Skip to main content
Security & Compliance

Authentication & Access Configuration

Files.com gives customers the controls they need to align user authentication and access with their own security policies: authentication methods, password policies, IP and location restrictions, session timeouts, and two-factor authentication (2FA/MFA). These controls are reviewed annually as part of our SOC 2 Type II audit.

User Passwords and Authentication

Customer-managed users authenticate with username and password credentials. Passwords are stored in a salted and encrypted format using PBKDF2 with SHA-512, and cannot be viewed or exported in any form (hashed or unhashed).

Customers can define password requirements, including:

  • Minimum length and complexity
  • Change intervals and expiration
  • Forced resets on next login

A password strength meter aligned with the NIST SP 800-63B standard guides secure password creation.

Files.com supports password import in hashed formats such as raw MD5, SHA-1, or SHA-2. On first use, these are converted to our internal format.

API access is authenticated using access keys rather than passwords.

Idle Timeout and Session Management

By default, web sessions time out after 6 hours of inactivity. Customers can adjust this value using the session expiration setting.

Restricting Access by IP or Location

Customers can restrict account access based on IP address or country, either per-user or site-wide. Files.com also publishes a list of outbound IP addresses used for services such as webhooks and LDAP, which customers can allowlist on their own networks.

Two-Factor and Multi-Factor Authentication (2FA/MFA) Configuration

Files.com supports multiple 2FA/MFA options on all plan levels, including SMS codes, Yubikey and U2F devices, and authenticator apps like Google Authenticator.

Customers on Power, Premier, and Enterprise plans can enforce 2FA/MFA requirements across all users. Files.com also integrates with external identity providers (Okta, Azure AD, OneLogin, and others) that can enforce 2FA policies as part of their authentication flow.