Two-factor Authentication (2FA)

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their account by requiring a combination of two different factors to gain access:

  1. Something they know (e.g. their password), and
  2. Something they have (usually their smartphone, or a hardware 2FA key).

2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.

Supported 2FA Methods

There are five 2FA methods from which your users can select for their 2FA protection:

  • Yubikey U2F/FIDO (preferred)
    This is the 2FA method recommended for the greatest security. This method does not support FTP/SFTP/DAV. Learn more about Yubikeys here.

  • Yubikey Native
    This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV. Blue Yubikeys are not supported.

  • Authenticator Apps that use TOTP (time-based one-time password)
    These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV.

  • SMS (Text messages)
    This method is considered less secure than the others but still offers greater security than password alone. This method supports FTP/SFTP/DAV.

  • Hardware Key (U2F/FIDO)
    This includes non-Yubikey hardware keys that support U2F/FIDO. This method does not support FTP/SFTP/DAV.

Note: Your users may add more than one 2FA method to their accounts and have multiple active simultaneously.

Mandating 2FA

Administrators with an Enterprise or Enterprise Premier plan have the option to mandate 2FA for their users.

Before an administrator turns on this setting, they must have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site after turning on the requirement!

Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.

To enable this requirement you must be an administrator. After adding at least one 2FA method as noted above, navigate to Settings > Security and click on the Two-factor authentication setting.

You will be required to re-authenticate using your default 2FA method. Once you have completed that step, you can click the Require 2FA From All Users button.

From that point forward, all of your users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.

Important Note

Removing the 2FA mandate, once it has been enabled, carries a seven (7) day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.

Limiting Allowed 2FA Methods

Administrators may select which 2FA methods are available to their users. All methods are selected by default, but if your security model doesn’t allow SMS, for example, de-selecting a method is a matter of navigating to Settings > Security > Two-factor authentication methods, and un-checking the box next to the method you would like to disable. Don’t forget to click Save!

Setting up 2FA

Users add 2FA methods when logged in to their own accounts. To add a method, click on your username in the upper right corner of the web interface. In the menu that appears, click on My account.

Click on the Two-factor authentication section to reveal the help text, then click the button labeled Add new two-factor authentication method.

You will be presented with the 2FA options your site administrators have allowed for your site. Click the radio button for the method you would like to add.

Adding a 2FA method to your account requires reauthentication. Enter your password into the reauthentication box if this is the first method you are adding, then click Next.

Note: If you are adding multiple methods, you will be asked to reauthenticate with one of your active 2FA methods instead of your password.

Setting up 2FA with an Authenticator App

For this method, you will need to have your authenticator app of choice already installed on your mobile device. Popular choices are Google Authenticator, Duo, and Authy. These are also available and easily found in the app store for your device.

After you click the Next button in the step above, you will see a QR code with instructions.

Open your authenticator app and follow its instructions to add new credentials. Most apps offer you a plus sign to tap to add credentials and then two options: 1) Scan barcode/QR code or 2) Manual entry.

Choose the Scan method.

In the scanner window on your device, align the guides so that they enclose the QR code displayed on your site.

As soon as your device recognizes the code, your app will generate your new 2FA credential and show you your 2FA code. This may appear in a list of other credentials if you use your authenticator app for more than one system.

Enter an optional name in the App/device name field so that you can identify which 2FA method and device you are using, then enter the 2FA code displayed on your device in the field labeled Authenticator code and click on Confirm authenticator code.

Your 2FA method is now added and active.

Note that each authenticator code has a 30-second life span, which counts down in your authenticator app. If your code is about to expire in a few seconds, it’s best to wait for the next code before entering it into the confirmation field.

Setting up 2FA with a Yubikey

After you click the Next button in the step above, you will see an animated image directing you to insert your Yubikey into your computer’s USB port.

Yubikeys are available in USB-A and USB-C configurations. Be sure to purchase the correct version for your computer.

Enter an optional name for your Yubikey so you can identify it later, and then insert your Yubikey and place your cursor in the Yubikey code field.

Tap the activation button on your Yubikey. The Yubikey will type the code into the field and then send an Enter keystroke, all in one operation.

Your 2FA method is now added and active.

Setting up 2FA with SMS

Selecting this method reveals the phone number field.

Click the flag to the left of the field if you need to change to a different country where your phone number is based.

Remember to reauthenticate with your password (or an existing 2FA method if so directed) before clicking Next. A six-digit verification code will then be sent to your phone by text message.

Enter that code into the SMS code field, and click the Confirm authenticator code button.

Your 2FA method is now added and active.

Authenticating with 2FA via FTP/SFTP/DAV

If a user has added a 2FA method that supports FTP/SFTP/DAV, they can authenticate via these protocols by appending a valid 2FA code to the end of their password when authenticating. If using a Yubikey native 2FA method, you can append the 2FA code by inserting your Yubikey into your computer’s USB port and pressing its button immediately after typing your password.

Note that if using the SMS 2FA method, you will need to first initiate a login via the web interface to trigger an SMS code being sent to your phone.
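The two behaviours described above, the 30-second life span of an authenticator code and the protocol login that appends the code to the password, come together on the server side of a TOTP check. The following is an added illustration, not the service's own code: it implements RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits), accepts one step of clock skew either side so a code typed just before rollover is still honoured, and splits a submitted "password + code" string into its two factors. The secret, password and timestamps are constructed values; the RFC 6238 reference secret is used so the results are checkable.

```python
import hmac
import hashlib
import struct

TOTP_STEP_SECONDS = 30   # the 30-second life span of each authenticator code
TOTP_DIGITS = 6          # a fixed code length is what makes "password + code" splittable


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole time steps since the epoch."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps on either side.

    The skew window is why a code that has just rolled over on the device is still accepted
    for a short time; tighten it to 0 if the deployment requires exact-step matching.
    Comparison is constant-time so the check does not leak which digits matched.
    """
    current = at // TOTP_STEP_SECONDS
    ok = False
    for counter in range(current - skew, current + skew + 1):
        # evaluate every candidate rather than returning early, so timing does not reveal the step
        ok |= hmac.compare_digest(hotp(secret, counter), code)
    return ok


def split_password_and_code(submitted: str, digits: int = TOTP_DIGITS):
    """Split a protocol login string of the form <password><6-digit code> into its two factors.

    Returns None when there are not enough trailing digits to contain a code.
    Because the code length is fixed, a password that itself ends in digits is not ambiguous.
    """
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def authenticate_protocol_login(submitted: str, expected_password: str, secret: bytes, at: int) -> bool:
    """Check both factors for an FTP/SFTP/DAV-style login where the 2FA code is appended to the password.

    `expected_password` stands in for whatever the real system stores (it would be a hash there);
    both factors are checked before returning so a failure does not reveal which one was wrong.
    """
    parts = split_password_and_code(submitted)
    if parts is None:
        return False
    password, code = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    code_ok = verify_totp(secret, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values; the secret is the RFC 6238 reference secret.
    demo_secret = b"12345678901234567890"
    demo_password = "correct horse"
    now = 59
    code_now = totp(demo_secret, now)
    print("code at t=59:", code_now)
    print("login with code:", authenticate_protocol_login(demo_password + code_now, demo_password, demo_secret, now))
    print("login 30s later (skew window):", authenticate_protocol_login(demo_password + code_now, demo_password, demo_secret, now + 30))
    print("login 60s later (expired):", authenticate_protocol_login(demo_password + code_now, demo_password, demo_secret, now + 60))
```

The SMS and Yubikey native variants described above differ only in how the appended code is produced and checked; the splitting step is the same, which is why each method's code has a fixed, recognisable length.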

Revoking a 2FA Method as a User

If you need to revoke a 2FA method from your own account, you can do so by following these steps:

  1. Click on your username in the upper right of the web interface, and click My account from the menu.
  2. Click on Two-factor authentication to reveal your current list of 2FA methods.
  3. Click on the Revoke button next to the method you would like to remove.

You will be asked to supply the authenticator code from one of your other 2FA methods, or your user account password if you are removing your only method.

Resetting User 2FA Methods as an Administrator

If you are an administrator and wish to reset/remove all 2FA methods from a particular user account, you can do so by following these steps:

  1. Navigate to Settings > Users and click on the username of the user.
  2. Click the Two-factor authentication setting.
  3. Check the box for Reset this user’s 2FA methods.
  4. Enter your password in the reauthentication field, and click the Save button.

The user will no longer have any 2FA methods associated with their account.