---
locale: "en"
updated_at: "2025-10-27T13:30:15.284Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/end-users-mfa-enrollment/authenticator-application"
---

# Enroll users with an Authenticator Application

Enroll using an authenticator app like Authy or Google Authenticator.

## Introduction

This guide explains how to help end users activate and use Multi-Factor Authentication (MFA) on their smartphones with an authenticator app.

It describes the setup process and what users will experience during their first MFA login and subsequent authentications.

> **Note**
>
> 🚩 **Before following this guide:**
> We recommend reading [How to implement MFA](/userlock/docs/guides/mfa-implementation/how-to-implement-mfa) for general recommendations, communication tips, and preparation steps to ensure a smooth rollout.

## User prerequisites

Before starting enrollment:

1. Verify that the **smartphone’s date and time are correct**. It is best to set the phone to update automatically, otherwise, MFA codes may be rejected.
2. Make sure users know their **domain credentials**.
3. Advise users to have their **smartphone at hand** during their first connection.
4. Ensure users install a TOTP-based authenticator application on their smartphone.

> **Note**
>
> UserLock works with any TOTP-based authenticator.
> Below are some popular options:
> 
> - **[UserLock Push](/userlock/features/two-factor-push-notification)**
> - **Google Authenticator**
> - **Microsoft Authenticator**
> - **LastPass Authenticator**
> - **2FA Authenticator**
> - **Duo Mobile**
> - **Authy**

## Step 1. Enable MFA for the user

Before enrolling, make sure that **MFA is enabled** for the user account in UserLock.

> **Note**
>
> - See [Access policy management](/userlock/docs/reference/access-policies/access-policy-management) to learn how to apply an access policy in UserLock.
> - See [MFA policy reference](/userlock/docs/reference/access-policies/mfa) for details on MFA policy rules and options.

## Step 2. Enroll the authenticator app

When a user logs in for the first time after MFA activation, a **QR code dialog box** will appear.

![](https://a.storyblok.com/f/122374/846x599/fcecf07a50/1-multi-factor-authentication.png)

**The user must:**

1. Open the Authenticator app on their smartphone.
2. For example for Google Authenticator app, tap the multi-colored plus sign at the bottom right of the app. Select **Scan QR code **(or enter setting key).
3. Scan the QR code displayed on screen.
4. The app will generate a **6-digit MFA code**.
5. Enter this code into the UserLock dialog box and click **Verify and Continue**.

Once verified, the MFA setup is complete.

> **Note**
>
> - The dialog automatically adapts to the OS language (English, French, or Spanish).
> - The subtitle text is editable. View ⚙️ **Server settings > **[Messages](/userlock/docs/reference/parametres-serveur/messages)**.**
> - ⚠️ If the enrollment window does not appear, verify that the UserLock Desktop Agent is up to date and that MFA is required by the user’s access policy.

## Step 3. Authenticate

After the initial enrollment, MFA becomes a regular part of the user’s login process.
Each time a connection requires MFA, the user will be prompted to verify their identity with a time-based code from their authenticator app.

**Typical experience:**

1. User enters credentials.
2. The MFA prompt appears.
  ![Credential provider where the user can input a TOTP code](https://a.storyblok.com/f/122374/518x610/8d0d29f9e1/cred_prov_-totp_eng.png)
3. They open the authenticator app, read the code, and type it in UserLock’s dialog box.
4. Access is granted.

## Options

Administrators can adjust the MFA experience to fit their organization’s needs:

| Option | Description | Default |
| --- | --- | --- |
| Skip (N days left) | Allows users to temporarily bypass MFA enrollment. You can enable it per [policy configuration](/userlock/docs/reference/access-policies/mfa#skip-mfa-enrollment). | Disabled |
| Ask for help | Adds a button to request assistance during MFA setup. Enable it under  **Server settings > **[MFA.](/userlock/docs/reference/server-settings/mfa-settings#ask-for-help-button) | Disabled |
