Two-factor Authentication (2FA)

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their account by requiring a combination of two different factors to gain access to their account:

  1. Something they know (e.g. their password), and
  2. Something they have (usually their smartphone, or hardware 2FA key management device).

2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.

Supported 2FA Methods offers five 2FA methods from which your users can select for their 2FA protection.

Users may add more than one 2FA method to their accounts and have multiple active simultaneously.

Yubikey U2F/FIDO (preferred)

This is the 2FA method recommended by for the greatest security. This method does not support FTP/SFTP/DAV. Learn more about Yubikeys here.

Yubikey Native

This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV. Blue Yubikeys are not supported.

Authenticator Apps that use TOTP (time based one-time password)

These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV.

SMS (Text messages)

This method is considered less secure than the others but still offers greater security than password alone. This method supports FTP/SFTP/DAV.

Hardware Key (U2F/FIDO)

This includes non-Yubikey hardware keys that support U2F/FIDO. This method does not support FTP/SFTP/DAV.

Limiting Allowed 2FA Methods

Administrators may select which 2FA methods are available to their users. All methods are allowed by default, but if your security model doesn't allow SMS, for example, de-selecting a method is a matter of navigating to Settings > Users > User Settings > Two-factor authentication methods, and un-checking the box next to the method you would like to disable. Don't forget to click Save!

2FA and Single Sign-on

If Single Sign-On (SSO) is enabled as authentication method for your users, you will not be able to enable 2FA in account because 2FA is configured by your SSO provider in this case.

Mandating 2FA

Administrators with a Power or Premier plan have the option to mandate 2FA for their users. The mandate can be applied for all users, or can be limited to administrators only.

Users flagged as a Shared/Bot user are exempt from 2FA mandates.

Before an administrator turns on this setting, they need to have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site after turning on the requirement! Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.

To enable this requirement you must be an administrator. After adding at least one 2FA method as noted above, navigate to Settings > Users > User Settings and click on the Two-factor authentication setting.

Here you can select the Required for option, and select whether to make 2FA required for All users, or Site Admins only. You will be required to re-authenticate using your default 2FA method before clicking the Update 2FA Requirements button to apply the change.

From that point forward, the applicable users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.

Removing the 2FA mandate, once it has been enabled, carries a seven (7) day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.

Exempting Individual Users From Mandate

You can exempt individual users via the Require Two-factor authentication setting found at Settings > Users > [username] > Authentication.

Bypassing 2FA for FTP/SFTP/WebDAV users

You can allow FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method. You can update these settings at Settings > Users > User Settings > Allow FTP/SFTP/WebDAV users to bypass two-factor authentication. If an Administrator allowed the FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method, those user profiles will include an option to bypass 2FA for FTP/SFTP/WebDAV access when configuring their 2FA method.

If you want to implement 2FA for FTP, SFTP, and WebDAV users but you want to allow your scripts or applications to sign in securely with out 2FA, then you can use an API key as the password to sign in to FTP, SFTP, and WebDAV. This is useful when you have scripts or applications that need to sign in using FTP, SFTP, and WebDAV protocols. In this case, the user login name will be @api-[key-id or API key name] and the password will be the API key content.

Setting up 2FA

Users add 2FA methods when logged in to their own accounts. To add a method, click on your username in the upper right corner of the web interface. In the menu that appears, click on My account.

Click on the Two-factor authentication section to reveal the help text, then click the button labeled Add new two-factor authentication method.

You will be presented with the 2FA options your site administrators have allowed for your site. Click the radio button for the method you would like to add.

Adding a 2FA method to your account requires reauthentication. Enter your password into the reauthentication box if this is the first method you are adding, then click Next.

Note: If you are adding multiple methods, you will be asked to reauthenticate with one of your active 2FA methods instead of your password.

Setting up 2FA with an Authenticator App

For this method, you will need to have your authenticator app of choice already installed on your mobile device. Popular choices include Google Authenticator, Duo, and Authy. These are also available and easily found in the app store for your device.

After you click the Next button in the step above, you will see a QR code with instructions.

Open your authenticator app and follow its instructions to add new credentials. Most apps offer you a plus sign to tap to add credentials and then two options: 1) Scan barcode/QR code or 2) Manual entry.

Choose the Scan method.

In the scanner window on your device, align the guides so that they enclose the QR code displayed on your site.

As soon as your device recognizes the code, your app will generate your new 2FA credential and show you your 2FA code. This may appear in a list of other credentials if you use your authenticator app for more than one system.

Enter an optional name in the App/device name field so that you can identify which 2FA method and device you are using, then enter the 2FA code displayed on your device in the field labeled Authenticator code and click on Confirm authenticator code.

Your 2FA method is now added and active.

Note: Each authenticator code has 30-second life span which counts down on your authenticator app. If your code is about to expire in a few seconds, it's best to wait for the next code before entering it into the confirmation field.

Setting up 2FA with a Yubikey

After you click the Next button in the step above, you will see an animated image directing you to insert your Yubikey into your computer's USB port.

Yubikeys are available in USB-A and USB-C configurations. Be sure to purchase the correct version for your computer.

Enter an optional name for your Yubikey so you can identify it later, and then insert your Yubikey and place your cursor in the Yubikey code field.

Tap the activation button on your Yubikey. The Yubikey will enter the code into the field and will send the enter command all in one operation.

Your 2FA method is now added and active.

Setting up 2FA with SMS

Selecting this method reveals the phone number field.

Click the flag to the left of the field if you need to change to a different country where your phone number is based. Remember to reauthenticate with your password (or an existing 2FA method if so directed) before clicking Next. will text you a six digit verification code.

Enter that code into the SMS code field, and click the Confirm code button.

Your 2FA method is now added and active.

Authenticating with 2FA via FTP, SFTP, or WebDAV

If a user has added a 2FA method that supports FTP/SFTP/DAV, they can authenticate via these protocols by appending a valid 2FA code to the end of their password when authenticating. If using a Yubikey native 2FA method, you can append the 2FA code by inserting your Yubikey into your computer's USB port and pressing its button immediately after typing your password.

If using the SMS 2FA method, you will need to first initiate a login via the web interface to trigger an SMS code being sent to your phone. Once you get the code on your phone, do not use that code to login via web interface. Instead, use that code code to authenticate via FTP/SFTP/DAV protocols by appending that code to the end of the user's password.

Revoking a 2FA Method as a User

If you need to revoke a 2FA method from your own account, you can do so by following these steps:

  1. Click on your username in the upper right of the web interface, and click My account from the menu.
  2. Click on Two-factor authentication to reveal your current list of 2FA methods.
  3. Click on the Revoke button next to the method you would like to remove.

You will be asked to supply the authenticator code from one of your 2FA methods.

Enter the code (or insert your Yubikey and press its button if authenticating with a Yubikey), and click the Delete button.

Your 2FA method is now revoked.

Resetting User 2FA Methods as an Administrator

If you are an administrator and wish to reset/remove all 2FA methods from a particular user account, you can do so by following these steps:

  1. Navigate to Settings > Users and click on the username of the user.
  2. Click the user's Authentication sub-tab, and then click the Two-factor authentication setting.
  3. Check the box for Reset this user's 2FA methods.
  4. Enter your administrator password in the reauthentication field, and click the Save button.

The user will no longer have any 2FA methods associated with their account.

I Changed My Custom Domain, And Users with Yubikey / U2F / FIDO Authentication Were Reset!

These types of two-factor authentication are tied specifically to the login domain of your site. If you change your site's custom domain settings, every user with this type of 2FA enabled will need to remove their existing 2FA settings and re-configure them. This is baked into the U2F / FIDO standards requirement for devices to generate site-specific public/private key pairs, which follows.

If changing your site settings would impact users, you'll see a message similar to this one when you attempt to change the domain:

Your site has X users using a Yubikey or Webauthn-based two-factor authentication (2FA) method. These methods are tied to the existing domain. As part of a domain change, these 2FA methods will be removed and users will be required to re-register these methods.

Get Instant Access to

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, then fill out the short form on the next page. Your account will be activated instantly. You can dive in and start yourself or let us help. The choice is yours.

Start My Free Trial

©2023 All right reserved


  • Start My Free Trial
  • Pricing
  • Docs
  • API and SDKs
  • Contact


(800) 286-8372


9am–8pm Eastern