---
locale: "en"
updated_at: "2026-01-20T11:14:30.420Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/support/faq/mfa"
---

# Multi-Factor Authentication (MFA)

Learn about MFA setup, enrollment, and authentication behavior.

## Which different MFA methods does UserLock support?

See the [multi-factor authentication reference](/userlock/docs/reference/modules/multi-factor-authentication#supported-authentication-methods) page for more information.

## Can I apply MFA for users who are outside the local network?

Yes, you can require MFA for users logging on to a domain machine, even when the machine is not connected to the local network.

This requires that the user has already enrolled with MFA and authenticated with MFA on that machine. Note that users cannot enroll with MFA on a machine that is not connected to the local network.

For more details on this feature and how to configure it, see [here ](/userlock/docs/reference/server-settings/general#logons-without-userlock-connection)in the section “Logons without UserLock connection”.

## Can I customize the on-boarding MFA messages?

Yes, you can customize the message for TOTP authentication. This can be done in the "Server properties" menu, on the "Messages" section.
You can give users special instructions when the QR code asks them to scan. For example, if you’ want your users to use a specific application, tell them by changing the text in the “QR code” section:

![](https://a.storyblok.com/f/122374/1806x606/3fe490559b/customize-message-qr-code.png)

## Which authenticator applications are compatible/recommended for the MFA ?

Any authenticator application that allows the user to scan a QR code (or manually enter an MFA key) is compatible for TOTP authentication.

We recommend using an application that locks even when the phone is unlocked to enhance security. LastPass and Microsoft Authenticator provide this feature.

This is a list of commonly used authenticator applications. (But not an exhaustive list of all compatible applications):

- UserLock Push
- Microsoft Authenticator
- LastPass Authenticator
- Google Authenticator
- 2FA Authenticator
- Duo
- Authy

## What if my users lose their token ? How can they connect?  

If a user loses their token, and has not configured a backup MFA method, then the administrator will need to temporarily disable the MFA until they have found or replaced the token. Another option is to reset the MFA key and allow the user to configure using an authentication application such as Microsoft Authenticator.

As a best practice, you should apply the option that enforces a user to configure an alternative authentication method. For more details on how to configure this setting, you can consult the following FAQ: “**Can users have a backup MFA method?**”

## How do I reset an MFA key for a user who has lost/replaced their phone?

There are several ways to reset an MFA key in the UserLock console.

1. If a user clicks the “Ask for help” button when trying to log in, you can reset the MFA key in the “MFA Help requests”.
2. In the "Audited users" view, select a user account, then "Reset MFA key".
3. In the "Connected users" view, select a user account, then "Reset MFA key".

## Why do my users get the message “This code is invalid” when entering their MFA code?

This error occurs when there is a **time or counter mismatch** between the MFA device and the UserLock server.
The cause depends on the MFA method used:

- **Authenticator app (TOTP):** time drift
- **USB token key (HOTP / YubiKey): **counter drift

### Authenticator app (TOTP) — time drift

This usually means there is a **time synchronization issue** with the smartphone, the workstation, or the UserLock server.

#### If it affects only one user

1. Make sure the phone is set to **automatic date/time** (Internet time).
2. If the workstation was offline, ensure Windows time is synchronized.
3. Then retry MFA.

#### If it affects many users

This is likely a time synchronization issue on the **UserLock server and/or Domain Controllers**.

1. Check time drift (run on the UserLock server, then on each DC if needed):
  ```
  w32tm /stripchart /computer:us.pool.ntp.org /dataonly /samples:5
  ```
  ![](https://a.storyblok.com/f/122374/604x123/0d3a6f4512/1-time-synchro.png)
2. If drift is confirmed, reset Windows time sync (example):
  ```
  w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
  Stop-Service w32time
  Start-Service w32time
  ```
  ![](https://a.storyblok.com/f/122374/845x211/d32a7358cf/3-time-synchro.png)
3. Then retry MFA.

### USB token (HOTP / YubiKey) — counter drift

With HOTP, each press of the token advances an internal counter. If the workstation is offline, UserLock cannot track these counter increments, and the token can become desynchronized.

If the token is used offline more times than the **MaxHotpCodeCount** advanced setting (default: 6), the token becomes out of sync and **MFA enrollment must be redone**.

#### How to reduce desynchronization

- Log in online from time to time (with a connection to the UserLock server) to allow automatic resynchronization.
- For remote users, deploying [UserLock Anywhere](/userlock/docs/reference/modules/userlock-anywhere) helps maintain communication between UserLock agents and the UserLock server and reduces offline HOTP usage.

#### Workaround: increase the allowed offset

You can increase **MaxHotpCodeCount** in the advanced settings. As a starting point, set it to **20**, then adjust based on real user behavior (nomadism, frequent lock/unlock, repeated MFA prompts).

####

## Which tokens are supported by UserLock MFA ?

The following tokens are supported by UserLock since UserLock 11.0:

- [YubiKey 5 series](https://www.yubico.com/fr/store/#yubikey-5-series)
- [Token2 T2F2 ALU](https://www.token2.com/shop/category/userlock-compatible-keys)
- [Token2 Programmable Tokens](https://www.token2.com/shop/category/programmable-tokens)
- [YubiKey FIPS Series](https://www.yubico.com/products/yubikey-fips/)

## What types of connections can UserLock protect with MFA ?

See the [multi-factor authentication reference](/userlock/docs/reference/modules/multi-factor-authentication#use-cases-and-required-components) page for more information.

## Can users have a backup MFA method?

Yes, by default users have the option of configuring two MFA methods. This feature is managed in "settings" tab of "Multi-factor authentication" menu.

Three options exist:

- **“Enabled”** *(default option):* enables and recommends that the user configure two methods of MFA.
- **“Disabled”:** Users can configure only one MFA method.
- **“Force”:** Forces users to configure 2 MFA methods.
  ![](https://a.storyblok.com/f/122374/1762x927/6058286513/alternative-mfa-method.png)

## Can users have access to Recovery codes if they do not have access to their smartphone or token?

Yes, users will need to keep these codes available and secure to be used in case they cannot use their usual MFA method. These codes will be displayed only once, at the MFA enrollment process.

## Is MFA compatible with MAC OS ?

Although all other UserLock restrictions are compatible with Mac OS, currently MFA is not compatible.

## Can I implement different MFA rules for VPN, RDP and SaaS sessions ?

For versions older than 12.1, it is not possible to create different MFA policies for the above session types. Differences in MFA settings can be distinguished between workstation and server connections, and whether or not they are generated from inside or outside the network.

From 12.1 onwards, every session type has a separate line and can be configured with it's own setting.

![](https://a.storyblok.com/f/122374/915x892/d76e058d6d/mfa-by-sessions-type.png)

## Are SSO logons considered as workstation or server connections ?

SSO logons are always (inside and outside) considered as server connections.

## Is it possible to apply MFA to local accounts ?

Although UserLock audits connections with local accounts, and they can be viewed in the 'User Sessions' dashboard, it is not possible to apply MFA to these connections.

## Can MFA be applied to non-interactive sessions ? (Run as, RSAT, PowerShell, etc)

UserLock cannot protect or audit interactive sessions involving “Run as”, RSAT, or PowerShell (except for UAC prompts).

Sessions that can be protected by MFA are detailed on the [multi-factor authentication reference](/userlock/docs/reference/modules/multi-factor-authentication#use-cases-and-required-components) page.

## Is it possible for multiple users sharing the same user account credentials to also share the same MFA key ?

You can have multiple people sharing the same account (keep in mind that this is not good practice), they can share this account in their authentication app.

When onboarding, UserLock will generate both a QR code and a manual key, of which one has to be used to add the account to the application. You can take a picture of the QR code or write down the manual key to enter them in an authentication app at a later stage. It will still add the same account to the application, generating the exact same code as in the application on the other phone.

NOTE : This is only valid for the TOTP method. It is not possible for Push.

##  What is considered as “remote” and “outside” connections in the MFA settings?

**“Remote”** means any remote session (RDP, VPN, IIS or SaaS) that originates from inside or outside the network.

**“Outside”** means any remote session (RDP, VPN, IIS or SaaS) that originates from outside the network.

By default **“outside”** connections are ones where the source machine is not within the following IP ranges:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- fc00::/7
- fe80::/10

For more details on how to apply MFA for outside connections via Remote Desktop Gateway, [see this procedure](/userlock/docs/guides/implement-mfa/how-to-apply-mfa-to-remote-desktop-gateway-sessions).

In the advanced settings (Server settings of the Userlock console) you can define what you would like UserLock to consider as “Inside” or “Outside” IP addresses:

![](https://a.storyblok.com/f/122374/1754x815/32fc361c7d/advanced-settings.png)

![](https://a.storyblok.com/f/122374/1700x726/e0cdc041df/ip-considered-inter-or-external.png)
