These instructions show you how to set up multi-factor authentication (MFA) for users of JumpCloud using the JumpCloud User Portal. Once setup for a user, MFA can be used to authenticate that user when signing into the JumpCloud User Portal, or other resources protected by JumpCloud MFA.
About JumpCloud MFA
JumpCloud MFA utilizes authenticator codes known as Time-based One-Time Password (TOTP) Tokens. Once MFA is setup for a user, the user will be required to enter these tokens when signing into a JumpCloud resource that has been enabled for MFA protection by a JumpCloud Admin. Each user is set up independently, and will have their own TOTP tokens. This process requires a TOTP application that will generate these tokens for the user, generally using a mobile device. Any application that can generate a six-digit SHA-1 based TOTP token should be able to be used with JumpCloud MFA. Several apps qualified to work with JumpCloud are:
Preparing Your Users
We advise administrators to educate their users in advance of enabling MFA to prevent potential confusion over the change in workflow.
- Once an admin enables JumpCloud MFA for a user, the user will receive an email notifying them they are now required for MFA, and notify them of how long they have to enroll in MFA before the MFA token is required at login to the user portal.
- Following the link in the email, or logging into the User Portal will give the user access to their TOTP key and QR code to scan into a qualified MFA app token generator app, until their enrollment period expires.
- Once the user completes MFA setup, the JumpCloud User Portal will require email address, password, and TOTP Token at sign in. Additionally, for any MFA-enabled systems, users will be prompted for MFA when logging into those systems once they have completed setup.
Requiring Multi-Factor Authentication on an Individual User Account
- Edit a user or create a new user in the Admin Console.
- Enter other user configuration details.
- Select the 'Require Multi-Factor Authentication for User Portal' checkbox.
- Select the number of days the user has to enroll in MFA before they will be required to have MFA at login. The number of days can vary between 1 and 365, and will be defaulted to 7 days.
- Select ‘Save' to save the user.
- New users will receive a welcome email if their initial password was not set, and will be prompted to complete their MFA setup when they next login to the User Portal.
- Existing users will receive an email notifying them they have been requested to set up MFA.
Requiring Multi-Factor Authentication on Existing Users in Bulk Actions
- Select users you would like to require MFA for.
- Expand the “more actions” drop down and select “Require MFA on User Portal”
- Select the number of days the user has to enroll in MFA before they will be required to have MFA at login. The number of days can vary between 1 and 365, and will be defaulted to 7.
- Select “require” to add this requirement to the selected users.
Extending Time for a User to Enroll in MFA
If a user has been locked out because their allotted time for MFA enrollment has expired, or is about to expire, you may want to extend the enrollment period for the user.
- Edit the user that needs an extension in the Admin Console.
- Select the user's MFA status indicator to show the MFA options menu.
- Select the 'Reset MFA' option from the menu to display the reset MFA modal.
- Specify the time period allotted for the user to enroll, starting from today, and submit.
- The user will be notified of the enrollment period change, and subsequently will follow the standard MFA enrollment process.
In Case of Device Loss or Failures
Because the device containing the TOTP key may be a single point of failure, in case of loss or breakage, it's recommended to record and store the TOTP value in a safe place as a backup. Most apps that generate TOTP tokens allow the TOTP key to be entered manually, which means it can be typed in rather than scanning the QR code in order to restore the ability to generate tokens on a new device or app.
Alternatively, if a user loses their ability to generate tokens, a JumpCloud administrator can perform an MFA reset for the user through either the Users list bulk actions or the Details tab for a single user in order to clear the previous TOTP key, and re-enter an enrollment period.
- Edit the user that needs the MFA reset.
- Select the user’s MFA status to display the MFA operations menu.
- Select ‘Reset MFA on User’ from the menu.
- A window will appear.
- Select the number of days they will have to complete their setup.
- Press the ‘Reset’ button.
- The user should be able to now login without MFA, and be prompted to reconfigure their MFA prior to the enrollment expiration.
MFA Resource Availability
MFA resource protection is available on the following JumpCloud-managed resources:
- User Portal login
- Mac desktop login
- Linux SSH login
- SSO/SAML application login
- Admin Portal login*
Once MFA setup has been completed by a user, MFA will be enforced for that user on any MFA-protected resource. For example, if MFA is enabled for a given Linux server, and User A has completed MFA setup, they will be prompted for a token when signing into the protected Linux server. If User B has not completed MFA setup, they will not be prompted when signing into the same Linux server.
* Admin Portal MFA protection follows a separate MFA enrollment process
Note: Active Directory owned users created using the JumpCloud Active Directory Bridge do not have the option to enable Multi-factor Authentication for the User Portal.
User Workflow - Initial Setup
- The user will receive an email, stating they are required to setup MFA for JumpCloud.
- They will click the link in the email OR log into the JumpCloud User Portal directly.
- They will be prompted for username and password.
- They will press the ‘user login’ button.
- Username and password will be authenticated.
- They will be prompted to set up multi-factor authentication, including links to Google Authenticator on the iOS App Store, and the Google Play Store. They are free to dismiss this prompt until the enrollment period ends. Upon dismissing the prompt, they will be reminded of the number of days remaining in enrollment.
- Upon pressing ‘continue’, they will be provided a QR code and TOTP key string that can be used to configure a qualified MFA token generator app, and prompted for their first TOTP token produced by the token generator app.
- For backup purposes, this would be the time to copy and paste their the TOTP key string below the QR code and store it in a secure location.
- Upon submission, they will be notified that MFA setup is complete
User Workflow - Expiring Enrollment
When a user has an enrollment that is expiring, they will be sent a reminder 24 hours in advance notifying them that MFA enrollment will expire. Once their enrollment has expired, they will be locked out of the User Portal until their MFA requirement is removed by an administrator or their enrollment time is extended using the ‘Extending Time for a User to Enroll in MFA’ process above.
User Workflow - User Portal Login After MFA Setup Completed
Once a user has completed MFA setup, the admin has required MFA on the user portal for the user, and the Google Authenticator is installed and linked with the user account, the login experience will be as follows for the User Portal:
- The user will go to https://console.jumpcloud.com
- They will be prompted for username and password
- They will press the ‘user login’ button
- Username and password will be authenticated
- They will be prompted for the Multi-Factor Authentication verification code, which they should populate with their TOTP token from the qualified MFA app of they have chosen (e.g. Google Authenticator). The user will have 60 seconds to input the digits from their MFA app into the JumpCloud OTP field. Nearing the end of the 60-second cycle, their MFA app will indicate the current key is about to expire, and the user should wait until a fresh key is generated.
- They will press the ‘user login’ button
- Their TOTP token will be authenticated
- They will be logged into the User Portal
- How to Enable Multi-factor Authentication for Mac
- How to Enable Multi-factor Authentication for Linux SSH
- How to Enable Multi-factor Authentication for JumpCloud Admins
- How to use Google Authenticator with JumpCloud MFA