UserLock Documentation
UserLock Documentation
You are here: Reference > Console > Server administration > Multi-factor authentication

Multi-factor authentication

UserLock allows you to implement Multi-Factor Authentication (MFA) in your environment which requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications using time-based-one-time-passwords (TOTP). TOTP are widely accepted and aren't easily bypassed like SMS text based authentication. Examples include Google Authenticator and LastPass Authenticator.

MFA restrictions

Once enabled, you have different options for ensuring a smooth implementation of MFA.

Connections on Workstation or Server operating systems:

In the ‘Workstation connections’ and ‘Server connections’ tabs, you can set:

  • The connection types: local and / or RDP sessions.
  • The frequency you want.
    • “Never”: MFA never asked.
    • “When logging on to a new machine (once per machine).
    • “At every logon”
    • “At the first logon of the day (once per machine / server)”: MFA will be asked for the first logon of the day for each machine.
    • “Every <number> day(s)”: The same as the previous one, replacing every day with <number> day(s).
    • “After <number> day(s) since last logon on this machine / server”: MFA will be asked if the user logs on a computer on which they haven’t logged on to since <number> of day(s).


The “Skip” feature allows the end user to click “Skip” in the MFA configuration dialog. This is designed to allow flexibility during the onboarding process. The recommended setting is 2-3 weeks.

Skip option

If enabled, the end user can choose it at the time of configuration:

Skip option

If this option is chosen, the end user must select in the dialog box below the reason why he wanted to "Skip" the MFA:

Skip the MFA