Note: JumpCloud Protect® is designed to operate on Android 8 and iOS 13 and higher. It may operate on older versions, but they aren't supported by JumpCloud.
JumpCloud Protect is a mobile app for iOS and Android that can be used for Multi-Factor Authentication (MFA) or 2-step verification. Once the app is downloaded and the device is enrolled, it can be used for push notifications or as an authenticator (TOTP).
The app can be downloaded from the iOS App Store or the Google Play Store. After you've downloaded the app and successfully enrolled your device, you can authenticate using Push MFA or Verification (TOTP) Code MFA.
JumpCloud Protect sends a push notification to your enrolled mobile device after you’ve attempted to access a resource with your username and password.
Prerequisite:
- Your Admin has to enable JumpCloud Protect in order for you to download it.
Considerations:
- The JumpCloud Protect app supports iOS version 13 and above, and Android 8.0 and above.
- The JumpCloud Protect app may run on a tablet, but isn’t optimized for tablets at this time.
- A user can only be enrolled in JumpCloud Protect on one device.
- Mobile Push is supported for authentication into the User Portal, SAML SSO apps, device logins, and for Password Reset.
- JumpCloud Protect will collect certain diagnostic data for troubleshooting issues and continuous app improvements. No user info is collected. These options are toggled On by default; users can turn off the data collection in the app.
- To do this, tap More > Settings to display options for toggling off Share Diagnostic Data.
Note: This help article provides info for JumpCloud users. For Admins looking to set up the JumpCloud Protect app for their users, see JumpCloud Protect Admin Guide to learn more.
Workflow:
- You'll receive the login request on the lock screen of your device, and can approve/deny with a long press (iOS) or by expanding the notification (Android).
- If your Admin requires biometric authentication, the login request won't complete without it (Face ID, fingerprint, or passcode).
- When you approve the login request, you gain access to your resource. If you tap deny, the login request is declined, which prevents bad actors from accessing your account.
Note: A push notification is valid for 60 seconds. After that, the User Portal times out and the user needs to initiate the push notification process again. If the user responds to an expired push notification on the device, an error appears.
You can use JumpCloud to log into the Admin Portal, User Portal, or into your Windows, Mac, or Linux devices.
Protecting Against Push Bombing and MFA Fatigue Attacks
Push Bombing is an attack method in which multiple 2FA attempts are triggered using push notifications in the hope that the user accepts one of the requests accidentally. MFA fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration.
To protect yourself against these types of attacks:
- Make sure you're following a strong password policy.
- Enable biometric authentication on your device and ask your Admin to enable it for JumpCloud Protect.
- Verify the app and location info before approving a push request.
Note: JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a 60-second timeout period (the maximum number of concurrent attempts can be changed by an Admin). You can try again after the timeout or after you've approved or denied the initial request.
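The following added example is not JumpCloud's code; it models the blocking rule in the note above so you can see why a burst of prompts never reaches the phone and when a retry is allowed. The names PushGate, request, respond and replay, and the choice to track pushes per (user, resource) pair, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PUSH_TTL_SECONDS = 60  # push validity window stated in the article


@dataclass
class PushGate:
    """Caps outstanding push requests per (user, resource); keying is an assumption."""
    max_pending: int = 1  # admin-adjustable limit; default of 1 matches the note
    ttl: float = PUSH_TTL_SECONDS
    _pending: dict = field(default_factory=dict)  # (user, resource) -> {push_id: expiry}
    _next_id: int = 0

    def _live(self, key, now):
        # Forget expired pushes so the slot frees itself once the timeout passes.
        live = {p: exp for p, exp in self._pending.get(key, {}).items() if exp > now}
        self._pending[key] = live
        return live

    def request(self, user, resource, now):
        """Return a new push id, or None when the request is blocked."""
        live = self._live((user, resource), now)
        if len(live) >= self.max_pending:
            return None  # repeated prompts never reach the phone
        self._next_id += 1
        live[self._next_id] = now + self.ttl
        return self._next_id

    def respond(self, user, resource, push_id, now):
        """Approve or deny. False means the push expired or is unknown."""
        return self._live((user, resource), now).pop(push_id, None) is not None


def replay(events, gate):
    """Run constructed (time, user, resource) login attempts; list the outcomes."""
    return ["sent" if gate.request(u, r, now=t) else "blocked" for t, u, r in events]


if __name__ == "__main__":
    # Constructed timeline: a burst of attempts against one resource, then a retry
    # after the 60-second window has passed.
    burst = [(0, "alice", "user-portal"), (2, "alice", "user-portal"),
             (4, "alice", "user-portal"), (5, "alice", "saml-app"),
             (61, "alice", "user-portal")]
    print(replay(burst, PushGate()))
```

Times are plain seconds passed in by the caller, so the 60-second window can be exercised without waiting.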