User Workflow with MFA

After you configure TOTP MFA, use this article to learn about the workflows your users have for the following:

Initial Setup

  1. The user receives an email, stating they are required to set up TOTP MFA for their JumpCloud account.
  2. They click the link in the email or log in to the JumpCloud User Portal.
  3. They are prompted for username and password.
  4. They click the user login button.
  5. Username and password are authenticated.
  6. They are prompted to set up TOTP MFA. They can dismiss this prompt until the enrollment period ends. If they dismiss the prompt, they are reminded of the number of days remaining in enrollment.
  7. If they click continue, they are provided a QR code and TOTP token that can be used to configure a qualified TOTP token app, and are then prompted for their first TOTP token produced by the TOTP token app. 


JumpCloud recommends that your users use the JumpCloud Protect app for TOTP.

  1. For backup purposes, we recommend that users copy and paste their TOTP key string below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a users loses their device with the TOTP token app.
  2. After successful token submission, the user is notified that MFA setup is complete.

Expiring Enrollment

When a user's enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended. See Configure TOTP MFA for User Accounts.

Logging in to the User Portal After MFA Setup

After a user has configured TOTP MFA for their account, an admin has required MFA on the User Portal for the user, and a TOTP app is installed and linked with the user's account, the TOTP MFA User Portal login experience is as follows:

  1. The user goes to
  2. They are prompted for username and password.
  3. They click the user login button.
  4. Username and password are authenticated.
  5. They are prompted for the TOTP token, which they obtain from their TOTP app, such as JumpCloud Protect. The user has 60 seconds to enter the 6-digit token code from their TOTP app into the JumpCloud TOTP field. Nearing the end of the 60-second cycle, their MFA app indicates the current key is about to expire, and the user should wait until a new key is generated.
  6. They click the user login button.
  7. Their TOTP token is authenticated.
  8. They are logged in to the User Portal.


TOTP attempts are not unlimited. Allowed number of user attempts is set by the IT Admin; admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.


Here's a guided simulation: User Portal MFA TOTP Login.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case