Two-Factor Authentication Solution for Windows & RDP Logons

12 Reasons to Choose UserLock

Two-factor authentication (2FA) with UserLock makes securing access to your Windows environment intuitive and easy. Get the best of both worlds – a secure network and a productive workforce.

1. Deploy 2FA alongside Active Directory

Simple to implement and intuitive to manage, UserLock works seamlessly alongside your existing investment in Microsoft Active Directory infrastructure. No modifications are made to accounts, structure or schema.

2. 2FA for Remote Desktop Connections

Choose to enable 2FA on remote connections. End-users connecting to another machine (a remote computer or virtual machine) within the network can still receive a 2FA challenge.

Administrators can choose to either apply 2FA on RDP logons that originate from outside the corporate network, or for every RDP logon both internal and external.


3. Consider RD Gateway IP address as outside the network

Remote Desktop Gateway (RDG or RD Gateway) gives remote users access to internal hosts over the internet by tunnelling RDP inside an HTTPS (TLS) connection, so the RDP port itself does not have to be exposed directly to the internet.

RDP connections that pass through a gateway are by default considered as coming from 'inside' the network, because the target host sees the gateway's internal address as the source of the connection rather than the remote user's public IP. To treat them as outside connections, list the RD Gateway's IP address in UserLock's advanced settings.

You can then enable MFA only for RDP logons that originate outside the network, confident that every connection arriving through the RD Gateway is included.

4. 2FA with Time-based or HMAC-based One-Time Passwords (TOTP and HOTP)

UserLock leverages authenticator applications or programmable hardware tokens to generate a One-Time Password for strong two-factor authentication.

In both TOTP and HOTP the token (the OTP generator) derives a short numeric code from a secret shared with the server, using HMAC. The security of an OTP rests on the fact that the codes change constantly and are single-use, hence the name. TOTP derives each code from the current time step (typically 30 seconds); HOTP works the same way except that an authentication counter, incremented on each use, takes the place of the timestamp. In practice the verifier must tolerate a little clock skew (TOTP) or counter drift (HOTP) while still rejecting a code that has already been accepted.

Different options exist for the token. Using a smartphone authenticator app as the token frees users from carrying a dedicated device, and this is often regarded as the best balance of security, usability and cost available today.

Programmable hardware tokens can act as a drop-in replacement for mobile apps, since they are seeded with the same shared secret and produce the same codes. They are a practical way to implement MFA for end-users who cannot use a corporate phone.

A hardware token can also be a device plugged into a USB port that types the OTP code for you when you tap it, making the user experience even more frictionless.

5. Customize how you ask for 2FA

For any user, user group or OU, you can specify the circumstances under which 2FA is requested: by connection type (workstation or server connections) and by frequency (every connection, every N days, the first logon of the day, or every new machine).

6. 2FA for all users, including the most privileged accounts

Securing access for all users aligns with most companies' desire to protect every Active Directory account that has access to critical data and applications.

It also improves your ability to restrict, and respond to activity from, the most privileged accounts: Windows local administrator accounts, domain admin accounts and Active Directory service accounts.

7. Secure, always available, on-premises hosting

UserLock is installed in your own on-premises environment for maximum security, and can be administered remotely from any workstation. Get insights, alerts and reports on all 2FA activity across your organization.

8. One-click response to help end-users

From the console, administrators can easily interact with any session and respond, reset or bypass authentication settings for any specific user.

9. 2FA in conjunction with contextual restrictions

With UserLock's contextual restrictions in place, administrators can confidently customize 2FA controls so that users are not prompted for a second authentication every time they log in.

Transparent to the end-user, these restrictions create a significant barrier to an attacker without impeding employee productivity. They also help administrators distinguish legitimate requests to bypass or reset 2FA from suspicious ones.

Contextual factors include location, machine, time, session type and number of concurrent sessions.

10. Easy for both users and administrators

Enrollment is intuitive and simple for users to do on their own.

Alerting end-users when their own credentials are used (successfully or not) helps them take responsibility for their own trusted access.

Help requests alert administrators in real time; they can respond immediately with one-click actions, letting users get on with their job.

11. Offline 2FA

UserLock is a complete on-premises solution that needs no internet access: TOTP and HOTP codes are generated on the token and verified locally, so users can authenticate just about anywhere.

12. Cost effective 2FA

2FA doesn’t have to come at a high cost – but it does have to be effective in relation to its cost. UserLock offers enterprise caliber 2FA in terms of focus and effectiveness, but with SMB sensibilities in terms of implementation and use.

UserLock offers five primary functions, all working together, to secure access to a Windows Active Directory environment.

  • Two-factor Authentication (2FA) – Secure two-factor authentication on Windows logon, RDP and VPN connections. Define the circumstances to verify the identity of all users, using one-time passwords.
  • Contextual Access Policy & Restrictions – Restrictions can be established to limit when an account can log on, from which machines, devices or IP addresses, using only approved session types (including Wi-Fi, VPN and IIS), the number of concurrent sessions, and so on, helping to reduce the risk of inappropriate use.
  • Real Time Monitoring & Reporting – Every logon is monitored and tested against existing policies to determine if a logon should be allowed. Full visibility gives insight into any anomalous account behavior that may indicate a potential threat. Reporting helps ensure detailed insights for any investigations.
  • IT and End-User Alerting – Notifies IT and the user themselves of inappropriate logon activity and failed attempts.
  • Immediate Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.

Download this White Paper in PDF
