Skip to main content
Documentation

Supported 2FA Methods

Files.com offers several 2FA methods from which your users can select for their 2FA protection.

Users may add multiple 2FA method to their accounts and have multiple active simultaneously.

Files.com recommends hardware security keys and authenticator apps as the primary 2FA methods. Use SMS and email only as fallback options.

Hardware Security Keys

A hardware security key is a physical device, usually a small USB token. Files.com supports the following hardware security key authentication methods.

Yubikey WebAuthn (Preferred)

This is the 2FA method recommended by Files.com for the greatest security. This method does not support FTP/SFTP/DAV connections. Learn more about YubikeysExternal LinkThis link leads to an external website and will open in a new tab.

WebAuthn is compatible with the previous FIDO U2F standard.

Yubikey Native

This method uses the OTP (One-time Password) feature of your Yubikey. This method supports FTP/SFTP/DAV connections. Blue Yubikeys are not supported.

Hardware Key (WebAuthn)

This includes non-Yubikey hardware keys that support WebAuthn. This method does not support FTP/SFTP/DAV connections.

Authenticator Apps That Use TOTP (Time-Based One-Time Password)

These include apps such as Google Authenticator, Duo, and Authy. Authenticator apps are typically installed and used on mobile devices. This method supports FTP/SFTP/DAV connections.

SMS (Text Messages)

SMS-based 2FA is less secure than hardware security keys and authenticator apps, but still safer than a password alone.

With this method, Files.com sends a one-time code by SMS to the phone number configured for the user's 2FA each time they attempt to log in.

Each code is valid for 10 minutes and can only be used once. After a code is used or expires, it becomes invalid. At the next login attempt, Files.com automatically sends a new code by SMS.

SMS depends on phone carriers and third-party delivery networks. That makes it more exposed to interception, SIM swap attacks, and phone-number reassignment issues than device-based methods.

SMS is also less reliable. Delivery can be delayed or blocked by carrier issues, roaming issues, or regional outages. Because one-time codes are time-sensitive, delays can prevent successful login.

Use SMS only when a hardware security key or authenticator app is not practical. This method supports FTP/SFTP/DAV connections.

Email Verification

Email-based 2FA is less secure than hardware security keys and authenticator apps, but still safer than using a password alone.

With this method, the user enters a code that Files.com sends by email each time they attempt to log in.

Each code is valid for 10 minutes and can only be used once. After a code is used or expires, it becomes invalid. At the next login attempt, Files.com automatically sends a new code by email.

A user can log in with an unused code within its 5 minute validity window. After five minutes, the code expires. All login attempts that are made within the 5 minute duration of an unused code will expect that code. Once used, the code cannot be used again. After 5 minutes, the next login attempt will cause a new code to be emailed to the user.

Email is weaker because it depends on the security of the user’s mailbox. If an attacker can access the email account, they may also receive the verification code.

Email delivery can be delayed by spam filtering, mail routing issues, provider outages, or local mail server policies. Because each code is short-lived, delayed delivery can make the code unusable before it arrives.

This method does not support FTP/SFTP/DAV connections.

Use email verification only if you cannot use a hardware security key, Yubikey, or authenticator app.

Changes to Supported 2FA Methods

When a Site Administrator updates the list of supported 2FA methods and disables a previously allowed method, users who are currently using that method can still complete their next login with it. After signing in, they will be required to configure at least one 2FA method from the remaining supported methods. The disabled method will no longer be available for future use. Users who already have another supported 2FA method configured can continue signing in with that method without interruption.

When a site administrator enables an additional 2FA method, existing users are not affected. They can continue signing in with their current 2FA methods, and the newly supported method becomes available in their profile settings for optional setup.