UserLock Documentation

Multi-factor authentication

UserLock allows you to implement Multi-Factor Authentication (MFA) in your environment, which requires a user to authenticate with an additional (second) factor. UserLock supports MFA through Time-based and HMAC-based One-time Passwords (TOTP and HOTP). Examples include Yubico Authenticator (TOTP smartphone application), Google Authenticator (TOTP smartphone application), LastPass Authenticator (TOTP smartphone application), Token2 (TOTP security token) and YubiKey (HOTP security token).

MFA restrictions

Once MFA is enabled, you have different options for ensuring a smooth implementation.

Connections on Workstation or Server operating systems:

In the ‘Workstation connections’ and ‘Server connections’ tabs, you can set:

  • The connection types: All, Remote, From outside.
  • The frequency you want.
    • “Never”: MFA is never asked.
    • “When logging on to a new machine (once per IP address)”
    • “At every logon”
    • “At the first logon of the day (once per IP address)”: MFA will be asked for the first logon of the day for each IP address.
    • “Every <number> day(s)”: The same as the previous one, replacing every day with <number> day(s).
    • “After <number> day(s) since last logon on this IP address”: MFA will be asked if the user logs on at an IP address on which they have not logged on for <number> day(s).
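
The frequency options above can be compared by replaying a logon history against each one. The following is an added model for planning purposes, not UserLock code: the frequency names are hypothetical labels, the logons are constructed, and it assumes that "day" means calendar day and that the first logon seen from an IP address is always challenged. Connection types are not modelled.

```python
from datetime import datetime, timedelta

# Constructed sample: (logon time, source IP) for one user, oldest first.
SAMPLE_LOGONS = [
    (datetime(2024, 3, 1, 8, 0), "10.0.0.5"),
    (datetime(2024, 3, 1, 13, 0), "10.0.0.5"),
    (datetime(2024, 3, 2, 8, 0), "10.0.0.5"),
    (datetime(2024, 3, 3, 8, 0), "10.0.0.5"),
    (datetime(2024, 3, 4, 8, 0), "10.0.0.5"),
    (datetime(2024, 3, 4, 9, 0), "10.0.0.9"),
    (datetime(2024, 3, 12, 8, 0), "10.0.0.9"),
]


def mfa_prompts(logons, frequency, days=1):
    """Return one bool per logon: True where the modelled setting asks for MFA.
    Frequency names are hypothetical labels; "day" is assumed to be a calendar
    day, and a first logon from an IP is challenged (except under "never")."""
    last_mfa = {}    # IP -> time of the last MFA challenge from that IP
    last_logon = {}  # IP -> time of the last logon from that IP
    asked = []
    for when, ip in logons:
        if frequency == "never":
            ask = False
        elif frequency == "every_logon":
            ask = True
        elif frequency == "new_machine":        # once per IP address
            ask = ip not in last_mfa
        elif frequency == "every_n_days":       # days=1: first logon of the day
            prev = last_mfa.get(ip)
            ask = prev is None or (when.date() - prev.date()).days >= days
        elif frequency == "after_n_days_idle":  # since last logon on this IP
            prev = last_logon.get(ip)
            ask = prev is None or when - prev > timedelta(days=days)
        else:
            raise ValueError(f"unknown frequency: {frequency}")
        if ask:
            last_mfa[ip] = when
        last_logon[ip] = when
        asked.append(ask)
    return asked


if __name__ == "__main__":
    for freq, n in [("new_machine", 1), ("every_n_days", 1),
                    ("every_n_days", 3), ("after_n_days_idle", 3)]:
        print(f"{freq:18} days={n}: {mfa_prompts(SAMPLE_LOGONS, freq, n)}")
```

Under these assumptions, a user who logs on daily from the same IP address is challenged again under "every 3 days" but not under "after 3 days since last logon", which is the difference to weigh when choosing between the two.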

Skip

The “Skip” feature allows the end user to click “Skip” in the MFA configuration dialog. This is designed to allow flexibility during the onboarding process. The recommended setting is 2-3 weeks.

Skip option

If enabled, the end user can choose it at the time of configuration:

Skip option

If this option is chosen, the end user must select, in the dialog box below, the reason why they wanted to "Skip" the MFA:

Skip the MFA