Configure TOTP MFA for User Accounts - JumpCloud (2024)

Use Multi-Factor Authentication with JumpCloud to secure user access to your organization’s resources. This guide shows you how to set up TOTP Multi-factor authentication (MFA) for JumpCloud users. TOTP MFA can be used to authenticate to the User Portal and other JumpCloud-managed resources like devices. See Configure MFA for Your Org before you begin.

Watch how to set up JumpCloud TOTP MFA for user accounts and the Admin Portal in Tutorial: TOTP MFA for Users and Admins.

You can also secure user access to resources with JumpCloud Protect, Duo MFA, and WebAuthn MFA. See MFA for Admins to learn more. JumpCloud recommends using JumpCloud Protect for your MFA solution.

Require MFA on Users

Requiring Multi-factor Authentication on an Individual User Account

To require MFA on an individual user account:

  1. Go to User Management > Users.
  2. Select a user to view their Details. See Getting Started: Users.
  3. In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal.
  4. Specify the number of days the user has to enroll in TOTP MFA before they are required to have MFA at log in. You can specify a number of days between 1 and 365. The default value is 7 days. The enrollment period applies only to TOTP MFA and not to other MFA factors.
  5. Click save user. After you save, users are notified in an email and are prompted to set up TOTP MFA the next time they log in to their User Portal.
  6. During enrollment, the user’s details indicate how much time is remaining on their enrollment period.
  7. After the enrollment period expires, the user is locked out of the User Portal.

Requiring TOTP MFA on Multiple User Accounts

To require MFA on multiple user accounts:

  1. Go to User Management > Users.
  2. Select one or more users.
  3. Click more actions, then select Require User MFA.
  4. Specify the number of days the user has to enroll in TOTP MFA before they are required to have a TOTP token at login. You can specify a number of days between 1 and 365. The default value is 7 days.
  5. Click require to require TOTP MFA for the selected users. After you require TOTP MFA for the selected users, they are notified in an email and will be prompted to set up TOTP MFA the next time they log in to their User Portal.

Extending Time for a User to Enroll in TOTP MFA

You can extend enrollment periods for users by resetting their TOTP MFA.

To extend a user's enrollment period:

  1. Go to User Management > Users.
  2. Select a user to view their Details panel.
  3. Click the user’s TOTP MFA status to see the TOTP MFA options menu.
  4. Select the Reset TOTP MFA option from the menu to display the Reset TOTP modal.
  5. Specify the time period the user has to enroll, starting from today, and then click reset.

After you reset TOTP MFA for a user, they are prompted to set up TOTP for their account.

Resetting TOTP MFA in Case of Device Loss or Failures

If users lose the device containing their TOTP app, admins can reset TOTP MFA for their account.

To reset TOTP MFA for a user:

  1. Go to User Management > Users.
  2. Select a user to view their Details panel.
  3. Click the user’s TOTP MFA status to see the TOTP MFA options menu.
  4. Select the Reset TOTP MFA option from the menu to display the Reset TOTP modal.
  5. Specify the time period the user has to enroll, starting from today, and then click reset.

After you reset TOTP MFA for a user, they are prompted to set up TOTP for their account.

See Enable TOTP MFA for Devices for information about enabling TOTP MFA on your JumpCloud managed systems.

View User TOTP MFA Status

The Users list MFA column, which defaults to TOTP, shows you a user's TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:

  • A user has enrolled successfully in TOTP MFA.
  • A user has not completed TOTP enrollment.
  • A user is in a TOTP MFA enrollment period (dates included).
  • A user’s TOTP MFA enrollment period has expired (expiration date included).
  • A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.

You can also view a user's MFA status in their user details.

You can filter the Users list to show MFA status and requirement. See Get Started: Users.

To see users in an enrollment period, apply both the required and inactive MFA status filters. Likewise, to see users with an expired enrollment period, also apply both the required and inactive MFA status filters.

Disabling TOTP MFA for the User Portal

Admins can disable TOTP MFA from guarding the User Portal. When TOTP MFA for the User Portal is disabled, other TOTP MFA protected resources like systems, RADIUS, and the Admin Portal aren’t impacted.

Considerations:

  • TOTP MFA is enabled by default.
  • At least one MFA factor must be enabled at all times. It’s not possible to disable all MFA factors.
  • To successfully disable TOTP MFA, make sure Duo MFA is enabled. Note: WebAuthn requires TOTP MFA or Duo MFA to be enabled. So, WebAuthn can’t be the only other factor that’s enabled when you disable TOTP MFA.

To disable TOTP MFA for the User Portal:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to Security Management > MFA Configurations.
  3. In the TOTP Configuration section, click Disable.

Re-enabling TOTP MFA for the User Portal

Admins can re-enable TOTP MFA to guard the User Portal. Re-enabling TOTP MFA for the User Portal doesn’t impact other TOTP MFA protected resources like systems, RADIUS, and the Admin Portal.

Considerations:

  • When TOTP MFA is re-enabled for the User Portal, admins can’t reopen an enrollment period. This means:
    • Users who don’t set up TOTP MFA in their enrollment period are locked out.
    • Users in their enrollment period remain in enrollment.
  • When TOTP MFA is re-enabled for the User Portal, Admins need to require MFA on their users from the More Actions Menu or from the User Details panel.
  • Admins can enable multiple factors for the User Portal.
  • Users can choose their MFA method when more than one factor is enabled.

To re-enable TOTP MFA for the User Portal:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to Security Management > MFA Configurations.
  3. In the TOTP Configuration section, click Enable.

Next Steps:

  1. Understand User Workflow with MFA.
  2. Enable MFA for RADIUS and Devices.
  3. Enable MFA for the Admin Portal.

Note:

TOTP attempts are not unlimited. Allowed number of user attempts is set by the IT Admin; admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.

FAQs

How do I enable multi factor authentication using TOTP?

Enroll users in TOTP MFA
  1. Re-authenticate the user.
  2. Generate a TOTP secret for the authenticated user: ...
  3. Display the secret to the user and prompt them to enter it into their authenticator app: ...
  4. Prompt the user to type the TOTP displayed by their authenticator app and use it to finalize MFA enrollment:

How do I require MFA for all users in JumpCloud?

To enable MFA for all JumpCloud Administrators:
  • Log in to the JumpCloud Admin Portal.
  • Go to Settings > Security.
  • Under Admin Accounts, click the checkbox for Global MFA Requirement. This will enforce MFA for all administrators in the org and any administrators that are added later. ...
  • Click Save.

How to set up authenticator for JumpCloud?

Log in to your JumpCloud User Portal: https://console.jumpcloud.com/login.
  1. Go to Security.
  2. Go to Set Up an Authenticator App.
  3. Choose an authenticator app to set up, such as JumpCloud Protect, and then click Continue.

How does TOTP MFA work?

TOTPs are used for two-factor authentication (2FA) or multi-factor authentication (MFA), layered atop shared-secret based static password authentication. After a user has entered a username and password, they are prompted to input a valid TOTP in an additional login field as proof of possession.

What is MFA or TOTP?

Multi-factor authentication (MFA) methods provide protection against replayability. Time-based one-time passwords are generated securely and expire after 30 seconds. The expiration eliminates the TOTP's ability to be used again which, in turn, can help protect your accounts and data.

How do I disable TOTP MFA in JumpCloud?

To disable TOTP MFA for the User Portal:

Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com. Go to Security Management > MFA Configurations. In the TOTP Configuration section, click Disable.

How do I get MFA status for all users?

Option 1 Using Microsoft Entra Admin Center
  1. Sign-in to the Microsoft Entra admin center.
  2. Go to All Users residing under Identity»Users and select Per-user MFA. ...
  3. In the list of users, view the multi-factor authentication status field to see the current MFA status for each user.

How do you enforce MFA for all users and guests?

To enforce MFA, you need to create a Microsoft Entra Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities. A valid external email account that you can add to your tenant directory as a guest user and use to sign in.

How to check if MFA is enabled for a user?

How To Check If MFA Is Enabled In Office 365 For Users?
  1. Sign in to the account and click on 'Admin'.
  2. Click on 'Users'.
  3. Select 'Active Users' and click on the 'Multi Factor Authentication' option at the top of the page.
Jan 23, 2023

Is MFA enforced for the user account?

MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.

How to setup MFA for service accounts?

How to configure an MFA-enabled service account
  1. Log in to portal.azure.com using your Global Administrator credentials.
  2. Click Azure Active Directory under Azure services.
  3. Choose Security from the left pane.
  4. Click MFA under the Manage category in the left pane.
  5. Choose the Additional cloud-based MFA settings option.

How do I set up my MFA Authenticator?

* If you only have a phone, follow the additional 'cannot scan the QR code' instructions below.
  1. Step 1 - Install the Microsoft Authenticator app. ...
  2. Step 2 - Go to your Security info. ...
  3. Step 3 - Add Authenticator app method. ...
  4. Step 4 - Set up the Microsoft Authenticator app. ...
  5. Step 5 - Notifications - iOS only.

How do I add an Authenticator to my account?

Set up Authenticator
  1. On your Android device, go to your Google Account.
  2. At the top, tap the Security tab. If at first you don't get the Security tab, swipe through all tabs until you find it.
  3. Under "You can add more sign-in options," tap Authenticator. ...
  4. Tap Set up authenticator. ...
  5. Follow the on-screen steps.

How do I set up two-factor authentication code?

Turn on 2-Step Verification
  1. Open your Google Account.
  2. In the navigation panel, select Security.
  3. Under “How you sign in to Google,” select 2-Step Verification. Get started.
  4. Follow the on-screen steps.

How do I turn on multi authentication?

Turn on MFA for each account or app!
  1. Go to Settings. It may be called Account Settings, Settings & Privacy or similar.
  2. Look for and turn on MFA. It may be called two-factor authentication, two-step authentication or similar.
  3. Confirm. Select which MFA method to use from the options provided by each account or app.

Does Microsoft authenticator support TOTP?

In this article, we provide simple instructions that you can share with your users for using Authenticator as a time-based one-time password (TOTP) provider. An additional factor in authentication prevents up to 99.9% of identity compromises.

Author: Rev. Porsche Oberbrunner
