Unified JumpCloud Protect Experience for Push and TOTP MFA

JumpCloud has introduced an enhanced Push and Time-Based One-Time Password (TOTP) multi-factor authentication (MFA) capability to secure your access. This update simplifies the enrollment process, giving users the flexibility and control of both Push and TOTP methods while maintaining robust security.

Admins with the Billing role can enable this feature through the MFA settings in their Admin Portal. Once enabled, existing users will continue to log in using their previously configured MFA methods, alongside the new unified experience. This ensures a seamless experience with no disruption to current user access or workflows.

If a user previously configured TOTP with a third-party authenticator and then switches to JumpCloud Protect TOTP, access from the third-party app will be retained until the user resets the JumpCloud Protect app.

Prerequisites

At least one MFA method is mandatory at all times.

Enrolling Users for the Unified MFA Experience

To enable the JumpCloud Protect unified MFA experience for users in your org:

  1. Log in to the JumpCloud Admin portal.
  2. Go to SECURITY MANAGEMENT > MFA Configurations.
  3. A banner appears at the top, notifying you about merging JumpCloud Protect Push and TOTP. Click Merge.
  4. You’ll be prompted to verify before continuing. Click Confirm.
    The JumpCloud Protect settings for both Push and TOTP authenticator code notifications are now unified and shown in a single view.

Note:

Admins have to choose between TOTP with JumpCloud Protect, or TOTP with other vendors (e.g., Microsoft Authenticator), as both cannot be enabled simultaneously.

Unenrolling Users from the Unified MFA Experience

Tip:

The unified MFA experience offers one-step enrollment for both Push and TOTP authenticator codes by scanning a single QR code. It’s not recommended to unenroll users from this process.

To unenroll users from the JumpCloud Protect Push and TOTP unified MFA experience:

  1. Log in to the JumpCloud Admin portal.
  2. Go to SECURITY MANAGEMENT > MFA Configurations.
  3. Under JumpCloud Protect, click Separate.
  4. You’ll be prompted to verify before continuing. Click Confirm.
    The JumpCloud Protect Push and TOTP authenticator code settings are now separated.

When the Admin unenrolls a user, the settings for Push and TOTP authenticator code MFA are displayed separately in the user portal.

Unified MFA Experience for Users

After an Admin enables the unified MFA experience, a banner is displayed in the User Portal on the Security settings page. In the Multi-Factor Authentication section, the JumpCloud Protect option is Active.

Users will receive a notification that their push account has been successfully migrated to JumpCloud Protect. After logging in to the JumpCloud Protect app, both Push and TOTP MFA details are visible in the Account Details. If the user tries to delete the account, they’ll see a warning message.

If an Admin unenrolls a user from the unified experience, the settings for Push and TOTP authenticator code MFA will be displayed separately in the user portal. Under Security settings, the user can delete the existing device and/or sign up for another TOTP vendor.

Warning:

Unenrolling from the JumpCloud unified MFA experience is not recommended, as it may prevent users from accessing their JumpCloud account.

FAQ: Unified MFA Experience with JumpCloud Protect

Can TOTP from JumpCloud Protect and TOTP from another authenticator app be used together?

TOTP with JumpCloud Protect and TOTP with other vendors can't be enabled simultaneously for devices and users for install base tenants.

Will this feature be enabled automatically for customers?

Admins will need to opt in to this feature on the Admin portal by going to SECURITY MANAGEMENT > MFA Configurations in order to access the new unified authentication experience in the UI.

Which Admin role can enable the unified experience with JumpCloud Protect?

Only Admins with the Billing role can enable the unified experience with JumpCloud Protect.

After enabling the unified MFA experience, can I choose to use only JumpCloud Push or only JumpCloud TOTP?

Within the unified experience, users and Admins have access to both JumpCloud Protect TOTP and Push and cannot have only one of them. Having both allows them to choose their preferred authentication method.

Has the email-based onboarding workflow changed in any way?

No new onboarding workflows for JumpCloud Protect will be introduced via email or other methods. The existing customer onboarding process will remain unchanged and will be revisited in future phases.

If I had previously enabled TOTP using a third-party authenticator before enabling the unified experience, will the previous TOTP method still work after the merge?

Yes. If a user configured TOTP with a third-party authenticator before the upgrade and decides to switch to JumpCloud Protect TOTP, enabling JumpCloud Protect will retain TOTP access from the other vendor’s app (until the user resets JumpCloud Protect).

What happens if I’m enrolled with both Protect Push and Protect TOTP, and then I enable the unified experience with Protect?

The next time users log in using Protect Push or Protect TOTP, the User Portal will reflect the updated unified experience.

Can I enable the unified experience with JumpCloud Protect if I’m already enrolled with another vendor or password manager for TOTP, but not with Protect Push?

After entering their username and password, users will be prompted for MFA and can log in using their previously enrolled factors, while the User Portal will encourage them to scan the QR code with the JumpCloud Protect mobile app (no manual entry of the 6-digit code required).

Can I reset only TOTP after the unified experience is enabled?

No. With the unified experience, Push and TOTP are merged into a single MFA method, so enrollment is a one-step process. Resetting the MFA method is also a one-step process. Both Push and TOTP will be reset simultaneously.

What happens if I’m enrolled with JumpCloud Protect Push and with TOTP from another vendor or password manager, and then I enable the unified experience with JumpCloud Protect?

After entering their username and password, users will complete MFA with their existing factors. A banner on the landing or Security page will notify them of the update, and both Push and TOTP will be enabled via Protect.

What happens when you merge for the unified experience with JumpCloud Protect?

Users will continue logging in using Protect Push and TOTP. In the Security tab, they will see two entries: one for Protect Push and another labeled Authenticator App, which includes a “Reset Authenticator App” button. If a user wishes to switch to a different authenticator app such as Google, Duo, or Authy, they must first click the reset button and authenticate using the TOTP from the JumpCloud Protect app. Once the reset is complete, they can enroll with their preferred third-party authenticator.

What happens to my JumpCloud Admins that are not merged with a JC user?

Admins not linked to users will continue using TOTP as their sole MFA factor. For admins linked to users, a one-step enrollment for JC Protect Push and TOTP will be available, inheriting MFA enforcement from the user. Admins not merged with users will only log in via TOTP and will not have access to this feature.
