By Zach DeMeyer Posted December 6, 2018
Multi-factor authentication, MFA, 2FA, TOTP sign-in, or whatever you wish to call it, is taking hold in the IT security marketplace. It’s for good reason, too; adding another time-sensitive layer to the login process reduces the chances of identity compromise by 80% (Symantec). While there’s no doubt that adding MFA improves security, IT admins struggle to enforce it with their end users. Because of the extra time it takes to log in, many end users dislike it and will often not set it up when IT asks. JumpCloud has taken this consternation into consideration with our new MFA enrollment period feature, which helps IT admins get MFA adopted. But first, what is an MFA enrollment period?
MFA Enrollment Periods
When it comes down to brass tacks, requiring MFA across an enterprise is one of the most impactful improvements an IT admin can make to their organization’s network security. It’s remarkable how taking the extra few seconds to use a time-based one-time password (TOTP) as a secondary credential can stop many a would-be hacker in their tracks. In a day and age where business transactions can be done in seconds, however, every moment is crucial. The time-sensitive nature of the modern workplace has been one of the biggest deterrents to MFA, despite its track record of improving security.
An MFA enrollment period is a configurable time limit on the enforcement of multi-factor authentication for a user account. Given the hesitancy of many towards MFA, the enrollment period gives users a chance to warm up to the MFA process before it becomes a requirement. By allowing IT admins to set a window in which end users can choose to put off their MFA until it becomes a requirement, time that would be spent hounding employees to enable MFA can be used for more important things. End users can also ask questions and learn about why MFA is so valuable to them personally.
A New Addition to the DaaS Suite
MFA enrollment periods for the JumpCloud User Console are one of the newest additions to Directory-as-a-Service. Now, IT admins can easily customize each user’s enrollment period, making the MFA enabling process easier on end users as well.
If an admin chooses to enforce MFA in their organization, that admin can simply check the box under user accounts to require MFA, and then set the length of the enrollment period (one day to one year) each user has. The user then has until the end of that enrollment period to enroll; after that, they will be locked out of their JumpCloud User Console. Admins can also use bulk actions to require, reset, or remove MFA across entire user groups. To provide additional clarity, we have improved visibility of a user’s MFA status in the JumpCloud Admin Console.
NOTE: This enrollment period setting will not lock a user out of their Mac® or Linux® system(s) with MFA set up. However, once the user has set up their MFA on the User Console, it will automatically carry through and enable their MFA on the systems if that is set.
The user will then be required to enable MFA on their account, using either an app-based MFA TOTP tool, such as Google Authenticator, or a set of generated tokens as their secondary credential. Additionally, the MFA enabling process is not dependent on email links, no longer requires a password reset, and only uses two generated TOTP tokens at the time of enablement for user simplicity.
Try JumpCloud’s New MFA Enrollment Period Today
If the new MFA requirement process in the Directory-as-a-Service suite seems interesting to you and your organization, simply go to the Admin console to try it today. If you’d like to see how the feature works without affecting your main organization, you can sign up for ten free users in a new JumpCloud instance to experiment. Want to learn more about MFA enrollment? Check out this knowledge base article.