The Authentication Type setting on a user controls how that user logs in and authenticates to their Files.com account. Files.com offers several authentication methods to fit different security, migration, and compliance needs. Site administrators configure the authentication type when creating a user and can change it at any time, through the Web UI or through our APIs and SDKs.

When you create a new user and choose Email Signup for the authentication type, a Welcome Email will be sent to the new user with a link for them to create their password.

Once the user has created their password, their authentication type will change to Password. Users listed with Email Signup in the users table indicate those who haven't configured their password yet.

With email signup as an authentication method, users set their own passwords by following your site's password requirements during the signup process. This avoids sending passwords in plain text to your users and supports compliance requirements for the storage and management of user passwords.

Password

With Password as an authentication method, the site administrator specifies the password. Users can change their password at any time by following your site's password requirements.

If Welcome Emails are enabled, Files.com sends an email to newly created users informing them that their account has been created. The email does not contain the user's password unless you have customized your welcome email to include it, which we do not recommend.

Along with the password, users can use API keys or an SFTP/SSH key to log in via SFTP.

When creating a new user with Password as an authentication method, you can optionally force the user to change their password when first signing in. Until they update it, they cannot log in using the original password.

Combination of Password and SFTP/SSH Key (SFTP only)

With Password and SFTP/SSH key (SFTP only) as the authentication method, both a password and an SFTP/SSH key are required to access your site's resources through an SFTP client. Users with this authentication method can access their account only over SFTP.

This dual authentication method is a form of two-factor authentication for SFTP connections, useful when your security policy requires both a key and a password.

Import Hashed Password from Another System

When migrating users to Files.com, you can provide an existing password hash instead of a plaintext password. Files.com auto-detects the algorithm. The imported hash is used only to verify the user's first successful login. After authentication succeeds, Files.com stores the password using the platform's internal PBKDF2/PKCS5 password hashing system.

Supported Formats and Algorithms

Files.com supports two primary methods for importing hashes: Simple Hash-Salt pairs and standard Modular Crypt Format (used by Linux/Unix systems).

Supported hashes are PBKDF2, MD5, SHA1, SHA256, SHA512, and DES.

Provide the crypt string exactly as stored in the source system. Do not attempt to recompute or modify the hash value. Files.com reads the algorithm identifier, salt, and iteration settings directly from the string.

Simple Hash-Salt Pairs

For systems that store a raw hash and a salt separately, provide the values separated by a colon (hash:salt).

Modular Crypt Format (MCF)

Files.com supports the standard "crypt" formats used by most modern Linux distributions (glibc). These are key-derivation functions that use iterative stretching to strengthen the stored hash. Three identifiers are supported:

6: SHA-512, standard glibc crypt format.
5: SHA-256, standard glibc crypt format.
1: MD5, the legacy Apache/Unix MD5-crypt format.

Provide the full string (for example, $6$salt$hash or $6$rounds=5000$salt$hash) directly. Files.com detects the algorithm, salt, and iteration rounds from the string.

None (Use SSH or API Keys)

Users with an authentication type of None cannot authenticate using a password. They can still authenticate with an API key, or with an SFTP/SSH key over SFTP. When you select None as the authentication method, the site administrator must create API keys or SFTP/SSH keys before the user or system can log in. This authentication method is typically used for unattended systems that access your site's resources.

A user created with the None authentication method is not sent a new-user welcome email, because there is nothing for that user to configure on their own. A site administrator follows up by creating API keys or SFTP/SSH keys.

Single Sign On (SSO)

Users log in through SSO using your existing SSO provider. They can also use API keys or an SFTP/SSH key to log in via SFTP.

The only SSO providers that support direct password authentication over FTP, SFTP, and WebDAV are Active Directory and LDAP. With every other SSO provider, the user must set up an API key or SFTP key to use those protocols.

Authentication Using API Keys or SFTP/SSH Keys

Users whose accounts are not disabled can use API keys or SFTP/SSH keys to connect to their Files.com account.

API Keys

Users can connect to your site using API keys if their authentication method is Password (set by the site administrator, user, or imported hash), None (using SSH or API keys), or SSO. If your site settings allow it, users who are not site administrators can create and revoke their own API keys.

API keys are independent of each other. Generating a unique API key for each application or system lets you revoke any one of them without disrupting your other integrations.

Using API Key as the Password

You can also use an API key as the password to sign in to FTP, SFTP, and WebDAV. This is useful for scripts or applications that need to authenticate over these protocols. The user login name is @api-[key-id or API key name], and the password is the API key itself. Using an API key as the password is useful when you want to enforce two-factor authentication (2FA) for FTP, SFTP, and WebDAV users while still letting your scripts or applications sign in without 2FA.

Authentication Methods