Multi-Factor Authentication (MFA)

What is multi factor authentication (MFA)?
MFA is an access control that verifies a user's identity at login with two or more independent factors (something the user knows, has, or is). This extra layer helps ensure only trusted users reach your data – at the login and beyond – and stops an attacker who holds a valid password before damage is done. UserLock is the only MFA solution that unifies all MFA under the on-premise Active Directory (AD) identity as the single source of truth for access to network and cloud resources.


What does UserLock’s multi-factor authentication do?

UserLock MFA secures every Active Directory user login without adding complexity. Extend Active Directory MFA across access to Windows logins, Remote Desktop, VPN, IIS, Microsoft 365, and other SaaS applications. UserLock supports MFA using push notifications, authenticator applications, and hardware tokens such as YubiKey and Token2.

Enforce Active Directory multi-factor authentication in any context

MFA for offline scenarios

With on-premise hosting, UserLock enforces MFA policies even when users log on from a device that isn't connected to the internet. Because TOTP and HOTP codes are computed from a seed shared at enrollment, they can be verified without any cloud dependency.

MFA for off-LAN, off-domain connections

UserLock prompts remote employees for MFA even when devices are off the corporate network, ensuring secure off-domain access. Install the UserLock Anywhere web application for off-LAN MFA.

MFA for air-gapped networks

Enable MFA and access controls on air-gapped networks with no internet connectivity at all.

Extend Active Directory MFA across all access points

MFA for Windows servers and AD domains

Apply MFA to all Active Directory devices and standalone terminal servers for secure access.
How to apply MFA for Windows logins

MFA for Microsoft Remote Desktop Gateway (RD Gateway) and RDP

Enable MFA on all Remote Desktop Services connections, including RDP logins and RD Gateway connections.
How to apply MFA for RD Gateway and RDP

MFA for RemoteApp

Protect connections to RemoteApp sessions with MFA.
How to apply MFA for RemoteApp

MFA for Virtual Private Network (VPN)

Secure VPN connections with MFA through RADIUS challenge-response (Access-Challenge) or Microsoft RRAS.

How to apply MFA for VPN

MFA for IIS apps (OWA, RDWeb, SharePoint)

Apply MFA on Microsoft IIS sessions to secure AD user access to Outlook on the Web (OWA), RDWeb, SharePoint, Microsoft Dynamics CRM, and other IIS apps.
How to apply MFA for IIS

MFA for SaaS apps

Combine MFA and Single Sign-On (SSO) to secure access to Microsoft 365, Exchange Online, AWS, Google Workspace, and other SaaS apps that support the SAML 2.0 protocol.
How to apply MFA for SaaS

MFA for Virtual Desktops

Add MFA to AD user access to Windows-based virtual desktop infrastructure (VDI), including Microsoft, Citrix, VMware and more.
How to apply MFA for VDI

MFA for UAC prompts

Enforce MFA on Windows UAC (user account control) credential prompts displayed when launching administrative tasks.
How to apply MFA to UAC prompts


How does MFA for Active Directory user identities work?

When users enter an on-premise Active Directory username and password, these are validated by a domain controller or by the cached credentials on their device. Once the AD credentials are verified, UserLock intervenes at the authentication layer and enforces the applicable MFA policy before the session is granted. Because UserLock integrates directly with on-premise Active Directory, MFA stays low maintenance: simple to set up and easy to manage.

  • Quick configuration

    Set MFA policies by user, group, or organizational unit (OU), making setup fast and scalable — even across a large user base.

  • Seamless adoption

    Control how and when end-users enroll in MFA, allowing them to skip enrollment for a set time to ensure a smooth rollout.

  • Effective application

    Apply MFA policies in real-time, securing all connections — no matter where users connect from — thanks to UserLock's ability to detect new endpoints instantly.

Keep end users productive with easy MFA enrollment

Once the administrator enables MFA, end users can easily self-enroll thanks to UserLock’s simple self-enrollment process. Admins can also allow users to skip MFA enrollment until a specific date to allow for flexible onboarding.

How to self-enroll with the UserLock Push app

  1. Install the UserLock Push app on a smartphone.
  2. Scan the QR code.

How to self-enroll with an authenticator application

  1. Install the authenticator app on a smartphone.
  2. Scan the QR code.
  3. Enter a code to confirm activation.

How to self-enroll with hardware security keys (YubiKey, Token2)

  1. Insert the key into the computer’s USB port.
  2. Log in to the computer, confirm the use of a hardware key (a YubiKey, for example), and select the available YubiKey slot.
  3. Click “Link YubiKey” to confirm the configuration and press the YubiKey button. The key types the one-time code that confirms activation.

Multiple MFA methods

Choose to enable — or even force — up to two MFA methods. All methods use the standard one-time-password algorithms: time-based (TOTP, RFC 6238) and HMAC-based (HOTP, RFC 4226), both built on an HMAC over a seed shared between the server and the authenticator at enrollment.
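The enrollment steps above and the TOTP/HOTP statement both come down to the same mechanism: a seed is shared once (the QR code carries it as an otpauth:// URI), and each side then computes an HMAC over a counter or a time step. The following is an added illustration written for this page, not UserLock's code; it implements RFC 4226 and RFC 6238, checks itself against the RFC test vectors, and shows the two verification details a practitioner has to get right: a small skew window for TOTP clock drift, and a forward-only look-ahead window for HOTP hardware tokens whose counter advances on every button press. The issuer name and account are placeholders.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and the otpauth:// enrollment URI.
Added illustration, not UserLock's code. Verified against the RFC vectors."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to absorb clock drift.
    Constant-time comparison so the check does not leak which digits matched."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at + delta * step, step), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 10):
    """A hardware token increments its counter on every press, including presses
    that never reach the server, so search a window ahead of the stored counter.
    Returns the next counter to store, or None. The counter only moves forward:
    a code at or below the stored counter is a replay and is rejected."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def new_enrollment(account: str, issuer: str = "Example Corp"):
    """Generate a 160-bit seed and the otpauth:// URI (Key URI format) that the
    enrollment QR code encodes for an authenticator app. Issuer/account are placeholders."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    params = urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30},
        quote_via=quote,
    )
    return secret, f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret.
    rfc_secret = b"12345678901234567890"
    print(hotp(rfc_secret, 0))              # 755224
    print(totp(rfc_secret, 59, digits=8))   # 94287082
    seed, uri = new_enrollment("alice@example.com")
    print(uri)
    print(verify_totp(seed, totp(seed, 1_700_000_000), 1_700_000_000))  # True
```

The HOTP look-ahead is the part most often done wrong: if the verifier ever accepts a code for a counter it has already passed, the code typed by the user (or captured from a keyboard-emulating key) becomes replayable.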

MFA recovery codes

After enrollment, admins can allow users to access a chosen number of MFA recovery codes. Each code is a single-use password that satisfies the MFA prompt once, so a user who has lost their phone or key can regain access.
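What "single-use" means on the server side is worth spelling out. The following added example (written for this page, not UserLock's implementation) generates a batch of high-entropy codes, stores only their hashes, normalises whatever the user types, and deletes a code the moment it is accepted so it can never be redeemed twice. The alphabet and code length are design choices of the example.

```python
"""Recovery codes as one-time MFA fallbacks. Added illustration, not UserLock's code."""
import hashlib
import hmac
import secrets

# Constructed alphabet: drops 0/o, 1/l/i so a code read from paper is unambiguous.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10):
    """Plaintext codes to display to the user exactly once.
    10 symbols from a 31-symbol alphabet is roughly 49 bits of entropy per code."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")  # grouped for readability
    return codes


def _digest(code: str) -> str:
    """Normalise user input (drop separators and case) before hashing, so
    'ABCDE FGHJK' and 'abcde-fghjk' are the same code."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodeStore:
    """Server side: only hashes are kept, so a dump of the store yields no usable codes.
    A salted/slow hash is unnecessary here because the codes are random, not user-chosen."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, code: str) -> bool:
        """Constant-time compare against every unused hash; on success the hash is
        removed, which is what makes the code one-time."""
        candidate = _digest(code)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)
                return True
        return False

    @property
    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print(codes[0], store.redeem(codes[0]), store.redeem(codes[0]))  # <code> True False
```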

Remote MFA enrollment

Users can enroll for MFA even when working remotely, outside of the corporate network.

Keep MFA lightweight with custom MFA policies

Give IT full control over when and how to require MFA. This flexible approach safeguards resources, supports compliance, and keeps business moving forward.

Configure MFA policies based on:

  • User role: Enable MFA according to AD user, group, or organizational unit (OU).
  • Session type: Adjust the MFA policy according to session type, including privilege elevation requests on UAC (user account control) prompts for administrative tasks and “Run as administrator” requests.
  • Connection type: Set different MFA policies for local sessions and sessions connecting from outside the network.

Fine-tune MFA application according to:

  • Frequency: Choose when to prompt for MFA for each session and connection type, with the ability to specify every n minutes/hours/days.
  • Circumstances: Set custom rules for when to prompt MFA, including on the RDP or RD Web connection, or on logins on devices that aren’t connected to the LAN.
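The three scoping dimensions (who, which session type, from where) and the frequency setting combine into a single yes/no decision at each logon. The following added example models that decision in a few dozen lines; it is an illustration of the concepts on this page, not UserLock's policy engine, and the policy names, group names, address ranges and intervals are all constructed for the example. The one design rule it encodes is that if any applicable policy requires MFA, MFA is required, so a broad exemption can never override a targeted requirement.

```python
"""Context-aware MFA policy evaluation, modelled for illustration.
Not UserLock's engine or setting names; all values are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed: address ranges treated as the corporate LAN.
CORPORATE_LAN = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_on_lan(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CORPORATE_LAN)


@dataclass
class Policy:
    name: str
    groups: frozenset          # AD groups in scope; empty means every user
    session_types: frozenset   # e.g. "console", "rdp", "vpn", "uac"
    off_lan_only: bool         # prompt only when the client is outside the LAN
    reprompt_after: Optional[timedelta]  # None: prompt on every matching logon


@dataclass
class LogonContext:
    user: str
    groups: frozenset
    session_type: str
    client_ip: str
    now: datetime
    last_mfa: Optional[datetime]  # last successful MFA for this user and session type


def mfa_required(policies, ctx: LogonContext) -> bool:
    """MFA is required if ANY applicable policy demands it at this moment."""
    for p in policies:
        if p.groups and not (p.groups & ctx.groups):
            continue                      # user not in scope
        if ctx.session_type not in p.session_types:
            continue                      # session type not in scope
        if p.off_lan_only and is_on_lan(ctx.client_ip):
            continue                      # policy only applies off-LAN
        if p.reprompt_after is None or ctx.last_mfa is None:
            return True                   # always prompt, or never prompted yet
        if ctx.now - ctx.last_mfa >= p.reprompt_after:
            return True                   # interval elapsed
    return False


# Constructed policy set: admins always prompt on interactive/elevation sessions;
# everyone else is prompted for remote access from outside the LAN every 8 hours.
POLICIES = [
    Policy("admins", frozenset({"Domain Admins"}), frozenset({"console", "rdp", "uac"}), False, None),
    Policy("remote", frozenset(), frozenset({"rdp", "vpn"}), True, timedelta(hours=8)),
]


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0)
    ctx = LogonContext("alice", frozenset({"Domain Users"}), "rdp", "203.0.113.7", now, None)
    print(mfa_required(POLICIES, ctx))  # True: first off-LAN RDP logon
```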

Detect threats and get compliant with MFA event tracking

Easily monitor and manage Active Directory MFA that scales seamlessly across all users.

  • Complete visibility: See all MFA events – successful and unsuccessful – per user, and generate MFA reports to demonstrate compliance with cyber insurance and regulatory requirements.
  • Real-time alerts: Get instant notifications for end user MFA help requests.
  • One-click actions: Reset MFA keys or temporarily disable MFA for a user when needed.

Example Use Case: Enforce the use of only corporate-owned machines for remote working

Reduce the risk of MFA fatigue with contextual access controls

UserLock’s contextual restrictions provide an extra layer of security by verifying each access attempt against set policies.

Control access by machine, device, location, time, session type, initial access point, and the number of active sessions.
