Two-factor Authentication (2FA)

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their account by requiring a combination of two different factors to gain access to their account:

  1. Something they know (e.g. their password), and
  2. Something they have (usually their smartphone, or hardware 2FA key management device).

2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.

Supported 2FA Methods offers five 2FA methods from which your users can select for their 2FA protection.

Users may add more than one 2FA method to their accounts and have multiple active simultaneously.

Yubikey U2F/FIDO (preferred)

This is the 2FA method recommended by for the greatest security. This method does not support FTP/SFTP/DAV. Learn more about Yubikeys here.

Yubikey Native

This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV. Blue Yubikeys are not supported.

Authenticator Apps that use TOTP (time based one-time password)

These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV.

SMS (Text messages)

This method is considered less secure than the others but still offers greater security than password alone. This method supports FTP/SFTP/DAV.

Hardware Key (U2F/FIDO)

This includes non-Yubikey hardware keys that support U2F/FIDO. This method does not support FTP/SFTP/DAV.

Limiting Allowed 2FA Methods

Administrators may select which 2FA methods are available to their users. All methods are allowed by default, but if your security model doesn't allow SMS, for example, de-selecting a method is a matter of navigating to Settings > Authentication > Two-factor authentication methods, and un-checking the box next to the method you would like to disable. Don't forget to click Save!

Mandating 2FA

Administrators with a Power or Premier plan have the option to mandate 2FA for their users. The mandate can be applied for all users, or can be limited to administrators only.

Users flagged as a Shared/Bot user are exempt from 2FA mandates.

Before an administrator turns on this setting, they need to have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site after turning on the requirement! Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.

To enable this requirement you must be an administrator. After adding at least one 2FA method as noted above, navigate to Settings > Authentication and click on the Two-factor authentication setting.

Here you can select the Required for option, and select whether to make 2FA required for All users, or Site Admins only. You will be required to re-authenticate using your default 2FA method before clicking the Update 2FA Requirements button to apply the change.

From that point forward, the applicable users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.

Removing the 2FA mandate, once it has been enabled, carries a seven (7) day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.

Exempting Individual Users From Mandate

You can exempt individual users via the Require Two-factor authentication setting found at Settings > Users > [username] > Authentication.

Setting up 2FA

Users add 2FA methods when logged in to their own accounts. To add a method, click on your username in the upper right corner of the web interface. In the menu that appears, click on My account.

Click on the Two-factor authentication section to reveal the help text, then click the button labeled Add new two-factor authentication method.

You will be presented with the 2FA options your site administrators have allowed for your site. Click the radio button for the method you would like to add.

Adding a 2FA method to your account requires reauthentication. Enter your password into the reauthentication box if this is the first method you are adding, then click Next.

Note: If you are adding multiple methods, you will be asked to reauthenticate with one of your active 2FA methods instead of your password.

Setting up 2FA with an Authenticator App

For this method, you will need to have your authenticator app of choice already installed on your mobile device. Popular choices include Google Authenticator, Duo, and Authy. These are also available and easily found in the app store for your device.

After you click the Next button in the step above, you will see a QR code with instructions.

Open your authenticator app and follow its instructions to add new credentials. Most apps offer you a plus sign to tap to add credentials and then two options: 1) Scan barcode/QR code or 2) Manual entry.

Choose the Scan method.

In the scanner window on your device, align the guides so that they enclose the QR code displayed on your site.

As soon as your device recognizes the code, your app will generate your new 2FA credential and show you your 2FA code. This may appear in a list of other credentials if you use your authenticator app for more than one system.

Enter an optional name in the App/device name field so that you can identify which 2FA method and device you are using, then enter the 2FA code displayed on your device in the field labeled Authenticator code and click on Confirm authenticator code.

Your 2FA method is now added and active.

Note: Each authenticator code has 30-second life span which counts down on your authenticator app. If your code is about to expire in a few seconds, it's best to wait for the next code before entering it into the confirmation field.

Setting up 2FA with a Yubikey

After you click the Next button in the step above, you will see an animated image directing you to insert your Yubikey into your computer's USB port.

Yubikeys are available in USB-A and USB-C configurations. Be sure to purchase the correct version for your computer.

Enter an optional name for your Yubikey so you can identify it later, and then insert your Yubikey and place your cursor in the Yubikey code field.

Tap the activation button on your Yubikey. The Yubikey will enter the code into the field and will send the enter command all in one operation.

Your 2FA method is now added and active.

Setting up 2FA with SMS

Selecting this method reveals the phone number field.

Click the flag to the left of the field if you need to change to a different country where your phone number is based. Remember to reauthenticate with your password (or an existing 2FA method if so directed) before clicking Next. will text you a six digit verification code.

Enter that code into the SMS code field, and click the Confirm authenticator code button.

Your 2FA method is now added and active.

Authenticating with 2FA via FTP, SFTP, or WebDAV

If a user has added a 2FA method that supports FTP/SFTP/DAV, they can authenticate via these protocols by appending a valid 2FA code to the end of their password when authenticating. If using a Yubikey native 2FA method, you can append the 2FA code by inserting your Yubikey into your computer's USB port and pressing its button immediately after typing your password.

If using the SMS 2FA method, you will need to first initiate a login via the web interface to trigger an SMS code being sent to your phone.

Revoking a 2FA Method as a User

If you need to revoke a 2FA method from your own account, you can do so by following these steps:

  1. Click on your username in the upper right of the web interface, and click My account from the menu.

  2. Click on Two-factor authentication to reveal your current list of 2FA methods.

  3. Click on the Revoke button next to the method you would like to remove.

You will be asked to supply the authenticator code from one of your 2FA methods.

Enter the code (or insert your Yubikey and press its button if authenticating with a Yubikey), and click the Delete button.

Your 2FA method is now revoked.

Resetting User 2FA Methods as an Administrator

If you are an administrator and wish to reset/remove all 2FA methods from a particular user account, you can do so by following these steps:

  1. Navigate to Settings > Users and click on the username of the user.

  2. Click the user's Authentication sub-tab, and then click the Two-factor authentication setting.

  3. Check the box for Reset this user's 2FA methods.

  4. Enter your administrator password in the reauthentication field, and click the Save button.

The user will no longer have any 2FA methods associated with their account.

Get Instant Access to and Start Collaborating and Automating

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, fill out the short form on the next page, get your account activated instantly, and start setting up your Files and Workflows immediately.

Start My Free Trial