Configure TOTP MFA for Your Org

Use Multi-Factor Authentication (MFA) with JumpCloud to secure user access to your organization’s resources. Configure TOTP MFA to guard the User Portal, RADIUS servers, the Admin Portal, and user devices. 


  • TOTP cannot be disabled for device and RADIUS server authentication.
  • If TOTP is disabled for your org, you must have JumpCloud Protect Mobile Push or Duo Security MFA enabled.


Give your users secure and convenient access to their resources with JumpCloud Protect. You can also secure user access to resources with Duo MFA and WebAuthn MFA. See MFA Guide for Admins to learn more. 

About JumpCloud TOTP MFA

JumpCloud TOTP MFA uses authenticator codes called Time-based One-Time Password (TOTP) tokens. After TOTP MFA is configured for a user, that user is required to enter a TOTP token when they log in to a JumpCloud resource that is protected by TOTP MFA. Each user is set up independently, and has their own TOTP tokens. A TOTP application generates tokens for users, generally from a mobile device. Any application that can generate a six-digit SHA-1 based TOTP token can be used with JumpCloud TOTP MFA. Some apps qualified to work with JumpCloud are:

TOTP MFA Resource Availability

TOTP MFA resource protection is available on the following JumpCloud-managed resources:

  • User Portal login
  • Windows login
  • Mac login
  • Linux SSH login
  • SSO/SAML application login
  • RADIUS VPN networks
  • Admin Portal login*

After a user configures TOTP MFA, they are required to enter a TOTP token for any TOTP MFA-protected resource. For example, if TOTP MFA is enabled for a Linux server, and User A has completed TOTP MFA setup, they are prompted for a TOTP token when they sign in to the protected Linux server. If User B hasn't completed TOTP MFA setup, they aren't prompted when signing into the same Linux server.


Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.

*Admin Portal TOTP MFA protection follows a separate MFA enrollment process.

Preparing Your Users

We advise admins to educate their users before enabling TOTP MFA to prevent potential confusion over the change in their user workflow.

  • After an admin enables JumpCloud TOTP MFA for a user, the user receives an email notifying them they are now required to use TOTP MFA, and tells them how long they have to enroll in TOTP MFA before the TOTP token is required to log in to the User Portal and other protected resources.
  • Users can follow the link in their setup email, or can log in to the User Portal to start TOTP setup. The setup wizard gives them a TOTP key and QR code to scan with a qualified TOTP app.
  • After a user configures TOTP for their account, the JumpCloud User Portal requires username, password, and TOTP Token to log in. Users are also prompted for a TOTP token when logging in to any other resources protected by TOTP MFA, such as RADIUS and their device. 


TOTP attempts are not unlimited. Allowed number of user attempts is set by the IT Admin;  admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.

Learn more

Viewing the Status of User TOTP Enrollment

On the Users page, use the Columns dropdown to add the MFA: TOTP and MFA: User Requirement columns to confirm which users have completed TOTP enrollment.

Setting Up TOTP MFA

  1. Review TOTP MFA Resource Availability and Preparing Your Users.
  2. Configure TOTP MFA for User Accounts.
  3. Understand the User Workflow with MFA.
  4. Enable MFA for RADIUS and Devices.
  5. Enable MFA for the Admin Portal.
Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case