Transitioning to JumpCloud Protect Push MFA

Written by Kate Lake on August 25, 2021

Share This Article

Updated on September 8, 2022

JumpCloud Protect is JumpCloud’s new multi-factor authentication (MFA) app that verifies identity through single-touch verification available on iOS and Android devices.

A user-friendly alternative to MFA factors like time-based one-time passwords (TOTP), JumpCloud Protect is both easy to install and easy to manage. And rolling your MFA solution in with your directory service and identity provider (IdP) without extra costs means less friction, better management, and bigger savings.

For companies transitioning from Duo Security (or another push MFA provider) to JumpCloud Protect, this blog will help you prepare your users, optimize the setup process, and address common questions. 

Transitioning to JumpCloud Push MFA from Duo Security MFA

1) Prepare your users for the switch. 

Let your users know they’re going to start using a different provider for push MFA. Make sure to give users time to adapt; give them plenty of notice and remind them periodically before rollout begins. 

  • Let your users know they’re going to start using a different provider for push MFA. Make sure to give users time to adapt; give them plenty of notice and remind them periodically before rollout begins. 
    • Describe to users how the push notifications will work and in what contexts they can expect to use it. 
    • Tell them that they will be able to use push notifications as well as time-based one-time passwords (TOTP)
    • Let users know the reasoning for the change and how JumpCloud Protect keeps them secure. 
    • Try to contextualize the rollout around user experience changes. While some users may not be interested in the back-end logistics of the switch, most will notice the new logo and different process — and your IT team may get questions and help desk tickets come go-live time if they come as a surprise. Start by showing them what it will look like on their phones so it’s not a surprise.
screen shot of jumpcloud protect on apple device
  • JumpCloud has developed user training designed for IT admins to circulate to users to help them get up and running with JumpCloud Protect. We recommend circulating this ahead of time to plan for different adoption styles and speeds. Some users may need extra preparation and training time to successfully transition to the new tool. Access and circulate the full user training here.

Have users download JumpCloud Protect on the device they want to use for MFA. Download on the iOS App Store or Google Play Store

2) Plan to keep Duo Security MFA enabled until all of your users have set up JumpCloud Protect push MFA.

Users take time to adopt new technology — especially when on their personal devices — and dropping Duo too soon will leave some users without any MFA protection. 

3) Enable JumpCloud Protect push MFA in the Admin Portal. 

  • Log in to the Admin Portal: https://console.jumpcloud.com.
  • Navigate to: SECURITY MANAGEMENT > MFA Considerations.
  • Under the JumpCloud Protect Mobile Push window, toggle the button next to User Portal & SSO Applications to the on position. (Note: to disable, complete the steps above again and toggle this button to off.)
  • Click save changes.

See Setup JumpCloud Protect for Your Org for more information.  

4) When all your users have an Enrolled Push MFA Status, you can disable Duo Security MFA.

Check MFA status in the Admin Portal to monitor who has enrolled in push MFA and who still needs to.

Communicating with Users: Experience and Benefits

Helping users understand what to expect and why the company is implementing a change can help with quick, smooth adoption. Here are some of the high points to include in your corporate messaging when announcing and rolling out the change.

The Experience

It’s important for IT teams to set clear and accurate expectations when introducing or switching tools. With JumpCloud Protect MFA, here are the basics for what users can expect:

  • To log into their User Portal and SSO resources, they’ll receive a push notification on their phone instead of a TOTP code. They’ll have to tap a button in the notification on their phone to verify their identity and complete the login process. 
  • This means they’ll have to download an app to their phone and have the personal device they choose with them during working hours. 

The Benefits

Switching to JumpCloud Protect benefits both users and admins. On the back end, it streamlines MFA management and consolidates tools. It’s free and improves security without adding friction for users. 

For users, push notification MFA is much easier to use than TOTPs. While we recommend communicating this benefit beforehand to spur adoption, users will likely notice the difference as soon as they try the push notifications instead of the TOTP. No finding and typing in a code with a time limit — all they have to do is tap a button that’s already there on their screen.

In addition, JumpCloud Protect can act as the primary source for devices, applications, and RADIUS-based network access that requires TOTP as a second factor. This can help separate personal and business TOTP records, which quickly add up given their prevalence in B2C applications, making it easier for your end users to find the codes they need quickly. And more generally speaking, converging all MFA factors into a single app simplifies the end- user experience and sets up your organization to more easily transition away from TOTP as JumpCloud Protect expands its reach.

Troubleshooting and Tips

  • JumpCloud Protect supports iOS versions 13 and above and Android versions 8 and above. Users should do any updates needed on their phones and make sure they’re using the latest OS version.
  • Users can only use JumpCloud Protect on one device. Make sure they don’t enroll on more than one device.
  • Because push MFA works with the User Portal and SSO applications but not for all resources, push currently cannot be set as the only MFA solution. Another factor, like TOTP, must be enabled as well.
  • Push notifications work with the User Portal and SSO resources. If you currently require TOTP MFA on other resources like RADIUS, they will continue using TOTP.

Additional Resources

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).

Continue Learning with our Newsletter