UserLock Documentation
UserLock Documentation

What’s new in UserLock 10

Multi-Factor Authentication

UserLock allows you to implement MFA in your environment. It is a new restriction that requires a user to authenticate with an additional (second) factor.

UserLock supports MFA through authenticator applications using time-based-one-time-passwords (TOTP). TOTP are widely accepted and aren't easily bypassed like SMS text based authentication. Examples include Google Authenticator and LastPass Authenticator.

With UserLock 10, administrators can enable MFA for Windows logon and RDP connections to both workstations and/or server connections.

How MFA works

When the user registers a TOTP-supporting device, a unique shared key is created. Both the device and the server can generate a time-based one-time password by processing that key along with the current time. By convention, each TOTP is good for 30 seconds. A user will log in using their regular password, then enter the current one-time password from their device.

Note: The time must be correct and automatically synchronized on the UserLock server. The timezone doesn't affect it.


Within UserLock you set a new MFA restriction by user, group or OU.

Once the restriction is enabled, the user will be asked to configure this application. Enrollment is intuitive and simple for users to do on their own. They follow a series of simple steps to configure MFA with their smartphone.

  • Users will install an authenticator application
  • Scan the QR Code that appears at login
  • Enter the authentication code

Thereafter, users’ will log in using their normal Active Directory credentials and then when prompted, with a code shown on the app.

A help request can also be added that will immediately notify the administrator by email/popup.

Administrators can also manage the time users have to enroll in MFA with an option to skip configuration. A skip will need ask the user to specify the reason for bypassing MFA configuration.

Customizations for MFA in your environment

With UserLock, administrators can define under what circumstances, MFA is asked for.

  • Local logins and/or RDP sessions
  • Workstation and/or Server connections
  • Frequency

End User messages are also customizable

Reporting & Reacting to MFA from the UserLock Dashboard

  • Ad-hoc reports are available to manage the use of MFA in your environment.
  • Manage real time alerts from user requests for help.
  • Reset an MFA key or temporarily disable MFA for a user.