA on Microsoft DirectAccess and AlwaysOn VPN

DirectAccess allows connectivity for remote users to organization network resources without the need for VPN connections. With DirectAccess connections, remote client computers are always connected to your organization there is no need for remote users to start and stop connections, as is required with VPN connections.

AlwaysOn VPN the replacement for DirectAccess automatically establishes a VPN connection any time an authorized client has an active Internet connection.

Both of these methods help secure the machine’s remote connection. Unlike a traditional VPN there is no prompt for user credentials.

Therefore with UserLock, MFA can continue to be prompted when the remote user is asked to identify themselves.

Secure and direct access to cloud-based resources

Organizations want remote users to have stronger security on their direct connectivity to cloud resources. Direct access can reduce the load on the network and improve user experience, but often at the expense of security.

Rather than backhauling these applications through the core network UserLock enables MFA combined with single sign-on (SSO) for secure and direct connectivity to cloud based applications.

By retaining Active Directory (AD) as the Identity Provider, UserLock SSO allows each user to log in only once - with their existing AD credentials. Combined with granular MFA, this ensures a second factor of authentication can be added to verify the identity of users, before they access the cloud.


1. Access via a browser for users already authenticated to the Windows network

Access is immediately granted. UserLock SSO asserts the user’s identity to the cloud application and is authenticated without the user having to log in to the application. There is no difference whether inside the corporate network or working remotely.

(MFA can be requested again if required in the admin settings).

2. Access via a browser for users who are not authenticated to the Windows network

The user enters their corporate email address in the cloud application to login. UserLock SSO will then prompt the user for Windows domain login credentials (and a second authentication factor if enabled). The user is logged in successfully and redirected back to the application. There is no difference between a smartphone browser, a computer browser or a mobile app.

(MFA can be requested again if required in the admin settings).

3. Any attempt to then access a second, different cloud application

Access is immediately granted. Multi-factor authentication can however be requested at each logon if required in the administrative settings.

Boost security with access management

Once authenticated, contextual login restrictions and remote session management help further secure AD identity and secure remote access to all resources.

1. Restrict remote access to authorized machines

UserLock can restrict VPN access to just authorized company machines. Any other access attempt from any other machine is then denied.

Workstation restrictions

2. Restrict remote access to certain countries

The geolocation restriction allows an administrator to restrict remote logons based on country (geolocation). The restriction will disallow/allow logons from a list of selectable countries.

Geolocation restrictions

3. Enforce logoff times and working hours

The rapid adoption of home working has meant many organizations can no longer apply time policies for network logons to reduce security risks or reduce unauthorized overtime.

UserLock Anywhere can continue to apply these restrictions even if the machine is outside the corporate network. The UserLock agent remains in contact with the service and can force the user to logoff if they have exceeded the working hours allowed.

Hours restrictions

"With remote access quickly becoming the rule rather than the exception, UserLock helps administrators alleviate the increased risk to security by protecting against inappropriate or suspicious access."

Francois Amigorena - CEO of IS Decisions

Secure remote access

Straightforward MFA for remote access.

Download a free trial