UserLock Documentation
UserLock Documentation
You are here: Reference > Console > Server administration > Multi-factor authentication

Multi-factor authentication

UserLock allows you to implement Multi-Factor Authentication (MFA) in your environment which requires a user to authenticate with an additional (second) factor. UserLock supports MFA through Time-based and HMAC-based One-time Passwords (TOTP and HOTP). Examples include Yubico Authenticator (TOTP smartphone application), Google Authenticator (TOTP smartphone application), LastPass Authenticator (TOTP smartphone application), Token2 (TOTP security token) and YubiKey (HOTP security token).

MFA restrictions

Once enabled, you have different options for ensuring a smooth implementation of MFA.

Connections on Workstation or Server operating systems:

In the ‘Workstation connections’ and ‘Server connections’ tabs, you can set:

  • The connection types:
    • All
    • Remote” means any remote session (RDP, VPN, IIS or SaaS) that originates from inside or outside the network.
    • From outside” means any remote session (RDP, VPN, IIS or SaaS) that originates from outside the network.
      By default “From outside” connections are ones where the source machine is not within the following IP ranges:
      • -
      • -
      • -
      • fc00::/7
      • fe80::/10

    To change values for "inside" and / or "outside": at the UserLock Server while using the console, press F7 to view the Advanced settings. Locate “IPConsideredInside” and “IPConsideredOutside” values.

  • The frequency you want.
    • “Never”: MFA never asked.
    • “When logging on to a new machine (once per IP address)”
    • “At every logon”
    • “At the first logon of the day (once per IP address)”: MFA will be asked for the first logon of the day for each IP address.
    • “Every <number> day(s)”: The same as the previous one, replacing every day with <number> day(s).
    • “After <number> day(s) since last logon on this IP address”: MFA will be asked if the user logs on an IP address on which they haven’t logged on to since <number> of day(s).


The “Skip” feature allows the end user to skip the configuration when prompted to enroll in MFA. This is designed to allow flexibility during the onboarding process. The recommended setting is 2-3 weeks. The user will continued to be prompted to enroll at each connection where MFA is required (every logon, first logon of the day, etc) The user can choose to skip the configuration up until the date configured by the administrator.

Skip option

If enabled, the end user can choose it at the time of configuration:

Skip option

If this option is chosen, the end user must select in the dialog box below the reason why he wanted to "Skip" the MFA:

Skip the MFA