UserLock allows you to implement Multi-Factor Authentication (MFA) in your environment, which requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications using time-based one-time passwords (TOTP). TOTP is widely accepted and is not as easily bypassed as SMS text-based authentication. Examples include Google Authenticator and LastPass Authenticator.
Once enabled, you have different options for ensuring a smooth implementation of MFA.
Connections on Workstation or Server operating systems:
In the ‘Workstation connections’ and ‘Server connections’ tabs, you can set:
- The connection types: local and / or RDP sessions.
- The frequency you want:
  - “Never”: MFA is never asked.
  - “When logging on to a new machine (once per machine)”
  - “At every logon”
  - “At the first logon of the day (once per machine / server)”: MFA will be asked for the first logon of the day for each machine.
  - “Every <number> day(s)”: The same as the previous one, replacing every day with <number> day(s).
  - “After <number> day(s) since last logon on this machine / server”: MFA will be asked if the user logs on to a computer they have not logged on to for <number> day(s).
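
To compare how the frequency options above behave on the same logon history, the following added example (not UserLock code) models each option as a decision function and replays a constructed logon sequence for one user on one machine. The policy names, the `MachineHistory` state and the calendar-day counting are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical names for the six frequency options listed above.
NEVER, NEW_MACHINE, EVERY_LOGON, FIRST_OF_DAY, EVERY_N_DAYS, AFTER_N_IDLE = range(6)

@dataclass
class MachineHistory:
    """State for one user on one machine (constructed model, not UserLock's schema)."""
    last_logon: Optional[datetime] = None  # most recent logon on this machine
    last_mfa: Optional[datetime] = None    # most recent MFA prompt passed here

def mfa_required(policy, now, hist, n_days=1):
    if policy == NEVER:
        return False
    if policy == EVERY_LOGON:
        return True
    if hist.last_mfa is None:
        return True  # assumption: every other option prompts on a machine's first logon
    if policy == NEW_MACHINE:
        return False
    if policy == FIRST_OF_DAY:
        return now.date() > hist.last_mfa.date()
    if policy == EVERY_N_DAYS:  # assumption: counted in calendar days since last MFA
        return (now.date() - hist.last_mfa.date()).days >= n_days
    if policy == AFTER_N_IDLE:  # keyed on the last logon, not the last MFA
        return hist.last_logon is None or now - hist.last_logon >= timedelta(days=n_days)
    raise ValueError(f"unknown policy: {policy}")

def replay(policy, logons, n_days=1):
    """Return the prompt decision for each logon on one machine, in order."""
    hist, decisions = MachineHistory(), []
    for now in logons:
        ask = mfa_required(policy, now, hist, n_days)
        decisions.append(ask)
        if ask:
            hist.last_mfa = now  # assumption: the user passes the challenge
        hist.last_logon = now
    return decisions

# Constructed sample: two logons on day 1, daily logons through day 4, then day 12.
LOGONS = [datetime(2024, 1, d, h) for d, h in
          [(1, 9), (1, 14), (2, 9), (3, 9), (4, 9), (12, 9)]]

if __name__ == "__main__":
    for name, policy in [("first of day", FIRST_OF_DAY), ("every 3 days", EVERY_N_DAYS),
                         ("after 3 idle days", AFTER_N_IDLE)]:
        print(f"{name:18}", replay(policy, LOGONS, n_days=3))
```

On this sample, a user who logs on daily is re-prompted on day 4 under “Every 3 days” but not under “After 3 days since last logon”, which only prompts again after the gap before day 12.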
The “Skip” feature allows the end user to click “Skip” in the MFA configuration dialog. This is designed to allow flexibility during the onboarding process. The recommended setting is 2-3 weeks.
If enabled, the end user can choose it at the time of configuration:
If this option is chosen, the end user must select, in the dialog box below, the reason why they want to "Skip" MFA: