MFA Guide for Admins

Use Multi-factor Authentication with JumpCloud to secure user access to your organization’s resources. With JumpCloud, Admins have the option to use JumpCloud Go, JumpCloud Protect (Push MFA), Verification Code (TOTP) MFA, WebAuthn MFA, and Duo Security MFA to strengthen security in their organization. 


After you set up MFA, configure a Conditional Access Policy to relax or restrict access to resources based on conditions like a user's identity and the network and device they’re on. Learn more in Get Started: Conditional Access Policies

About JumpCloud Go MFA

What is JumpCloud Go MFA?

Enable secure passwordless authentication, letting users verify their identity using their device authenticator (Apple Touch ID or Windows Hello).

When a user logs in to a resource protected with JumpCloud Go, they need to use their device authenticator to confirm their identity.


Google Chrome and the JumpCloud Go browser extension are required.

Using JumpCloud Go MFA

You can use JumpCloud Go to protect the User Portal and SSO applications. During registration, JumpCloud Go uses 3 authentication factors to confirm a user’s identity. For subsequent verifications, JumpCloud Go always uses two factors, but those factors depend on if biometrics are configured.


Users need to configure biometrics on their device authenticator to be able to utilize them with JumpCloud Go. Otherwise, the device password will be used.

About JumpCloud Protect Mobile Push MFA

What is Push MFA?

With Push MFA, users can authenticate with a push notification that’s sent to their mobile device. 

When a user logs in to a resource that’s protected by Push MFA, they need to provide their username, password, and approve the login request from a push notification they get on their mobile device. 

Push MFA requires users to download the JumpCloud Protect app on their mobile device. Learn more in JumpCloud Protect for Admins.

Using Push MFA

You can use Push MFA to protect the User Portal, SSO applications, Password Reset, Devices (as a second factor), and RADIUS, and LDAP. 


JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second period, except for RADIUS and LDAP attempts. Admins can turn this off, or increase the limit for maximum concurrent attempts, in MFA Configurations. 

Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights under the event name push_mfa_attempt_failed; the error message is ‘too many concurrent push requests’.

About Verification Code (TOTP) MFA

What is Verification Code (TOTP) MFA?

Verification Code (TOTP) MFA uses authentication codes called Time-based One Time Passwords (TOTP). These codes are generated from an authenticator application on a mobile phone or computer. We recommend using JumpCloud Protect for TOTP, but other apps, like Google Authenticator or Yubico Authenticator, can also be used.

When a user logs in to a resource that’s guarded by Verification Code MFA, they must provide their username, password, and a TOTP code generated by the authenticator application on their phone or computer. 

Using Verification Code (TOTP) MFA

You can use Verification Code (TOTP) MFA in JumpCloud to protect the User Portal, the Admin Portal, RADIUS, LDAP, and Mac, Linux, and Windows systems. See the following articles for instructions on how to set up Verification Code MFA for these resources:


Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.

Find out more about some of the authenticator applications you can use with JumpCloud TOTP MFA:

Share Set up an Authenticator App with your organization’s users. 

About WebAuthn MFA

What is WebAuthn MFA?

WebAuthn MFA lets users authenticate using security keys like YubiKey and Titan, or with a device authenticator, which is usually a device biometric such as Apple Touch ID or Windows Hello.

When a user logs in to a resource that’s guarded by WebAuthn MFA, they must provide their username, password, and their security key or device authenticator. 


On Windows devices, the authenticator being enrolled as a device authenticator must already be enrolled in Windows Hello, otherwise enrollment will fail. 

Using WebAuthn MFA

You can use WebAuthn MFA to protect the User Portal, SSO applications, and password resets made from the User Portal. 

About Duo Security MFA

What is Duo Security MFA?

Duo Security MFA lets users authenticate using push notifications, phone callbacks, and mobile passcodes provided by Duo. Admins can choose the authentication options users have for Duo Security MFA.

When a user logs in to a resource that’s guarded by Duo Security MFA, they must provide their username, password, and choose an authentication option. Users then provide the factor required authentication method. 

Using Duo Security MFA

You can use Duo Security MFA to guard the User Portal, SSO applications, and password resets made from the User Portal. 


Duo is ending support for the traditional Duo two-factor authentication prompt on March 30, 2024. JumpCloud supports Duo universal prompt and recommends admins update to that method. Read more here:

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case