Multi-factor authentication

UserLock allows you to implement Multi-Factor Authentication (MFA) in your environment which requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications using time-based-one-time-passwords (TOTP). TOTP are widely accepted and aren't easily bypassed like SMS text based authentication. Examples include Google Authenticator and LastPass Authenticator.

Once enabled, you have different options for ensuring a smooth implementation of MFA.

Connections on Workstation or Server operating systems:

In the ‘Workstation connections’ and ‘Server connections’ tabs, you can set:

• The connection types: local and / or RDP sessions.
• The frequency you want.
  • “Never”: MFA never asked.
  • “When logging on to a new machine (once per machine).
  • “At every logon”
  • “At the first logon of the day (once per machine / server)”: MFA will be asked for the first logon of the day for each machine.
  • “Every <number> day(s)”: The same as the previous one, replacing every day with <number> day(s).
  • “After <number> day(s) since last logon on this machine / server”: MFA will be asked if the user logs on a computer on which they haven’t logged on to since <number> of day(s).

Skip

The “Skip” feature allows the end user to click “Skip” in the MFA configuration dialog. This is designed to allow flexibility during the onboarding process. The recommended setting is 2-3 weeks.

If enabled, the end user can choose it at the time of configuration:

If this option is chosen, the end user must select in the dialog box below the reason why he wanted to "Skip" the MFA:

• Protected accounts
  • Type
  • General
  • Multi-factor authentication
  • Notifications
  • Workstation restrictions
  • Hour restrictions
  • Time quotas
  • Group
  • Priority management