How to Enable Multifactor Authentication for the JumpCloud User Portal

Note: Active Directory owned users created using the JumpCloud Active Directory Bridge do not have the option to enable Multifactor Authentication for the User Portal.

JumpCloud provides Multifactor Authentication (often called 'MFA') as additional security for both the Admin Portal and the JumpCloud User Portal. Multifactor authentication refers to the use of more than one "factor" to verify a user's identity when they access their JumpCloud Portal. For example, a username and password would be one "factor"; these are things that you know. Adding another factor, such as something you have, increases security in case a password is compromised. Because both factors would have to be compromised (i.e., an attacker discovers your password and also steals your phone), the overall security of accessing the JumpCloud service is strengthened. In short, multifactor authentication significantly reduces the likelihood that someone will be able to gain access to an account.

JumpCloud relies on your username and password, and offers optional support for multifactor authentication using the Google Authenticator app, available for Android, iOS, and BlackBerry phones. Once you link your Google Authenticator app to your JumpCloud account, you are required to enter the appropriate time-based verification code generated by the authenticator when you log in to JumpCloud. This step-by-step guide will explain the process of setting up multifactor authentication, and provide information about how your users will experience the sign-in flow. 

Preparing Your Userbase

While JumpCloud will provide instructions to your users explaining Google Authenticator setup, we advise administrators to educate their users in advance of the change, to ensure they are prepared and ready to gain access efficiently to the JumpCloud User Portal. Some guidance:

Communicate that the JumpCloud User Portal will require the standard username/email and password and a multifactor verification code generated by their Google Authenticator. 
Provide instructions on where to get the Google Authenticator software, which can be found here on the Google Support Forums.
Indicate that JumpCloud will issue an email when multifactor authentication is turned on for their account. The email will force a reset of their password, and walk them through configuring their Google Authenticator with a unique QR code (or TOTP key), which will link their JumpCloud account with Google Authenticator and begin to generate synchronized verification codes.

Enabling Multifactor Authentication on a User Account

New User Creation

1. Create a New User in the JumpCloud Admin portal
2. Select the 'Enable Multifactor Authentication on the JumpCloud User Portal' checkbox

3. Click 'Save User'

Note: Upon hitting 'Save User', an email will be sent to the user to complete their account registration and guide them through instructions on accessing Google Authenticator, as well as information about how to log in to the JumpCloud User Portal with the verification code.

Note: If 'Specify initial password, rather than sending a welcome email' is selected, no email is sent to the recipient.

Existing Users

1. Enter the User Details view for the user for whom you wish to require multifactor authentication 
2. Select the 'Enable Multifactor Authentication on the JumpCloud User Portal' checkbox

3. Hit 'Save User'.

Note: When MFA is enabled for a user, the user will receive an email to reset their password, as well as instructions for installing Google Authenticator. They will also receive instructions on how to sign in to the JumpCloud User Portal with their verification code.

The Initial End-User Experience

Regardless of whether multifactor authentication has been enabled on a new or existing user account, the following user experience occurs:

1. The employee will receive a 'JumpCloud Password Reset Notification' email
2. They will click 'Change Password' in this email and be directed to a Change Password page, where they will enter a new password

3. Once the password is accepted, the user will be redirected to a page instructing them how to install and configure Google Authenticator and how to scan the provided QR code:

4. After clicking Continue, the user will be logged in to the JumpCloud User Portal without entering a verification code. Subsequent logins will require the verification code linked to JumpCloud. The Google Authenticator instructions and QR code information are also available from within the JumpCloud User Portal

5. With Google Authenticator installed, the QR code must be scanned and the account added to the application in order to begin generating verification codes. To add the account to Google Authenticator:

a - Enter the Google Authenticator app
b - Tap the "+" to add an account:

c - Select 'Scan Barcode' (which uses the mobile device's camera to scan the QR code) or 'Manual Entry' (which requires the user to manually enter the 16-digit TOTP code).
d - The user will then see their account registered within the Authenticator, generating timed/temporary verification codes (explained in the next section)

End-User Experience - Subsequent User Portal Logins
Once the Google Authenticator is installed and linked with the user account, the login experience will be as follows:

1. The employee will go to  
2. Upon landing on the JumpCloud User Portal login page, the user will see an additional One-Time Password field

3. The user will open the Google Authenticator app on their mobile device and enter the verification code associated with JumpCloud. The user will have 60 seconds to input the digits from Google Authenticator into the JumpCloud OTP field. Nearing the end of the 60-second cycle, Google Authenticator will blink red and the employee should wait until a fresh key is generated

4. Once the verification code is entered and the password is validated, the user will be able to access the JumpCloud User Portal
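
The time-based verification codes described above are derived from the TOTP key and the current time only, which is why the app and the portal stay synchronized without talking to each other. The following is an added example, not JumpCloud's code: it assumes the RFC 6238 defaults that Google Authenticator uses (HMAC-SHA1, 30-second time step, 6 digits), the key shown is the published RFC 6238 test key, and the one-step drift allowance and replay check are illustrative assumptions rather than JumpCloud's server settings.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default, assumed here)
DIGITS = 6   # code length shown by the authenticator app

# RFC 6238 test key ("12345678901234567890") in base32, as it would be typed
# in the app's manual-entry screen. Not a real account secret.
TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_key(b32_key: str) -> bytes:
    """Decode a manual-entry key: ignore spaces and case, restore padding."""
    s = b32_key.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(b32_key: str, now: float) -> str:
    """Code the authenticator app displays at Unix time `now`."""
    return hotp(decode_key(b32_key), int(now) // STEP)

def verify(b32_key: str, code: str, now: float,
           drift_steps: int = 1, last_used_step: int = -1):
    """Server-side check. Returns the matched time step, or None.

    drift_steps tolerates clock skew between phone and server (assumed value).
    Steps at or before last_used_step are refused so a code that was already
    accepted cannot be replayed while it is still inside the window.
    """
    key = decode_key(b32_key)
    current = int(now) // STEP
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step).encode(), code.encode()):
            return step
    return None

if __name__ == "__main__":
    code = totp(TEST_KEY, 59)
    print("code at t=59:", code)
    print("accepted at t=89 (one step late):", verify(TEST_KEY, code, 89))
    print("accepted at t=119 (two steps late):", verify(TEST_KEY, code, 119))
    print("replayed after use:", verify(TEST_KEY, code, 59, last_used_step=1))
```

The server should store the returned step per user and pass it back as `last_used_step` on the next login attempt.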

Last Updated: Aug 04, 2016 11:02AM MDT
