What’s new in UserLock 10
What's new in UserLock 10.1
- Multi-Factor Authentication (MFA)
- Unlock and Reconnect Management
- Geolocation restriction
- Deny interactive logons if UserLock is inaccessible
Using YubiKey with UserLock
UserLock MFA now supports YubiKey. This provides an alternative to TOTP authenticator applications or hardware tokens (Token2), since YubiKey uses an HMAC-based One-time Password (HOTP) algorithm.
Here is how it works:
More info about YubiKey: https://www.yubico.com/
Apply MFA only for Remote Desktop (RDP) logons originating from outside of the network
With the new version of UserLock, you can choose to enable MFA only for RDP logons that originate from outside the local network. The option to apply MFA to every RDP logon remains.
It is now possible to apply UserLock restrictions - including MFA - when unlocking or reconnecting to a session.
A specific Advanced Setting (press F7 in the UserLock desktop console) has been added to disable this new management: ApplyRestrictionsOnUnlock. However, we strongly recommend keeping it enabled, as it strengthens the security of your environment.
A new contextual restriction is now available in UserLock. The geolocation restriction allows an administrator to restrict remote logons based on location: logons are allowed or denied according to a list of selectable countries.
UserLock now adds a choice to deny a logon if neither the Primary nor the Backup server is available. This prevents users from bypassing the protection UserLock offers by unplugging a network cable.
If UserLock is inaccessible, you can choose to deny interactive connections (logon, unlock and reconnect events) on computers where the Desktop UserLock Agent is installed.
This setting applies to interactive sessions only.
Once UserLock is reachable again, the corresponding session events are sent to the UserLock service. Users will see a notification of this event upon their next successful logon, if the welcome message is enabled.
UserLock administrators will see these events in reports, such as logons denied by UserLock for the reason "UserLock inaccessible".
A specific Advanced Setting (press F7 in the UserLock desktop console) has been added to enable or disable this new management: DenyInteractiveConnectionsIfUserLockInaccessible.
UserLock allows you to implement MFA in your environment. It is a new restriction that requires a user to authenticate with an additional (second) factor.
UserLock supports MFA through authenticator applications using time-based one-time passwords (TOTP). TOTP is widely adopted and, unlike SMS-based authentication, is not easily bypassed. Examples include Google Authenticator and LastPass Authenticator.
With UserLock 10, administrators can enable MFA for Windows logons and RDP connections to workstations and/or servers.
How MFA works
When the user registers a TOTP-supporting device, a unique shared key is created. Both the device and the server can generate a time-based one-time password by processing that key along with the current time. By convention, each TOTP is valid for 30 seconds. A user logs in using their regular password, then enters the current one-time password from their device.
Note: the clock on the UserLock server must be correct and kept synchronized automatically. The timezone has no effect, because TOTP is computed from Unix time, which is timezone-independent.
Within UserLock you set a new MFA restriction by user, group or OU.
Once the restriction is enabled, the user is asked to configure an authenticator application. Enrollment is intuitive and simple for users to do on their own. They follow a series of simple steps to configure MFA with their smartphone:
- Install an authenticator application
- Scan the QR Code that appears at login
- Enter the authentication code
Thereafter, users log in with their normal Active Directory credentials and then, when prompted, with the code shown in the app.
Users can also send a help request, which immediately notifies the administrator by email or popup.
Administrators can also manage the time users have to enroll in MFA, with an option to skip configuration. When skipping, the user must specify the reason for bypassing MFA configuration.
Customizations for MFA in your environment
With UserLock, administrators can define the circumstances under which MFA is required:
- Local logins and/or RDP sessions
- Workstation and/or Server connections
End-user messages are also customizable.
Reporting & Reacting to MFA from the UserLock Dashboard
- Ad-hoc reports are available to manage the use of MFA in your environment.
- Manage real time alerts from user requests for help.
- Reset an MFA key or temporarily disable MFA for a user.