Two-factor Authentication (2FA)

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their account by requiring a combination of two different factors to gain access to their account. Something they know (e.g. their password), and something they have (usually their smartphone, or hardware 2FA key management device).

2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.

Supported 2FA Methods offers several 2FA methods from which your users can select for their 2FA protection.

Users may add multiple 2FA method to their accounts and have multiple active simultaneously.

Yubikey WebAuthn (preferred)

This is the 2FA method recommended by for the greatest security. This method does not support FTP/SFTP/DAV. Learn more about Yubikeys.

WebAuthn is compatible with the previous FIDO U2F standard.

Yubikey Native

This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV. Blue Yubikeys are not supported.

Authenticator Apps that use TOTP (time based one-time password)

These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV.

SMS (Text messages)

This method is considered less secure than the others but still offers greater security than password alone. This method supports FTP/SFTP/DAV.

Hardware Key (WebAuthn)

This includes non-Yubikey hardware keys that support WebAuthn. This method does not support FTP/SFTP/DAV.

WebAuthn is compatible with the previous FIDO U2F standard.

Email Verification

With this method, the user must supply a code sent to them via email each time they attempt to connect. Just like SMS, receiving a 2FA code with email is less secure than other options, but still better than relying on a password alone. This 2FA method is only recommended when none of the others can be used.

Limiting Allowed 2FA Methods

Site administrators may select which 2FA methods are available to their users. All methods are allowed by default, but if your security model doesn't allow SMS, for example, you can deactivate that method.

2FA and Single Sign-on

If Single Sign-On (SSO) is enabled as the authentication method for your users, you can still enable 2FA in the account, as 2FA configuration with is independent of your SSO provider. You also have the option to enforce or override the site-wide 2FA requirements using SCIM provisioning.

Mandating 2FA

Administrators with a Power or Premier plan have the option to mandate 2FA for their users. The mandate can be applied for all users, or can be limited to administrators only.

Users flagged as a Shared/Bot user are exempt from 2FA mandates.

Before an administrator turns on this setting, they need to have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site. Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.

You can select whether to make 2FA required for All users, or Site Admins only. Once set, the applicable users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.

Removing the 2FA mandate, once it has been enabled, carries a 7 day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.

Exempting Individual Users From Mandate

Site administrators can edit individual users to exempt them from the site-side two-factor authentication requirements.

Bypassing 2FA for FTP/SFTP/WebDAV users

You can allow FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method. If an Administrator allows the FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method, those user profiles will include an option to bypass 2FA for FTP/SFTP/WebDAV access when configuring their 2FA method.

The sitewide setting to bypass 2FA must be enabled before a user configures their 2FA method in order for that user to bypass 2FA for FTP/SFTP/WebDAV. 2FA methods cannot be edited by a user; they must be reset by an administrator and set up again by the user. When the sitewide setting to bypass 2FA is enabled, users will see an option for the bypass while setting up their two-factor method.

If you want to implement 2FA for FTP, SFTP, and WebDAV users but you want to allow your scripts or applications to sign in securely with out 2FA, then you can use an API key as the password to sign in to FTP, SFTP, and WebDAV. This is useful when you have scripts or applications that need to sign in using FTP, SFTP, and WebDAV protocols. In this case, the user login name will be @api-[key-id or API key name] and the password will be the API key content.

Setting up 2FA

Users add 2FA methods when logged in to their own accounts.

Adding a 2FA method to your account requires reauthentication. Enter your password into the reauthentication box if this is the first method you are adding.

If you are adding multiple methods, you will be asked to reauthenticate with one of your active 2FA methods instead of your password.

Setting up 2FA with an Authenticator App

For this method, you will need to have your authenticator app of choice already installed on your mobile device. Popular choices include Google Authenticator, Duo, and Authy. These are also available and easily found in the app store for your device.

After the step above, you will see a QR code with instructions.

Open your authenticator app and follow its instructions to add new credentials. Most apps offer you a plus sign to tap to add credentials and then offer options to either Scan barcode/QR code OR a Manual entry.

Using the choose the Scan method, on the scanner window on your device, align the guides so that they enclose the QR code displayed on your site.

As soon as your device recognizes the code, your app will generate your new 2FA credential and show you your 2FA code. This may appear in a list of other credentials if you use your authenticator app for more than one system.

Enter an optional name in the App/device name field so that you can identify which 2FA method and device you are using, then enter the 2FA code displayed on your device in the field labeled Authenticator code and confirm the authenticator code.

Your 2FA method is now added and active.

Each authenticator code has 30-second life span which counts down on your authenticator app. If your code is about to expire in a few seconds, it's best to wait for the next code before entering it into the confirmation field.

Setting up 2FA with a Yubikey

Once you have completed the above steps, you will see an animated image directing you to insert your Yubikey into your computer's USB port.

Yubikeys are available in USB-A and USB-C configurations. Be sure to purchase the correct version for your computer.

Enter an optional name for your Yubikey so you can identify it later, and then insert your Yubikey and place your cursor in the Yubikey code field.

Tap the activation button on your Yubikey. The Yubikey will enter the code into the field and will send the enter command all in one operation.

Your 2FA method is now added and active.

Setting up 2FA with SMS

Selecting this method reveals the phone number field.

Click the flag to the left of the field if you need to change to a different country where your phone number is based. Remember to reauthenticate with your password (or an existing 2FA method if so directed) before clicking Next. will text you a six digit verification code.

Enter that code into the SMS code field, and click the Confirm code button.

Your 2FA method is now added and active.

Authenticating with 2FA via FTP, SFTP, or WebDAV

If a user has added a 2FA method that supports FTP/SFTP/DAV, they can authenticate via these protocols by appending a valid 2FA code to the end of their password when authenticating. If using a Yubikey native 2FA method, you can append the 2FA code by inserting your Yubikey into your computer's USB port and pressing its button immediately after typing your password.

If using the SMS 2FA method, you will need to first initiate a login via the web interface to trigger an SMS code being sent to your phone. Once you get the code on your phone, do not use that code to login via web interface. Instead, use that code code to authenticate via FTP/SFTP/DAV protocols by appending that code to the end of the user's password.

2FA with SSH/SFTP Keys

When using SFTP, a SSH/SFTP Key acts as an alternative authentication method, replacing a username and password.

You can implement 2FA for a SSH/SFTP Key by using key types of ecdsa-sk or ed25519-sk.

This implements 2FA at the SSH/SFTP Key itself, outside of control but supported by Whenever these SSH/SFTP Keys are used by a client app, the user will be prompted for a second authentication by their 2FA device. Once authenticated, the SSH/SFTP Key will be allowed to connect to SFTP.

When using these key types of ecdsa-sk or ed25519-sk to implement 2FA for the SSH/SFTP Key, the 2FA configuration is outside of control and cannot be reflected in the User settings. A user with this type of SSH/SFTP Key will not show as "2FA Enabled" because it is the Key that has 2FA enabled for it.

Revoking a 2FA Method as a User

If you need to revoke a 2FA method from your own account, you do this from the My Account page. You will be asked to supply the authenticator code from one of your 2FA methods..

If your 2FA device/method isn't available, e.g., if you have lost your yubikey, a site administrator will need to revoke the 2FA method for you.

Resetting User 2FA Methods as an Administrator

A site administrator can reset/remove all 2FA methods from a particular user account. You might wish to do this if the 2FA device is lost, for example, and the user needs to configure a new one.

The user will no longer have any 2FA methods associated with their account. If they are required to use 2FA, they will be prompted to create their new 2FA method when they log in.

Custom Domain Changes and 2FA Implications

Users with Yubikey / WebAuthn / U2F / FIDO authentication are tied specifically to the login domain of your site. If you change your site's custom domain settings, every user with this type of 2FA enabled will need to remove their existing 2FA settings and re-configure them. This is baked into the WebAuthn and U2F / FIDO standards requirement for devices to generate site-specific public/private key pairs, which follows.

If changing your site settings would impact users, you'll see a message similar to this one when you attempt to change the domain:

"If your site has X users using a Yubikey or Webauthn-based two-factor authentication (2FA) method. These methods are tied to the existing domain. If you change your domain, these 2FA methods will be removed and users will be required to re-register these methods."

Get Instant Access to

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, then fill out the short form on the next page. Your account will be activated instantly. You can dive in and start yourself or let us help. The choice is yours.

Start My Free Trial

©2024 All right reserved


  • Start My Free Trial
  • Pricing
  • Docs
  • API and SDKs
  • Contact


(800) 286-8372


9am–8pm Eastern