Your users can download the JumpCloud Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the iOS App Store or the Google Play Store. Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code MFA.
This KB article will answer common questions and offer suggestions to troubleshoot any issues that may arise during your team’s use of JumpCloud Protect.
Frequent Questions and Answers
JumpCloud Protect is available in all JumpCloud tiers.
JumpCloud Protect can be downloaded from the iOS App Store or the Google Play Store.
iOS 13 and above, and Android 8 and above.
The JumpCloud Protect mobile app may not be available in restricted countries such as Iran, Cuba, Syria, Sudan, North Korea, Russia, Belarus, and the Crimean region. Google Playstore is blocked in China, so users will not be able to download JumpCloud Protect on Android devices there. Even when downloaded elsewhere, JumpCloud Protect push won't work when traveling to certain countries.
No. Currently, users can only enroll one device at a time with JumpCloud Protect. If they get a new device, they should enroll the new device before wiping the old, or log in using another factor to enroll the new device. If those steps are missed they will need to contact admin for enrollment on the new device.
No. Your users need to enroll in each type of MFA separately.
No, enrollments cannot be transferred. Users must unenroll the old device before enrolling the new device through the JumpCloud User Portal.
JumpCloud Protect will collect certain diagnostic and usage data for troubleshooting issues and continuous app improvements. There is no user information collected.
Users can opt out of diagnostic and usage data collection from the Settings > Privacy screen.
Yes. If you decide to use JumpCloud Protect for verification code MFA in the future, your users will need to enroll in it using the JumpCloud User Portal. Once they do so, their current enrollment will be reset and they will use JumpCloud Protect.
JumpCloud Protect is highly secure and uses asymmetric key cryptography for security. When a device is enrolled and activated, an asymmetric key pair (public and private key) is generated. The private key is stored securely on the device while the public key is stored on JumpCloud’s servers. The push requests and responses are then signed by the key pair making the transactions highly secure.The communication between the mobile app and JumpCloud’s servers is encrypted. All communication is sent through https connections using TLS.
Push Bombing is a hacking method of triggering multiple 2FA attempts using push notifications until the user may accept the request accidentally. MFA Fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration.
Here are ways to protect your organization against such an attack:
- An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks.
- Enable biometric on JC Protect for an extra layer of identity protection.
- Leverage Conditional Access Policies for additional safeguards.
- Educate users to check application and location information before approving a push request, and to deny any request they suspect is fraudulent.
- Keep in mind that location information does not have 100% accuracy, especially at the city level.
JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second period, except for RADIUS and LDAP attempts. Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights.
Troubleshooting Issues and Resolutions
See Troubleshoot: JumpCloud Protect.