Preparing Your Users
We advise administrators to educate their users in advance of the change to prevent potential confusion over the change in workflow.
- With MFA enabled, the JumpCloud User Portal will require email address, password and TOTP Token.
- Upon enabling MFA for a user, they will receive an email "MFA Now Enabled on your JumpCloud Account". This workflow will force a password reset and give them access to their TOTP key and QR code to scan into a token generator.
- Google Authenticator is highlighted during this process. If an alternative generator is desired, refer to Generating TOTP Tokens and Token validation for a list of qualified apps and how to validate usage.
Note: If this is done during user creation, and 'Specify initial password, rather than sending a welcome email' is selected, no email is sent to the recipient. If the user has a valid email address, use 'resend email' or advise them to use the self-service password reset.
1. Enter the User Configuration
2. Select the 'Enable Multifactor Authentication on the JumpCloud User Portal' checkbox, then 'save user'.
User Workflow - Initial Setup
1. The employee will receive a 'JumpCloud Password Reset Notification' email
2. They will click 'Change Password' in this email and be directed to a Change Password page, where they will enter a new password
3. Once the password is accepted, the user will be redirected to a page instructing them how to install and configure Google Authenticator and how to scan the provided QR code:
4. After clicking Continue, the user will be logged into the JumpCloud User Portal without entering a verification code. Subsequent logins will require the verification code linked to JumpCloud. The Google Authenticator instructions and QR code information are also available from within the JumpCloud User Portal
Google Authenticator
a - Enter the Google Authenticator app
b - Tap the "+" to add an account:
c - Select 'Scan Barcode' (which uses the mobile device's camera to scan the QR code) or 'Manual Entry' (which requires the user to manually enter the 16-digit TOTP code).
d - The user will then see their account registered within the Authenticator, generating timed/temporary verification codes (explained in the next section)
End-User Experience - Subsequent User Portal Logins
Once the Google Authenticator is installed and linked with the user account, the login experience will be as follows:
1. The employee will go to https://console.jumpcloud.com
2. Upon landing on the JumpCloud User Portal login page, the user will see an additional One-Time Password field
3. The user will open the Google Authenticator app on their mobile device and enter the verification code associated with JumpCloud. The user will have 60 seconds to input the digits from Google Authenticator into the JumpCloud OTP field. Nearing the end of the 60-second cycle, Google Authenticator will blink red and the employee should wait until a fresh key is generated
4. Once the verification code is entered and the password is validated, the user will be able to access the JumpCloud User Portal
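The mechanism behind the 'Scan Barcode' / 'Manual Entry' steps and the One-Time Password field can be sketched as follows; this is an added example, not JumpCloud's code. It assumes the QR code carries a standard otpauth:// Key URI and the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second step); the sample URI is constructed, and `parse_otpauth`, `totp` and `verify` are hypothetical names.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample of what a provisioning QR code encodes (not a real account).
SAMPLE_URI = "otpauth://totp/Example:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

def parse_otpauth(uri):
    """Pull the shared secret and parameters out of the QR payload."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    return {"secret": q["secret"][0],
            "digits": int(q.get("digits", ["6"])[0]),    # assumed default
            "period": int(q.get("period", ["30"])[0])}   # assumed default

def totp(secret_b32, now, digits=6, period=30):
    """RFC 6238 code for UNIX time `now` from a Base32 key as typed or scanned."""
    # Manual entry is error-prone: tolerate spaces, lowercase, missing padding.
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    key = base64.b32decode(s)
    counter = int(now) // period                 # both sides derive this from the clock
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, window=1, digits=6, period=30):
    """Server-side check: accept the current step and `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * period, digits, period)
        # Constant-time compare; no early exit, so timing does not reveal the match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok

if __name__ == "__main__":
    import time
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["secret"], time.time(), cfg["digits"], cfg["period"])
    print("current code:", code, "accepted:", verify(cfg["secret"], code, time.time()))
```

A code typed just as the step rolls over is still accepted when `window=1`, which is why a small device clock drift does not lock users out; with `window=0` the same code is rejected once the step changes.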