Secure Active Directory User Logins with Multi-Factor Authentication (MFA)

UserLock makes it easy to enable MFA for Windows login, RDP, RD Gateway, RemoteApp, VPN, IIS and Cloud Applications. Verify the identity of all Active Directory accounts and secure their access to the network and cloud services.


On-Premise Two-Factor Authentication for Windows Active Directory

UserLock supports MFA using push notifications, authenticator applications (including Google Authenticator, Microsoft Authenticator and LastPass Authenticator), or programmable hardware tokens such as YubiKey and Token2.

Relying on cryptographic algorithms for Time-based and HMAC-based One-Time Passwords (TOTP and HOTP), all options offer strong and simple two-factor authentication to better protect access across an entire organization.

Enable MFA in all conditions

Offline-Available Multi-Factor Authentication

With secure on-premise hosting, MFA needs no internet connection.

MFA for Remote Users Not Connected to the LAN

MFA can still be prompted on machines that are disconnected from the corporate network. This ‘offline domain access’ remains protected with UserLock Anywhere.

Enable MFA on all connections

MFA across AD Domains and Windows Servers

Enable MFA on all computers and devices with Active Directory membership or standalone terminal servers.

MFA and Windows Remote Desktop (RDP & RD Gateway)

Enable MFA on all RDP logons, or for every RDP logon from outside the corporate network – including RD Gateway connections.

MFA and Virtual Private Network (VPN) Connections

Enable MFA for VPN connections, managed by a VPN server solution that supports RADIUS Challenge or uses Microsoft RRAS.

MFA and IIS Sessions (OWA, RDWeb, SharePoint...)

Enable MFA on Microsoft IIS for Windows Server. Protect a specific IIS application such as Outlook Web Access, RDWeb, SharePoint, CRM or an Intranet website.


MFA for Microsoft 365 and Cloud Applications

Combine MFA and Single Sign-On (SSO) to secure access to Office 365, Exchange Online and other SaaS applications via the SAML 2.0 authentication protocol.

MFA and Virtual Desktops

Enable MFA on a virtual desktop infrastructure (VDI) such as Microsoft, Citrix, VMware…

Secure Remote Access

How UserLock helps ensure Multi-Factor Authentication for Remote Working.

Deploy Easily alongside On-Premise Active Directory

UserLock teams up seamlessly with on-premise Active Directory to make it easy to scale multi-factor authentication across an organization.

  • Easy configuration

    Customize and activate MFA by User, Group or Organizational Unit to make it easy even for larger user bases.

  • Easy adoption

    Manage the time users have to enroll in MFA, by allowing them to skip configuration and report any problems.

  • Easy application

    UserLock automatically detects new endpoints, wherever users are connecting from, and ensures MFA restrictions are immediately applied.

Intuitive Self Enrollment for the User

Once activated by the administrator, enrollment is intuitive and simple for users to do on their own.

Self-Enrollment with UserLock Push App

  1. They install the UserLock Push app on their phone.
  2. They scan the QR Code.

Self-Enrollment with an Authenticator Application

  1. They install the authenticator app on their phone.
  2. They scan the QR code displayed at login.
  3. They enter a code which confirms activation.

Self-Enrollment with Hardware Security Keys (YubiKey, Token2)

  1. They insert the key into a USB port of their computer.
  2. They log in to their computer, confirm they want to use YubiKey (for example), and select the available YubiKey slot.
  3. They click ‘Link YubiKey’ to confirm configuration and press the YubiKey button. This will automatically enter the code to confirm activation.

Alternative MFA methods

Choose to enable, or even force, a second MFA method. For example, an authenticator application or push can be set up alongside a hardware token.

MFA recovery codes

After a user has enrolled, UserLock can display a chosen number of backup codes. These serve as one-time passwords to validate MFA and regain access.

Enroll for MFA remotely

Users can be enrolled for MFA even when working remotely, outside of the corporate network.

Customize MFA for your Organization

Administrators may want to avoid prompting the user for MFA each time they log in. With UserLock you can define under what circumstances MFA is asked for:

  • By session type
  • By RDP & RD Gateway connections that originate from outside the corporate network
  • By workstation and/or server connections
  • By frequency and circumstances of authentication requests
  • Choose to include MFA for when a user is unlocking a logged-in workstation or RDP session
  • Choose to enforce MFA for logins without a network (LAN) connection.

Track and React to MFA

  • Reporting and insights across your organization
  • Real-time alerts on user requests for help
  • One-click response to reset an MFA key or temporarily disable MFA for a user

Get the UserLock Web App

Monitor and respond to network sessions quickly, easily, and from anywhere with the UserLock Web App.


Example Use Case: Enforce the use of only corporate-owned machines for remote working

Pair MFA with Contextual Restrictions

Once authenticated, UserLock’s logon restrictions help further verify all users’ claimed identity and secure network access.

Set policies to authorize, limit or deny access attempts by machine, device, location, time, session type, initial access point and number of simultaneous sessions.
