Two-Factor Authentication (2FA)
Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their Files.com account by requiring a combination of two different factors to gain access: something they know (e.g. their password) and something they have (usually their smartphone or a hardware 2FA key device).
2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.
Limiting Allowed 2FA Methods
Site administrators may select which 2FA methods are available to their users. All methods are allowed by default, but if your security model doesn't allow SMS, for example, you can deactivate that method.
2FA and Single Sign-on
If Single Sign-On (SSO) is enabled for your users, you can still configure 2FA requirements within Files.com. In your SSO provider configuration under User Access & Security, you can set how 2FA applies to users provisioned through your identity provider. You can follow the site-wide 2FA policy, always require 2FA, or never require it for your SSO users. This controls whether users signing in through SSO are prompted to set up 2FA in Files.com and applies to users provisioned through SCIM or JIT provisioning. By setting this during SSO provisioning, you can automatically enforce 2FA requirements for your SSO users.
If your organization prefers to enforce 2FA through the identity provider, you can set it up directly within your SSO platform. Most providers support their own 2FA policies, allowing you to require multi-factor authentication before the user reaches Files.com. This setup can be used independently or in combination with 2FA settings configured in Files.com.
Mandating 2FA
Administrators with a Power or Premier plan have the option to mandate 2FA for their users. The mandate can be applied for all users, or can be limited to administrators only.
Users flagged as a Shared/Bot user are exempt from 2FA mandates.
Before an administrator turns on this setting, they need to have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site. Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.
You can select whether to make 2FA required for All users, or Site Admins only. Once set, the applicable users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.
Removing the 2FA mandate, once it has been enabled, carries a 7-day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.
Exempting Individual Users From Mandate
Site administrators can configure individual user accounts to exempt them from the site-wide two-factor authentication requirements.
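The mandate rules from the Mandating 2FA section and the exemptions above, modelled as policy-evaluation code. This is an added illustrative example, not Files.com's own implementation; the field names, the scope labels "all" / "admins", the use of integer day numbers for time, and the assumption that per-user and Shared/Bot exemptions also apply during the 7-day waiting period are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the page's mandate rules (not Files.com code).
COOLDOWN_DAYS = 7  # waiting period after an administrator removes the mandate


@dataclass
class User:
    is_admin: bool = False
    is_bot: bool = False   # Shared/Bot users are exempt from mandates
    exempt: bool = False   # per-user exemption set by a site administrator
    methods: int = 0       # number of 2FA methods the user has enrolled


@dataclass
class SitePolicy:
    scope: Optional[str] = None          # None, "all" or "admins" (assumed labels)
    removed_scope: Optional[str] = None  # scope that was in force before removal
    removed_on: Optional[int] = None     # day number on which it was removed

    def enable(self, admin: User, scope: str) -> None:
        # Precaution from the page: the enabling admin must already have a
        # 2FA method, otherwise they could lock themselves out of the site.
        if not admin.is_admin or admin.methods < 1:
            raise ValueError("administrator must set up a 2FA method first")
        self.scope, self.removed_scope, self.removed_on = scope, None, None

    def remove(self, today: int) -> None:
        # Removal starts the waiting period; the old scope keeps applying.
        self.removed_scope, self.removed_on, self.scope = self.scope, today, None

    def effective_scope(self, today: int) -> Optional[str]:
        if self.scope is not None:
            return self.scope
        if self.removed_on is not None and today - self.removed_on < COOLDOWN_DAYS:
            return self.removed_scope
        return None


def covered(user: User, site: SitePolicy, today: int) -> bool:
    """Does the (possibly lingering) mandate apply to this user?"""
    scope = site.effective_scope(today)
    if scope is None or user.is_bot or user.exempt:
        return False
    return scope == "all" or (scope == "admins" and user.is_admin)


def must_set_up_2fa(user: User, site: SitePolicy, today: int) -> bool:
    """Prompt at next login when covered and no method is enrolled yet."""
    return covered(user, site, today) and user.methods == 0


def can_remove_last_method(user: User, site: SitePolicy, today: int) -> bool:
    """A user may drop their only method once no mandate covers them."""
    return user.methods != 1 or not covered(user, site, today)
```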