Two-factor Authentication (2FA)

---

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It allows your users to enable additional protection for their Files.com account by requiring a combination of two different factors to gain access to their Files.com account. Something they know (e.g. their password), and something they have (usually their smartphone, or hardware 2FA key management device).

2FA is an excellent way to improve your security profile and provide an added layer of protection to your data.

Files.com offers 5 2FA methods from which your users can select for their 2FA protection.

Users may add more than 1 2FA method to their accounts and have multiple active simultaneously.

This is the 2FA method recommended by Files.com for the greatest security. This method does not support FTP/SFTP/DAV. Learn more about Yubikeys.

WebAuthn is compatible with the previous FIDO U2F standard.

This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV. Blue Yubikeys are not supported.

These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV.

This method is considered less secure than the others but still offers greater security than password alone. This method supports FTP/SFTP/DAV.

This includes non-Yubikey hardware keys that support WebAuthn. This method does not support FTP/SFTP/DAV.

WebAuthn is compatible with the previous FIDO U2F standard.

Site administrators may select which 2FA methods are available to their users. All methods are allowed by default, but if your security model doesn't allow SMS, for example, you can deactivate that method. Type "Two-factor authentication methods" in the search box at the top of each page and click on the matching result. Update the checkboxes for the available methods and click Save. Any un-checked methods will not be available.

If Single Sign-On (SSO) is enabled as authentication method for your users, you will not be able to enable 2FA in the Files.com account because 2FA is configured by your SSO provider.

Administrators with a Power or Premier plan have the option to mandate 2FA for their users. The mandate can be applied for all users, or can be limited to administrators only.

Users flagged as a Shared/Bot user are exempt from 2FA mandates.

Before an administrator turns on this setting, they need to have at least one 2FA method set up for their own user. This is a precaution to prevent the administrator from being locked out of the site. Refer to the Setting up 2FA section below for instructions on how to set up a 2FA method.

To enable this requirement you must be an administrator. After adding at least one 2FA method as noted above, type "Two-factor authentication" in the search box at the top of every page, and then click on the matching result.

Here you can select the Required for option, and select whether to make 2FA required for All users, or Site Admins only. You will be required to re-authenticate using your default 2FA method before clicking the Update 2FA Requirements button to apply the change.

From that point forward, the applicable users will be required to set up and verify a 2FA method upon their next login before they are able to proceed using their account.

Removing the 2FA mandate, once it has been enabled, carries a 7 day waiting period as a security measure. After an administrator removes the 2FA requirement, users will not be able to remove their last 2FA method, and new users will still have to enable at least one 2FA method, until seven days have elapsed.

Site administrators can edit individual users to exempt them from the site-side two-factor authentication requirements. Edit the user and select the Authentication tab to find the Require Two-factor authentication setting.

You can allow FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method. To find this setting, type "bypass two-factor" in the search box at the top of each page, then click the matching result for Allow FTP/SFTP/WebDAV users to bypass two-factor authentication. If an Administrator allowed the FTP, SFTP, and WebDAV users to bypass the Two-factor authentication method, those user profiles will include an option to bypass 2FA for FTP/SFTP/WebDAV access when configuring their 2FA method.

If you want to implement 2FA for FTP, SFTP, and WebDAV users but you want to allow your scripts or applications to sign in securely with out 2FA, then you can use an API key as the password to sign in to FTP, SFTP, and WebDAV. This is useful when you have scripts or applications that need to sign in using FTP, SFTP, and WebDAV protocols. In this case, the user login name will be @api-[key-id or API key name] and the password will be the API key content.

Users add 2FA methods when logged in to their own accounts. To add a method, click on your username in the upper right corner of the web interface. In the menu that appears, click on My account.

Select the Two-factor authentication section to reveal the help text, then select Add new two-factor authentication method.

You will be presented with the 2FA options your site administrators have allowed for your site. Click the radio button for the method you would like to add.

Adding a 2FA method to your account requires reauthentication. Enter your password into the reauthentication box if this is the first method you are adding.

If you are adding multiple methods, you will be asked to reauthenticate with one of your active 2FA methods instead of your password.

For this method, you will need to have your authenticator app of choice already installed on your mobile device. Popular choices include Google Authenticator, Duo, and Authy. These are also available and easily found in the app store for your device.

After the step above, you will see a QR code with instructions.

Open your authenticator app and follow its instructions to add new credentials. Most apps offer you a plus sign to tap to add credentials and then offer options to either Scan barcode/QR code OR a Manual entry.

Using the choose the Scan method, on the scanner window on your device, align the guides so that they enclose the QR code displayed on your Files.com site.

As soon as your device recognizes the code, your app will generate your new 2FA credential and show you your 2FA code. This may appear in a list of other credentials if you use your authenticator app for more than one system.

Enter an optional name in the App/device name field so that you can identify which 2FA method and device you are using, then enter the 2FA code displayed on your device in the field labeled Authenticator code and confirm the authenticator code.

Your 2FA method is now added and active.

Each authenticator code has 30-second life span which counts down on your authenticator app. If your code is about to expire in a few seconds, it's best to wait for the next code before entering it into the confirmation field.

Once you have completed the above steps, you will see an animated image directing you to insert your Yubikey into your computer's USB port.

Yubikeys are available in USB-A and USB-C configurations. Be sure to purchase the correct version for your computer.

Enter an optional name for your Yubikey so you can identify it later, and then insert your Yubikey and place your cursor in the Yubikey code field.

Tap the activation button on your Yubikey. The Yubikey will enter the code into the field and will send the enter command all in one operation.

Your 2FA method is now added and active.

Selecting this method reveals the phone number field.

Click the flag to the left of the field if you need to change to a different country where your phone number is based. Remember to reauthenticate with your password (or an existing 2FA method if so directed) before clicking Next.

Files.com will text you a six digit verification code.

Enter that code into the SMS code field, and click the Confirm code button.

Your 2FA method is now added and active.

If a user has added a 2FA method that supports FTP/SFTP/DAV, they can authenticate via these protocols by appending a valid 2FA code to the end of their password when authenticating. If using a Yubikey native 2FA method, you can append the 2FA code by inserting your Yubikey into your computer's USB port and pressing its button immediately after typing your password.

If using the SMS 2FA method, you will need to first initiate a login via the web interface to trigger an SMS code being sent to your phone. Once you get the code on your phone, do not use that code to login via web interface. Instead, use that code code to authenticate via FTP/SFTP/DAV protocols by appending that code to the end of the user's password.

When using SFTP, a SSH/SFTP Key acts as an alternative authentication method, replacing a username and password.

You can implement 2FA for a SSH/SFTP Key by using key types of ecdsa-sk or ed25519-sk.

This implements 2FA at the SSH/SFTP Key itself, outside of Files.com control but supported by Files.com. Whenever these SSH/SFTP Keys are used by a client app, the user will be prompted for a second authentication by their 2FA device. Once authenticated, the SSH/SFTP Key will be allowed to connect to Files.com SFTP.

When using these key types of ecdsa-sk or ed25519-sk to implement 2FA for the SSH/SFTP Key, the 2FA configuration is outside of Files.com control and cannot be reflected in the User settings. A user with this type of SSH/SFTP Key will not show as "2FA Enabled" because it is the Key that has 2FA enabled for it.

If you need to revoke a 2FA method from your own account, you do this from the My Account page on the top right corner. Click on your username in the upper right of the web interface, and click My account from the menu and select_Two-factor authentication_ to reveal your current list of 2FA methods. Similarly, you can also use the Revoke option to remove the 2FA methods.

You will be asked to supply the authenticator code from one of your 2FA methods.

Enter the code (or insert your Yubikey and press its button if authenticating with a Yubikey), and click the Delete button. Your 2FA method will now be revoked.

If you are an administrator and wish to reset/remove all 2FA methods from a particular user account, type "Manage Users" in the search bar at the top of each page and then click the matching result.

Select the username of the user you want to edit. Use the Authentication sub-tab for that user, and then click the Two-factor authentication setting. Select the box for Reset this user's 2FA methods. Note that you will be asked to provide your administrator password prior to clicking on Save.

The user will no longer have any 2FA methods associated with their account.

Users with Yubikey / WebAuthn / U2F / FIDO authentication are tied specifically to the login domain of your site. If you change your site's custom domain settings, every user with this type of 2FA enabled will need to remove their existing 2FA settings and re-configure them. This is baked into the WebAuthn and U2F / FIDO standards requirement for devices to generate site-specific public/private key pairs, which Files.com follows.

If changing your site settings would impact users, you'll see a message similar to this one when you attempt to change the domain:

"If your site has X users using a Yubikey or Webauthn-based two-factor authentication (2FA) method. These methods are tied to the existing domain. If you change your domain, these 2FA methods will be removed and users will be required to re-register these methods."