Two-Factor Authentication
Two-factor authentication (2FA) refers to the two-step verification process that is available in FileCloud and designed to provide an extra layer of security. With this function, in order to access FileCloud, the user is required to know not only the password and username but also an extra security code that is made available to them. The FileCloud administrator can enable two-factor authentication for the user portal, and also, separately, for the admin portal. This can be done regardless of the authentication type (default, AD, or LDAP).
FileCloud supports the following modes to deliver 2FA codes:
- Google Authenticator TOTP Code
- DUO Security (user portal only)
- SMS OTP Security Code
Two-factor authentication using user's email address
The general flow is shown below
Two-factor authentication using TOTP (Google Authenticator or similar TOTP code generators)
These instructions are written using Google Authenticator as an example TOTP code generator, however, any TOTP apps such as Microsoft Authenticator or DUO mobile app, etc. can be used.
To set up 2FA with Google Authenticator:
- In the FileCloud user portal, choose TOTP (Authenticator App) when configuring 2FA for the user portal. See Two-Factor Authentication for User Portal for help.
- In the FileCloud admin portal, choose TOTP Authentication when configuring 2FA for the admin portal. See Two-Factor Authentication for Admin Portal for help
When a user logs in for the first time, they are provided with an option to set up Google Authenticator. This involves entering a code or scanning a QR Code into the the Google Authenticator client. See Log in Using Two-Factor Authentication for more information.
Note that once Google Authenticator is set up using the user portal, other client devices can be used to connect to the FileCloud account.
Once 2FA with Google Authenticator is set up for the first time, the user is no longer able to set it up again. Only the Administrator can clear the Google Authenticator setup.
The general flow is shown below
Two-factor authentication using SMS OTP (one-time password) Security Codes
FileCloud can be set up to use SMS security codes to perform 2FA. Currently, we have implemented Twilio as the default SMS Gateway Provider, although enterprise customers may add custom SMS providers and handlers to the system. In order to successfully use SMS security, admins must set up a Twilio account to receive the required security ID, authentication token and the phone number from which the codes will be sent.
- Create a Twilio account.
Follow instructions at https://www.twilio.com/docs/sms to obtain the required SID, Auth Token and create a phone number. - In the FileCloud admin portal, open the 2FA settings page.
- In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click Misc
. - In the inner navigation bar on the left of the Settings page, expand the Misc menu, and click 2FA, as shown below.
The 2FA settings page opens.
- In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click Misc
- Fill in the 2FA settings.
The settings 2FA code length and 2FA code character format (2FA Code Dictionary) are available beginning in FileCloud version 20.2.
2FA code length - The number of letters and digits in the 2FA code. Default is 4.
2FA code character format- Type of characters permitted in 2FA code. Options are:
- Numbers and letters (default)
- Numbers
- Letters
- Uppercase letters
SMS 2FA code expiration in minutes - How long, in minutes, the security code remains valid. Default is 10.
Case-sensitive 2FA code comparison - When checked, the code entered is case-sensitive.
Allowed resend attempts - Number of times the user may resend the code before logging in is timed out for the time set in 2FA Code Resend Timeout.. Default is 5.
2FA Code Resend Timeout - Number of seconds between Allowed resend attempts that the user must wait before attempting to resend again. Default is 30.
For example, if Allowed resend attempts is 5, and 2FA Code Resend Timeout is 30, a user can attempt to resend a code 5 times and then is forced to wait 30 seconds before being able to attempt to resend the code another 5 times. If those attempts fail, the user is forced to wait another 30 seconds, and so on.
Test SMS gateway configuration - Enter a secure known phone number, and save the settings. Click Test SMS to check if your SMS configuration is valid.
SMS admin SID - SID of gateway provider.
SMS admin token - Token of gateway provider.
SMS admin sending phone number - Phone number from which SMS code is sent to user.
Once the setup is complete, set up the policy for users and choose the appropriate SMS gateway provider, similarly to other 2FA methods.
Users are required to set up a phone number once the SMS 2FA Policy is enabled. Once the phone number is set up, client devices can be used to connect to the FileCloud account. Set up the phone number via the web UI or through your admin.
If users are required to use SMS with 2FA, they will see the following dialog box during login after the policy is enabled:
Two factor authentication validity for Email based 2FA
2FA Code validity: 10 minutes.
For Web Apps, The 2FA validity period is tied to the Session Timeout
For Client apps (iOS , Android App, Drive and Sync) the 2FA code will be required only on very first access and subsequent access will not require the code. If the record of that device is removed using "Remove Client Device Record" action, then subsequent access for that mobile device will require the 2FA code.
For instructions specific to the admin portal or the user portal, see: