Implementing Multi-Factor Authentication
Check pre-requisites and install agents
UserLock protects connections to your network where the UserLock agent is installed. To protect logins with MFA, you will need to install agents based on the connection types to protect:
- Desktop agents for local, RDP, RD Gateway, and VDI sessions
- NPS agents for VPN connections
- IIS agents for connections to IIS web applications
Plan your deployment and enrollment
As with any organizational change, it’s best to prepare your users by putting in place a plan for MFA deployment and activation.
- If you are looking to protect several connection types, we recommend that you start with deploying desktop agents and enrolling users for local and RDP sessions before extending to VPN, IIS, and SaaS.
- Start your deployment with a small set of users who are familiar with MFA and who can eventually assist others. In general, this will be your IT admins.
- Activate the “Ask for Help” and “Skip” options to allow for easy onboarding.
- Make sure your users are equipped with devices for MFA before activating policies. Users will need a smartphone if using UserLock Push, a third-party authentication app, or a USB or programmable token. They will need the device at the time of enrollment.
UserLock MFA allows you to authenticate with the following methods:
- UserLock Push mobile app: For one-tap push notifications and verified push TOTP codes. (UserLock Push notifications are a subscription-only feature.)
- Third-party authenticator apps: such as Google Authenticator for TOTP codes
- USB tokens: such as those from YubiKey or Token2
- Programmable tokens from Token2
For a full list of all compatible tokens, click here.
Configure MFA Settings
Go to MFA settings in the UserLock console.
Ask for Help: Activate this feature to allow users to request help and notify admins when they cannot authenticate with MFA. Enter machine names to receive a popup notification, or add one or several recipients for email notifications. For more information, read how this feature works, and how to treat the requests.
MFA Methods: By default, authenticator app and USB tokens are enabled. Push notifications require an internet connection for your UserLock server, and therefore are disabled by default.
Enable the methods that you would like to make available for users. All activated methods will be proposed to users during enrollment. For specific onboarding guides per method, see here.
Alternative MFA methods: Here you can allow or force your users to enroll in two types of MFA methods. Keep in mind that when users enroll in MFA push notifications, they also can access a TOTP code with the UserLock Push app. This TOTP code allows them to connect in case there is a network issue and they cannot receive push notifications.
Alternative MFA methods must be configured at the time of enrollment.
Recovery codes: Recovery codes are one-time use codes that can be used to authenticate if the user does not have access to their smartphone application or token. The user will be presented with these codes at the time of enrollment, and will need to print and store them somewhere safe where they can access them if needed. To generate a new batch of codes, you will need to reset the MFA key for that user, and they will have to re-enroll.
You can choose to provide 4-20 codes per user.
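The recovery-code mechanism described above can be modelled in a few lines. The following is an added example, not UserLock's own code: it issues a batch of 4-20 random one-time codes (the limits the page states), keeps only hashes of the unused codes on the server side, lets each code be redeemed exactly once, and invalidates the whole batch when the codes are reset. The code format (two groups of five hex characters) and the in-memory store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Limits taken from the page: UserLock lets you issue 4-20 codes per user.
MIN_CODES, MAX_CODES = 4, 20
CODE_BYTES = 5  # 10 hex characters per code (constructed choice)


def generate_recovery_codes(count: int) -> list[str]:
    """Return `count` distinct random one-time codes, shown to the user once."""
    if not MIN_CODES <= count <= MAX_CODES:
        raise ValueError(f"count must be between {MIN_CODES} and {MAX_CODES}")
    codes: set[str] = set()
    while len(codes) < count:
        raw = secrets.token_hex(CODE_BYTES)          # CSPRNG, never random.random()
        codes.add(f"{raw[:5]}-{raw[5:]}")            # e.g. 3f9a1-b27c4 (constructed format)
    return sorted(codes)


def _digest(code: str) -> str:
    """Hash a code after normalising case and separators so typed input matches."""
    normalised = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodeStore:
    """Holds only hashes of the unused codes; each code can be redeemed once."""

    def __init__(self, codes: list[str]) -> None:
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, candidate: str) -> bool:
        """Consume `candidate` if it is an unused code; False on reuse or mismatch."""
        wanted = _digest(candidate)
        matched = None
        for stored in self._unused:
            # constant-time comparison of the hashes
            if hmac.compare_digest(stored, wanted):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)                # one-time use
        return True

    def reset(self, count: int) -> list[str]:
        """Issue a fresh batch and invalidate every previously issued code."""
        fresh = generate_recovery_codes(count)
        self._unused = {_digest(c) for c in fresh}
        return fresh


if __name__ == "__main__":
    batch = generate_recovery_codes(8)
    store = RecoveryCodeStore(batch)
    print("issued:", batch)
    print("first use accepted:", store.redeem(batch[0]))
    print("second use accepted:", store.redeem(batch[0]))
```

Storing hashes rather than the plaintext codes means a copy of the server-side store does not hand an attacker a working second factor; the user's printed sheet is the only place the plaintext exists.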
Click “Apply” in the Quick Access Panel to save your settings.
Create protected accounts to enable MFA for users, groups or OUs
To enroll users in MFA they must be part of a protected account with MFA enabled. You can create these policies at the OU, Group or user level. For more information on Protected Accounts, click here.
In the Protected Accounts view, double click on a protected account to modify its settings. Scroll down to Multi-Factor Authentication.
There are two tabs, for workstation and server connections. This allows you to define two separate policies for these types of connections. For each one, you have 4 options:
- All: local and remote connections
- Remote: Any connection coming from another machine: RDP, VPN, IIS, etc.
- Outside: Any remote connection where the IP address of the client is coming from outside of the corporate network.
- Not configured
Select the frequency for MFA prompts:
- Never: this account will never be prompted for these connection types.
- When logging in from a new IP address (once per address): when a user connects for the first time from a new IP address, they will be prompted for MFA. Once this IP address has been registered for UserLock, they will no longer be prompted to authenticate with MFA.
- At every logon: This includes unlocks and reconnecting to a remote session.
- At the first logon of the day (once per IP address): Users will be prompted for the first logon of the day (after midnight) and will only be prompted again during the day if they change IP addresses.
- Every N day(s): Users will have to authenticate for each IP address every N days.
- After N day(s) since the last logon from this IP address: This works the same as the second option, except that you can choose to request MFA again every N days.
Note: Users connecting to remote sessions with the same account from an IP address that has already been authenticated with MFA will not be prompted for these subsequent remote sessions.
In this tab, you can activate a button that will allow users to skip the MFA configuration until a specific date. Users will be prompted to enroll based on the frequency that you have configured for MFA. Once this date has passed, they will not be able to log in until they enroll in MFA.
Click on Apply in the Quick Access Panel to save your settings.
See specific use cases for enabling MFA for VPN, IIS applications, SaaS applications (SSO), and access onboarding guides for end users for each method.