Configure TOTP MFA for Your Org (2024)

Use Multi-Factor Authentication (MFA) with JumpCloud to secure user access to your organization’s resources. Configure TOTP MFA to guard the User Portal, RADIUS servers, the Admin Portal, and user devices.

Considerations:

  • TOTP cannot be disabled for device and RADIUS server authentication.
  • If TOTP is disabled for your org, you must have JumpCloud Protect Mobile Push or Duo Security MFA enabled.

Tip:

Give your users secure and convenient access to their resources with JumpCloud Protect. You can also secure user access to resources with Duo MFA and WebAuthn MFA. See MFA Guide for Admins to learn more.

About JumpCloud TOTP MFA

JumpCloud TOTP MFA uses authenticator codes called Time-based One-Time Password (TOTP) tokens. After TOTP MFA is configured for a user, that user is required to enter a TOTP token when they log in to a JumpCloud resource that is protected by TOTP MFA. Each user is set up independently, and has their own TOTP tokens. A TOTP application generates tokens for users, generally from a mobile device. Any application that can generate a six-digit SHA-1 based TOTP token can be used with JumpCloud TOTP MFA. Some apps qualified to work with JumpCloud are:

TOTP MFA Resource Availability

TOTP MFA resource protection is available on the following JumpCloud-managed resources:

  • User Portal login
  • Windows login
  • Mac login
  • Linux SSH login
  • SSO/SAML application login
  • RADIUS VPN networks
  • Admin Portal login*

After a user configures TOTP MFA, they are required to enter a TOTP token for any TOTP MFA-protected resource. For example, if TOTP MFA is enabled for a Linux server, and User A has completed TOTP MFA setup, they are prompted for a TOTP token when they sign in to the protected Linux server. If User B hasn't completed TOTP MFA setup, they aren't prompted when signing into the same Linux server.

Note:

Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.

*Admin Portal TOTP MFA protection follows a separate MFA enrollment process.

Preparing Your Users

We advise admins to educate their users before enabling TOTP MFA to prevent potential confusion over the change in their user workflow.

  • After an admin enables JumpCloud TOTP MFA for a user, the user receives an email that notifies them they are now required to use TOTP MFA and tells them how long they have to enroll before a TOTP token is required to log in to the User Portal and other protected resources.
  • Users can follow the link in their setup email, or can log in to the User Portal to start TOTP setup. The setup wizard gives them a TOTP key and QR code to scan with a qualified TOTP app.
  • After a user configures TOTP for their account, the JumpCloud User Portal requires username, password, and TOTP Token to log in. Users are also prompted for a TOTP token when logging in to any other resources protected by TOTP MFA, such as RADIUS and their device.

Note:

TOTP attempts are not unlimited. The allowed number of user attempts is set by the IT Admin; admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.

Viewing the Status of User TOTP Enrollment

On the Users page, use the Columns dropdown to add the MFA: TOTP and MFA: User Requirement columns to confirm which users have completed TOTP enrollment.

Setting Up TOTP MFA

  1. Review TOTP MFA Resource Availability and Preparing Your Users.
  2. Configure TOTP MFA for User Accounts.
  3. Understand the User Workflow with MFA.
  4. Enable MFA for RADIUS and Devices.
  5. Enable MFA for the Admin Portal.

FAQs

Configure TOTP MFA for Your Org? ›

Enabling TOTP MFA at the Org Level

How do I set up TOTP MFA? ›

Go to User Management > Users. Select one or more users. Click more actions, then select Require User MFA. Specify the number of days the user has to enroll in TOTP MFA before they are required to have a TOTP token at login.

How to set up Multi-Factor Authentication for your org? ›

To enable MFA for all internal users in your org:
  1. From Setup, in the Quick Find box, enter Identity, and then select Identity Verification.
  2. Select Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org.

What is TOTP MFA? ›

TOTP stands for Time-based One-Time Passwords and is a common form of two-factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input.
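The six-digit, SHA-1 based token described above, as an added example that is not JumpCloud's code: it follows RFC 6238 to derive a code from the base32 TOTP key and the current time, then verifies a submitted code. The key is the published RFC test key, and the acceptance window of one 30-second step either side is an assumption, not a documented JumpCloud setting.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 SHA-1 test key ("12345678901234567890")
# in the base32 form an enrollment QR code or setup key would carry.
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(key_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 TOTP code (HMAC-SHA-1) for the given time."""
    # Setup keys are often shown lowercase, spaced and without padding.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)

    # The moving factor is the number of whole steps since the Unix epoch.
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): low nibble of the last byte picks
    # a 4-byte slice, whose top bit is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Accept a code from the current step or `window` steps either side.

    The window (an assumption here) absorbs clock drift between the
    authenticator device and the verifier; a wider window lengthens the
    time a captured code stays usable.
    """
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue  # no step exists before the epoch
        expected = totp(key_b32, t, step)
        # Constant-time comparison; check every candidate, no early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```
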

How do I set up my MFA authentication? ›

  1. Step 1 - sign into Office 365 on your computer or laptop. ...
  2. Step 2 - installing the authenticator app on your mobile phone. ...
  3. Step 3 - return to your personal or.
  4. Step 4 - using your mobile.
  5. Step 5 - testing the authentication is working on your computer.

How do I get my TOTP MFA code? ›

Identity Platform lets you use a TOTP as an additional factor for MFA. When you enable this feature, users attempting to sign in to your app see a request for a TOTP. To generate it, they must use an authenticator app capable of generating valid TOTP codes, such as Google Authenticator.

What is the URL for MFA setup? ›

Go to the MFA setup for Office 365 using this link - https://aka.ms/mfasetup and sign in using your work email address and your network password. After you sign in, you'll see this page: 2. Click on Next.

How do I set up MFA conditional access? ›

How to set up MFA with Conditional Access
  1. Log in to your Azure tenant.
  2. Click Azure Active Directory.
  3. Click Conditional Access.
  4. Under Policies, click +New Policy.
  5. Under Name, fill in your desired policy name. ...
  6. Click Users and groups.
  7. Under Include, select All users, and click Done.

How do I implement 2FA in TOTP? ›

The complete code of the project is provided in this GitHub repository.
  1. Step 1: Choosing a 2FA Method. ...
  2. Step 2: Integrating 2FA Library. ...
  3. Step 3: Setting Up Routes. ...
  4. Step 4: Creating Homepage. ...
  5. Step 5: Creating Login Page. ...
  6. Step 6: Handling User Authentication. ...
  7. Step 7: Generating TOTP Secret. ...
  8. Step 8: Displaying QR Code.
Jun 18, 2024

What are the disadvantages of TOTP? ›

Drawbacks of TOTP

Device dependency: Users are dependent on their mobile devices or other authenticator devices to generate TOTP. If the device is lost or unavailable, and backup codes weren't saved, accessing accounts becomes impossible - unless there is a manual support process in place for account recovery.

Is Microsoft Authenticator a TOTP? ›

Microsoft Authenticator for iOS

All Microsoft Entra authentications using phishing-resistant device-bound passkeys, push multifactor authentications (MFA), passwordless phone sign-in (PSI), and time-based one-time passcodes (TOTP) use the FIPS cryptography.

What is the best 2 factor authentication method? ›

Here are some of the most effective 2FA methods:
  1. SMS or Text Message Codes: widely supported, easy to implement
  2. Time-based One-Time Passwords (TOTP): widely supported by authenticator apps
  3. Universal Second Factor (U2F) Security Keys: physical key, highly secure against phishing attacks
  4. Biometric Authentication: ...

How do I know if my MFA is activated? ›

Sign in to the Microsoft Entra admin center. Go to All Users under Identity » Users and select Per-user MFA. You are redirected to the multi-factor authentication page. In the list of users, view the multi-factor authentication status field to see the current MFA status for each user.

How to implement Multi-Factor Authentication? ›

5 MFA implementation tips for organizations
  1. Choose a vendor. The first step for any organization is to select a vendor for its MFA deployment. ...
  2. Decide on MFA methods. ...
  3. Involve employees early and explain MFA benefits. ...
  4. Prepare for user friction. ...
  5. Prepare for identity-based attacks.
Dec 1, 2023

How do I use Microsoft authenticator app for MFA? ›

Add Authenticator as a way to verify sign-in

On your computer, go to Advanced security options in your Microsoft account dashboard. Select Add a new way to sign in or verify. Choose Use an app. Tip: If you don't yet have Authenticator installed, select Get it now.

How do I register my device for MFA? ›

To register your device for use with MFA

Sign in to your AWS access portal. For more information, see Signing in to the AWS access portal. Near the top-right of the page, choose MFA devices. On the Multi-factor authentication (MFA) devices page, choose Register device.

How do I configure an MFA enabled service account? ›

How to configure an MFA-enabled service account
  1. Log in to portal.azure.com using your Global Administrator credentials.
  2. Click Azure Active Directory under Azure services.
  3. Choose Security from the left pane.
  4. Click MFA under the Manage category in the left pane.
  5. Choose the Additional cloud-based MFA settings option.

Article information

Author: Annamae Dooley
