Multi-Factor Authentication (MFA)
Understand how UserLock implements Multi-Factor Authentication (MFA) to secure every logon and provide full administrative control over authentication methods and policies.
UserLock’s Multi-Factor Authentication (MFA) adds an extra layer of security to all logon processes, ensuring secure access even if credentials are compromised.
MFA can be enabled for any user, group, or organizational unit (OU) and applied granularly depending on:
the session type (local workstation, RDP, RemoteApp, VPN, web via IIS, or SaaS via SSO),
the connection type (local, remote, from outside),
and the frequency with which MFA is requested.
Note
💡 More than MFA:
Unlike standalone MFA tools, UserLock combines MFA with contextual access controls, including time, machine, location, and session restrictions, for fine-grained, conditional protection.
UserLock supports multiple MFA methods that can be enabled or disabled globally, allowing you to control which methods are authorized in your environment.
| Method | Description |
|---|---|
| ✅ Push notifications | Push notifications and TOTP codes via the UserLock Push mobile app, which also supports biometric validation. |
| ✅ Authenticator App (TOTP) | Standard authentication apps such as Google Authenticator, Microsoft Authenticator, or Authy. |
| ✅ Programmable USB tokens | Hardware tokens that store a TOTP secret and generate time-based rotating codes. |
| ✅ HOTP USB tokens | Hardware tokens that generate event-based one-time passwords (e.g., YubiKey 5 Series, Token2 HOTP). |
| ✅ Recovery codes | One-time backup codes for emergency use when the registered MFA method is unavailable. |
Note
UserLock is compatible with many token brands (YubiKey, Token2, and others) as long as they support the standard HOTP or TOTP algorithms.
FIDO2 integration is on the roadmap and will extend UserLock’s hardware-based authentication options in future releases.
SMS or Email codes are not supported because they rely on external communication channels that can be intercepted, spoofed, or delayed (e.g., SIM-swapping, phishing). These methods do not meet UserLock’s security standards.
Each type of session or connection requires specific UserLock components for MFA to function correctly.
This section helps you identify what needs to be installed or configured depending on the use case.
| Use case | Description |
|---|---|
| Workstation / RDP / RemoteApp | MFA requires the Desktop Agent, which communicates with the UserLock server and displays MFA dialogs during local or remote logons. |
| Web applications (IIS) | MFA on IIS-hosted apps such as RD Web, OWA, or SharePoint requires the IIS Agent and the IIS MFA application. These components also provide the web enrollment page. |
| VPN connections | MFA for VPN access requires the NPS Agent. Optionally, VPN Connect can be used to combine VPN login and MFA enrollment in a single interface. |
| Remote / off-network users | For users outside the corporate network, the Desktop Agent must be combined with UserLock Anywhere to allow MFA challenges and enrollment over the Internet. |
| Single Sign-On on SaaS applications | MFA is applied during SAML authentication when using UserLock SSO, ensuring consistent MFA rules for cloud applications. |
Note
ℹ️ Tip:
The components listed above describe what’s required for MFA to function, not the technical prerequisites for installation.
To view supported operating systems, agent prerequisites, or enrollment availability by use case, refer to the Requirements page.
Administrators can fine-tune MFA behavior and user options from Server Settings ▸ MFA.
These settings define how MFA methods are offered, how users interact with them, and how support is handled.
Select allowed MFA methods: Choose which methods users may enroll with; this standardizes the user experience and simplifies support.
Allow recovery codes: Enable fallback codes for users who lose access to their MFA device.
Enable “Ask for Help”: Let users contact IT directly from the MFA dialog if they’re blocked.
Edit MFA messages: Customize the texts displayed to users to match your organization’s language and tone.
Note
👉 See the MFA settings reference page for detailed configuration parameters.
MFA is applied through Access Policies, which define when, how often, and for whom MFA is required.
Administrators can:
Apply MFA by user, group, or organizational unit (OU).
Set different rules for each session type (workstation, server, VPN, IIS, SaaS, etc.).
Adjust connection type (local, remote, external).
Control MFA frequency (every logon, daily, based on IP changes, etc.).
Enable Skip configuration, allowing users to postpone enrollment for a limited period (useful for onboarding or phased rollouts).
See the Access Policies – MFA page for the detailed list of available parameters and their impact.
Once MFA is enabled, users can enroll easily at their next logon, whether they are on-site or remote. MFA enrollment is simple and guided by clear on-screen instructions and QR codes.
Administrators can make onboarding easier by:
Allowing users to skip enrollment temporarily, giving flexibility during rollout.
Enabling Ask for Help so users can reach IT directly if they encounter issues.
Note
💡 To assist your users, detailed guides are available for every authentication method:
Once MFA is deployed, UserLock makes it simple for administrators and helpdesk teams to manage daily operations directly from the UserLock console without disrupting users.
Common administrative tasks include:
Reset MFA keys: when users lose or replace their authentication device.
Temporarily disable MFA: for troubleshooting or exceptional access situations.
Review enrollment status: monitor which users have enrolled and which methods they use.
Handle help requests: respond to notifications triggered by the “Ask for Help” button and assist users directly.
Audit and reporting: view MFA activity in logs and reports for compliance or forensic purposes.
You now have a full understanding of how MFA works in UserLock, from configuration to user experience and ongoing management.
To help you take the next step, the How to implement MFA guide walks you through:
Planning your deployment and communicating with users
Choosing authentication methods that fit your environment
Setting up enrollment and onboarding strategies
Rolling out MFA in phases
Supporting users and monitoring adoption