---
locale: "en"
updated_at: "2026-03-02T09:19:31.991Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/reference/access-policies/mfa"
---

# Multi-factor authentication

Rules controlling MFA application and bypass.

## Typical use cases

- Enable MFA flexibly across any scenario — whether for all users, all administrators, privileged accounts, or specific user groups.
- Apply stricter MFA rules for external connections (such as VPN or RDP), and lighter ones for workstation logons.
- Allow users to log in seamlessly on their usual workstation but require MFA when connecting from a new IP.
- Combine MFA with other restrictions (time, machine, geolocation) for layered access control.

![](https://a.storyblok.com/f/122374/854x883/c2156ff4d8/mfa-all-every-logon.png)

## Key points to know

- MFA policies can be applied at the **user**, **group**, or **organizational unit (OU)** level.
- MFA status and configured methods for each user can be reviewed in the [User dashboard](/userlock/docs/reference/activity#user-dashboard) and the **Environment ▸Users** view.
- Available MFA methods (push, authenticator app, USB keys, recovery codes, etc.) are configured separately in the [Server settings ▸ MFA](/userlock/docs/reference/server-settings/mfa-settings).
- Messages shown to end users (configuration, errors, help requests) are configured separately in the [Server settings ▸ Messages](/userlock/docs/reference/server-settings/messages).
- A dedicated MFA report is available in the [Reporting](https://isd-website-next-git-staging-isdecisions.vercel.app/en/userlock/docs/reference/reporting) section.
- [MFA help requests](/userlock/docs/reference/activity#mfa-help-requests) (if enabled) appear in the **Activity ▸ MFA Help Request** page.

## Policy options

### Connection type

Define how often MFA is required:

|  |  |
| --- | --- |
| All | Enforce MFA on both local and remote sessions. |
| Remote | Enforce MFA only on remote sessions (RDP, VPN, IIS, SaaS). |
| From outside | Enforce MFA only on remote sessions originating from an external IP address. |
| Apply parent value | Inherit the rule from the parent group or OU policy. |

### MFA frequency

You can define how often MFA is required for a user:

|  |  |
| --- | --- |
| At every logon | Prompt on every logon, unlock, or reconnection. |
| At the first logon of the day (once per IP address) | Prompt once per day, unless the IP changes. |
| When logging on from a new IP address (once per address) | Prompt the first time a new IP address is used. |
| After a given time since last MFA connection (per IP address) | Prompt again after the defined delay. |
| After a given time since the last logon (per IP address) | Prompt again based on time since last logon. |
| Never | MFA is never enforced. |
| Not configured | No rule, unless inherited from a parent policy. |

### Granularity

You can apply the same rule to all session types or define **distinct rules per type**.

![](https://a.storyblok.com/f/122374/842x669/e93a8a5912/mfa-outside-distinct-first-logon-day.png)

### Skip MFA enrollment

Administrators may allow users to **skip MFA enrollment** until a specific date to ease onboarding. After this date, login is denied until MFA is configured.

*This option is supported for interactive and IIS sessions (as well as VPN if UserLock VPN Connect is used).*

![](https://a.storyblok.com/f/122374/840x366/d7d9805e33/mfa-skip-until.png)

## Configured policies

All defined MFA policies can be viewed under the **Access Policies > Multi-factor authentication** page. 

![](https://a.storyblok.com/f/122374/1679x628/ecf6a6f67d/mfa-table.png)

## See also
