Use Multi-Factor Authentication (MFA) with JumpCloud to secure user access to your organization’s resources. Configure TOTP MFA to guard the User Portal, RADIUS, the Admin Portal, and Mac, Linux, and Windows systems.
About JumpCloud TOTP MFA
JumpCloud TOTP MFA uses authenticator codes called Time-based One-Time Password (TOTP) tokens. After TOTP MFA is configured for a user, that user is required to enter a TOTP token when they log in to a JumpCloud resource that is protected by TOTP MFA. Each user is set up independently, and has their own TOTP tokens. A TOTP application generates tokens for users, generally from a mobile device. Any application that can generate a six-digit SHA-1 based TOTP token can be used with JumpCloud TOTP MFA. Some apps qualified to work with JumpCloud are:
- JumpCloud Protect
- Google Authenticator
- Duo Mobile
- Yubico Authenticator for Desktop (for use with YubiKey)
TOTP MFA Resource Availability
TOTP MFA resource protection is available on the following JumpCloud-managed resources:
- User Portal login
- Windows login
- Mac login
- Linux SSH login
- SSO/SAML application login
- RADIUS VPN networks
- Admin Portal login*
After a user configures TOTP MFA, they are required to enter a TOTP token for any TOTP MFA-protected resource. For example, if TOTP MFA is enabled for a Linux server, and User A has completed TOTP MFA setup, they are prompted for a TOTP token when they sign in to the protected Linux server. If User B hasn't completed TOTP MFA setup, they aren't prompted when signing in to the same Linux server.
Users can authenticate to their local account without internet access, and TOTP MFA is still enforced in that situation.
* Admin Portal TOTP MFA protection follows a separate MFA enrollment process.
Preparing Your Users
We advise administrators to educate their users before enabling TOTP MFA to prevent potential confusion over the change in their user workflow.
- After an admin enables JumpCloud TOTP MFA for a user, the user receives an email notifying them that they are now required to use TOTP MFA and telling them how long they have to enroll before the TOTP token is required to log in to the User Portal and other protected resources.
- Users can follow the link in their setup email, or can log in to the User Portal to start TOTP setup. The setup wizard gives them a TOTP key and QR code to scan with a qualified TOTP app.
- After a user configures TOTP for their account, the JumpCloud User Portal requires username, password, and TOTP Token to log in. Users are also prompted for a TOTP token when logging in to any other resources protected by TOTP MFA, such as RADIUS and their system.
TOTP attempts are not unlimited. The allowed number of user attempts is set by the IT Admin; admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.
Viewing the Status of User TOTP Enrollment
On the Users page, use the Columns dropdown to add the MFA: TOTP and MFA: User Requirement columns to confirm which users have completed TOTP enrollment.