Secure Active Directory User Logins with
Multi-Factor Authentication (MFA)

UserLock makes it easy to enable MFA for Windows logon, RDP, RD Gateway, VPN, IIS and Cloud Applications. Verify the identity of all Active Directory accounts and secure their access to the network and cloud services.


On-Premise Two-Factor Authentication for Windows Active Directory

UserLock supports MFA using authenticator applications which include Google Authenticator, Microsoft Authenticator and LastPass Authenticator, or programmable hardware tokens such as YubiKey and Token2.

Relying on cryptographic algorithms for Time-based and HMAC-based One-Time Passwords (TOTP and HOTP), all options offer strong and simple two-factor authentication to better protect access across an entire organization.

Enable MFA in all conditions

Offline-Available Multi-Factor Authentication

With secure on-premise hosting, MFA needs no internet connection.

MFA for Remote Users Not Connected to the LAN

MFA can be prompted on machines when disconnected from the corporate network.

Enable MFA on all connections

MFA across AD Domains and Windows Servers

Enable MFA on all computers, devices and mobiles with Active Directory membership or standalone terminal servers.

MFA and Windows Remote Desktop (RDP & RD Gateway)

Enable MFA on all RDP logons, or for every RDP logon from outside the corporate network – including RD Gateway connections.

MFA and Virtual Private Network (VPN) Connections

Enable MFA for VPN connections, managed by a VPN server solution that supports RADIUS Challenge or uses Microsoft RRAS.

MFA and IIS Sessions

Enable MFA on Microsoft IIS for Windows Server. Protect a single web application such as Outlook on the Web, RD Web Access, or a whole intranet site.

MFA for Microsoft 365 and Cloud Applications

Combine MFA and Single Sign-On (SSO) to secure access to Office 365, Exchange Online and other SaaS applications via the SAML 2.0 authentication protocol.

MFA and Virtual Desktops

Enable MFA on a virtual desktop infrastructure (VDI) such as Microsoft, Citrix, VMware…

Deploy Easily alongside On-Premise Active Directory

UserLock teams up seamlessly with on-premise Active Directory to make it easy to scale multi-factor authentication across an organization.

  • Easy configuration

    Customize and activate MFA by User, Group or Organizational Unit to make it easy even for larger user bases.

  • Easy adoption

    Manage the time users have to enroll in MFA by allowing them to skip configuration and report any problems.

  • Easy application

    UserLock automatically detects new endpoints, wherever users are connecting from, and ensures MFA restrictions are immediately applied.

Intuitive Self Enrollment for the User

Once activated by the administrator, enrollment is intuitive and simple for users to do on their own.

Self-Enrollment with an Authenticator Application

  1. They install the authenticator app on their phone.
  2. They scan the QR code displayed at login.
  3. They enter a code which confirms activation.

Self-Enrollment with Hardware Security Keys (YubiKey, Token2)

  1. They insert the key into a USB port of their computer.
  2. They log in to their computer, confirm they want to use YubiKey (for example), and select the available YubiKey slot.
  3. They click ‘Link YubiKey’ to confirm configuration and press the YubiKey button. This will automatically enter the code to confirm activation.

Thereafter, users log in using their credentials and then, when prompted, either enter a code shown on the app/token or press the YubiKey button, which automatically enters the code. A request for help from the user immediately notifies the administrator, so they can react quickly.

Alternative MFA methods

Choose to enable, or even force, a second MFA method. For example, an authenticator application can be set up alongside a hardware token.

MFA recovery codes

After a user has enrolled, UserLock can display a chosen number of backup codes. These serve as one-time passwords to validate MFA and regain access.

Enroll for MFA remotely

Users can be enrolled for MFA even when working remotely, outside of the corporate network.

Customize MFA for your Organization

Administrators may want to avoid prompting the user for MFA each time they log in. With UserLock you can define under what circumstances MFA is asked for:

  • By connection type (local logins and RDP sessions)
  • By RDP & RD Gateway connections that originate from outside the corporate network
  • By workstation and/or server connections
  • By frequency and circumstances of authentication requests
  • Choose to include MFA when a user is unlocking a logged-in workstation or RDP session
  • Choose to enforce MFA for logins without a network (LAN) connection

Track and React to MFA

  • Reporting and insights across your organization
  • Real-time alerts on user requests for help
  • One-click response to reset an MFA key or temporarily disable MFA for a user

Example Use Case: Enforce the use of only corporate owned machines for remote working

Pair MFA with Contextual Restrictions

Once authenticated, UserLock’s logon restrictions help further verify all users’ claimed identity and secure network access.

Set policies to authorize, limit or deny access attempts by machine, device, location, time, session type, initial access point and number of simultaneous sessions.
