MFA settings

This page details the global MFA (Multi-Factor Authentication) settings for UserLock. These options apply to all user accounts for which MFA is enabled.

Published August 28, 2025

Note
  • To access this page, go to Server settings ▸ MFA.

  • You need at least read permission on Server settings to view this page.

MFA methods

Select which MFA methods are available to users.

Multiple methods can be activated at the same time to increase flexibility and security.

Method: Description

  • Push notifications: Requires the UserLock Push mobile app (iOS/Android). Users receive a prompt on their smartphone to approve or deny login attempts.

  • Authenticator App: Compatible with any TOTP-based app (e.g., Google Authenticator, Microsoft Authenticator, Authy). Users enroll by scanning a QR code and then use a time-based code for each login.

  • USB keys:

      • Programmable hardware tokens (e.g., Token2) generating TOTP codes, pre-programmed during setup. Suitable for environments where mobile devices are restricted.

      • HOTP tokens: one-time password tokens based on a counter (e.g., Token2 HOTP). Each use increments the code.

      • YubiKey (OTP mode): Supported YubiKeys can generate one-time passwords. The user inserts the key and taps it to input the MFA code.

Alternative MFA method

Allows or forces users to register a secondary MFA method in case the primary one is unavailable.

Recovery codes

Provide users with backup access when their primary MFA method is unavailable.

  • Each user receives a set of single-use codes (between 4 and 20) during MFA enrollment.

  • Codes are generated automatically and must be stored securely by the user.

  • Each code can only be used once and acts as a temporary substitute for the second factor.

MFA for websites on IIS servers

UserLock can enforce MFA for web applications hosted on Microsoft IIS using its integrated UserLock IIS Agent.

  • Adds a second layer of authentication after Windows authentication without modifying the application itself.

  • Users are prompted for MFA based on configured policies.

  • The IIS Agent must be installed and configured on the web server.

  • MFA must be enabled for the targeted users in UserLock.

"Ask for help" button

The Ask for help button lets users request administrator assistance if they cannot complete MFA verification (e.g., lost device, no network access).

This option is available directly on MFA prompts and during enrollment.

  • Sends a notification (email or popup, depending on configuration) to UserLock administrators.

  • Admin recipients can be defined manually (via LDAP search for machine names or email addresses).

Requests appear on the MFA help requests page in the Activity section, where administrators can:

  • Temporarily disable MFA for the user.

  • Reset the user’s MFA configuration.

  • Mark the request as resolved once the issue is handled.