
Two Factor Authentication (2FA) refers to the "Two step verification" process available in FileCloud v9.0 onwards, designed to provide an extra layer of security.

With this function, in order to access FileCloud servers a user must know not only the username and password but must also supply an extra, time-limited security code that is delivered to them (by email or SMS) or generated on their device (TOTP app or DUO Mobile). A stolen password alone is therefore not enough to log in.


Two Factor Authentication to access User Portal

A FileCloud administrator can enable Two Factor Authentication for access to the user portal. This can be done regardless of the authentication type (AD, LDAP, etc.).


FileCloud supports the following modes to deliver the 2FA code:

  1. Deliver code using user's registered email
  2. Google Authenticator TOTP Code
  3. DUO Security
  4. SMS OTP Security Code

Two Factor Authentication into user portal using user's registered email address

The general flow is shown below


Two Factor Authentication into user portal using TOTP (Google Authenticator or similar TOTP code generators)


These instructions use Google Authenticator as the example TOTP code generator; however, any TOTP app, such as Microsoft Authenticator or the Duo Mobile app, can be used.

From FileCloud v12.0 onwards, users can also log into the user portal using their credentials plus a Google Authenticator TOTP code. The Google Authenticator mobile clients are available for free in the mobile app stores.

The user sets up Google Authenticator once and subsequently must provide the code generated by the Google Authenticator application in order to log in.

When the user logs in for the first time, they are offered the option to set up Google Authenticator. This involves entering a code or scanning a QR code into the Google Authenticator client. That code or QR code carries the shared secret from which every future TOTP code is derived, so it should be treated like a password and not saved, shared or screenshotted. Once it has been set up for the first time the user can no longer set it up again; only the Administrator can clear the Google Authenticator setup.

The user must use a web browser to log in and set up Google Authenticator. Once Google Authenticator is set up, other client devices can be used to connect to the FileCloud account.


Instead of Google Authenticator app, Microsoft or Duo Security apps can also be used to manage the TOTP code


The general flow is shown below
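To make the enrollment and verification steps above concrete, the following is an added example (not FileCloud's code, and not taken from Google Authenticator) that implements RFC 6238 TOTP in Python with only the standard library: generating the shared secret the QR code carries, building the otpauth:// URI that authenticator apps scan, computing the 6-digit code the app displays, and verifying a submitted code on the server side with a small clock-drift window and replay protection. Function names, the window size and the replay bookkeeping are assumptions; the only fixed secret is the RFC 4226/6238 test-vector key.

```python
"""RFC 6238 TOTP enrollment and verification (added illustration, not FileCloud's code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30      # time step in seconds (Google Authenticator default)
DIGITS = 6     # code length (Google Authenticator default)

# Shared secret from the RFC 4226 / RFC 6238 test vectors ("12345678901234567890"),
# base32-encoded as an enrollment QR code would carry it. Demo value only.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Create a random shared secret, base32-encoded without padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the enrollment QR code encodes.

    Anyone who reads this URI (or a screenshot of the QR code) can generate
    valid codes indefinitely, so it has to be handled like a password.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, restoring the '=' padding the QR code omits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP). This is what the app shows."""
    at = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), at // STEP, digits)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, last_used_step: int = -1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the current step and +/- `window` steps to tolerate clock drift,
    compares in constant time, and refuses any step at or before
    `last_used_step` so a code captured in transit cannot be replayed while
    it is still inside the window. The caller stores the returned step and
    passes it back as `last_used_step` on the user's next attempt.
    """
    at = int(time.time()) if at is None else at
    key = _decode_secret(secret_b32)
    current = at // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step).encode(), submitted.encode()):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    secret = generate_secret()
    print("Enroll by scanning:", provisioning_uri(secret, "alice@example.com", "FileCloud"))
    print("Current code:", totp(secret))
    print("RFC 6238 vector at t=59:", totp(RFC_TEST_SECRET, at=59, digits=8))  # 94287082
```

The window of one step either side is the usual trade-off between tolerating phone clock drift and widening the interval in which a phished code stays usable; the `last_used_step` check is what stops the same code being accepted twice inside that interval.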



Two Factor Authentication using DUO Security

As of v17.3, FileCloud can be set up to use the DUO Security service to perform 2FA. Note that DUO Push is not supported; the code generated by the DUO Mobile app must be entered to perform 2FA.
The following steps are required to set up 2FA using DUO:


  1. Add a DUO Auth API application
    • Follow the instructions at https://duo.com/docs/authapi to obtain the integration key, secret key, and API hostname
    • Enter the information in Admin Portal → Settings → Misc → Duo Security tab under Auth API Security Settings and save

  2. Add a DUO Admin API application
    • Follow the instructions at https://duo.com/docs/adminapi to obtain the integration key, secret key, and API hostname
    • Ensure it has the "Grant read resource" permission. The Admin API key is a privileged credential, so do not grant it permissions beyond the one required here
    • Enter the information in Admin Portal → Settings → Misc → Duo Security tab under Admin API Security Settings and save



3. Open the Policies tab and select the policy (select the Global policy if 2FA should be the default)

4. Open the 2FA tab of the Policy

5. Select "YES" for Enable Two Factor Authentication

6. Select "DUO Security" for Two Factor Authentication Mechanism and save the policy






Two Factor Authentication using SMS OTP (one-time password) Security Codes


As of v19.2, FileCloud can be set up to use SMS security codes to perform 2FA. Currently Twilio is implemented as the default SMS gateway provider, although enterprise customers may add custom SMS providers and handlers to the system. In order to use SMS security, admins must set up a Twilio account to obtain the required account SID, authentication token and the phone number from which the codes will be sent.

  1. Create a Twilio account
    Follow the instructions at https://www.twilio.com/docs/sms to obtain the required SID and Auth Token and to create a phone number.
  2. Enter the information in Settings > Misc > Two FA.

    The settings 2FA Code Length and 2FA Code Dictionary are available beginning in FileCloud version 20.2.

    2FA Code Length - The number of letters and digits in the 2FA code. Default is 4.
    Note that a 4-character code drawn from numbers and letters and compared case-insensitively allows only 36^4 (about 1.7 million) distinct codes, and a 4-digit numeric code only 10,000. A longer code and a shorter expiration leave less room for guessing while a code is valid.

    2FA Code Dictionary - Type of characters permitted in the 2FA code. Options are:

    • Numbers and letters (default)
    • Numbers
    • Letters
    • Uppercase letters

    SMS 2FA Code Expiration in Minutes - How long, in minutes, the security code remains valid. Default is 10.

    Case-sensitive 2FA Code Comparison - When checked, the code entered is compared case-sensitively.

    Allowed Resend Attempts - Number of times the user may resend the code before resending is blocked for the time set in 2FA Code Resend Timeout. Default is 5.

    2FA Code Resend Timeout - Number of seconds the user must wait, after exhausting the Allowed Resend Attempts, before attempting to resend again. Default is 30.
    For example, if Allowed Resend Attempts is 5 and 2FA Code Resend Timeout is 30, a user can attempt to resend a code 5 times and is then forced to wait 30 seconds before being able to attempt to resend the code another 5 times. If those attempts fail, the user is forced to wait another 30 seconds, and so on.

    SMS Admin SID Security Settings - SID (account identifier) of the gateway provider.

    SMS Admin Token - Auth token of the gateway provider. Treat it as a secret: anyone holding it can send messages from your Twilio account.

    SMS Admin Sending Phone Number - Phone number from which the SMS code is sent to the user.

Once the setup is complete, set up the policy for users and choose SMS Security (with the appropriate SMS gateway provider) as the 2FA mechanism, similarly to the other 2FA methods.
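As an added example of how the settings listed above fit together (this is not FileCloud's implementation; the class and method names, and the way time is passed in, are assumptions), the following Python sketch generates a code under a chosen length and dictionary, enforces expiration and single use, compares case-sensitively or not as configured, applies the resend limit and timeout exactly as the Allowed Resend Attempts example describes, and reports the resulting keyspace so the strength of a given setting can be judged.

```python
"""SMS OTP code handling under the settings described above (added example, not FileCloud's code)."""
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# The four "2FA Code Dictionary" options and the characters each permits.
DICTIONARIES = {
    "Numbers and letters": string.digits + string.ascii_letters,
    "Numbers": string.digits,
    "Letters": string.ascii_letters,
    "Uppercase letters": string.ascii_uppercase,
}


@dataclass
class SmsOtpSettings:
    """Mirror of the admin settings, with the defaults the page gives."""
    code_length: int = 4
    code_dictionary: str = "Numbers and letters"
    expiration_minutes: int = 10
    case_sensitive: bool = False
    allowed_resend_attempts: int = 5
    resend_timeout_seconds: int = 30

    def alphabet(self) -> str:
        return DICTIONARIES[self.code_dictionary]

    def effective_keyspace(self) -> int:
        """Distinct codes an attacker would have to guess among.
        Case-insensitive comparison folds 'a' and 'A' into one code."""
        chars = self.alphabet() if self.case_sensitive else self.alphabet().lower()
        return len(set(chars)) ** self.code_length


class SmsOtpSession:
    """Pending code and resend throttling for one user's login attempt.
    Time is passed in explicitly (unix seconds) so the logic is testable offline."""

    def __init__(self, settings: SmsOtpSettings):
        self.settings = settings
        self.pending_code: Optional[str] = None
        self.issued_at = 0.0
        self.resends_in_window = 0
        self.blocked_until = 0.0

    def issue(self, now: float) -> str:
        """Generate a fresh code; this string is what the SMS gateway would send."""
        alphabet = self.settings.alphabet()
        code = "".join(secrets.choice(alphabet) for _ in range(self.settings.code_length))
        self.pending_code, self.issued_at = code, now
        return code

    def resend(self, now: float) -> Optional[str]:
        """Re-issue a code, or return None while the user is throttled.

        After Allowed Resend Attempts resends, the next request starts a wait of
        2FA Code Resend Timeout seconds; once it has elapsed another batch of
        resends is allowed, matching the settings example above.
        """
        if now < self.blocked_until:
            return None
        if self.resends_in_window >= self.settings.allowed_resend_attempts:
            self.blocked_until = now + self.settings.resend_timeout_seconds
            self.resends_in_window = 0
            return None
        self.resends_in_window += 1
        return self.issue(now)

    def verify(self, submitted: str, now: float) -> bool:
        """Accept a code once, within its expiration, comparing in constant time."""
        if self.pending_code is None:
            return False
        if now - self.issued_at > self.settings.expiration_minutes * 60:
            self.pending_code = None          # expired: force a fresh code
            return False
        expected, given = self.pending_code, submitted
        if not self.settings.case_sensitive:
            expected, given = expected.lower(), given.lower()
        ok = hmac.compare_digest(expected.encode(), given.encode())
        if ok:
            self.pending_code = None          # single use
        return ok


if __name__ == "__main__":
    for s in (SmsOtpSettings(), SmsOtpSettings(case_sensitive=True),
              SmsOtpSettings(code_dictionary="Numbers"),
              SmsOtpSettings(code_length=6, code_dictionary="Numbers")):
        print(f"length={s.code_length} dictionary={s.code_dictionary!r} "
              f"case_sensitive={s.case_sensitive}: {s.effective_keyspace():,} possible codes")
```

Running the block prints the keyspace for a few combinations; it is the quickest way to see why the default 4-character code relies on the expiration and on limiting verification attempts rather than on the code being hard to guess.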


Users are required to set up a phone number once the SMS 2FA policy is enabled. Once the phone number is set up, client devices can be used to connect to the FileCloud account. The phone number can be set via the web UI or by the admin.


If users are required to use SMS with 2FA, they will see the following dialog box during login after the policy is enabled:

Enable Two Factor Authentication using SMS OTP Security Codes for specific user agents

Starting with Version 19.3, FileCloud supports configuring two factor authentication using SMS OTP for specific user agents. For example, you could apply this configuration to mobile clients only, or to FileCloud Drive, FileCloud Sync, and Microsoft Outlook only.

  1. Complete the instructions above in Two Factor Authentication using SMS OTP Security Codes
  2. Open cloudconfig.php at

    • Windows: XAMPP DIRECTORY/htdocs/config/cloudconfig.php

    • Linux: /var/www/config/cloudconfig.php

  3. Add the following: 

    define("TONIDOCLOUD_TWOFA_REQUIRED_USERAGENT_LIST", "useragent1,useragent2, ... ");
  4. Replace the useragent values with any number of user agents from the following list:

    • Web browser

    • Android

    • iOS

    • MS Outlook

    • MS Office

    • MS Office Online

    • Cloud Sync

    • FileCloud Drive (starting with Version 19.3 of FileCloud)
      Prior to Version 19.3 of FileCloud use: FileCloudDrive or FileCloudDrive2, FileCloud MacDrive or FileCloud MacDrive2

    • Any white labelled FileCloud Sync/Drive product name


For example:
define("TONIDOCLOUD_TWOFA_REQUIRED_USERAGENT_LIST", "Android,iOS");

Enable Two Factor Authentication for User Portal (Global setting)

An administrator can enable Two Factor Authentication using the following steps:

  1. Log into the Administrator Portal
  2. Navigate to "Settings"
  3. Select the Policies tab
  4. Under the 2FA heading, change the Enable Two Factor Authentication drop-down box to Enabled
  5. In Two Factor Authentication Mechanism choose Email, Google Authenticator, DUO Security or SMS Security.
  6. If you choose SMS Security and users are permitted to create accounts, add the following setting, which enables users to add a phone number when creating a share with an external user:
    1. Open the configuration file:
      Windows: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
      Linux: /var/www/config/cloudconfig.php
    2. Add the line:

      define ("TONIDOCLOUD_ENABLE_2FA_SMS_SHARE_INVITES", TRUE);

Enable or Override Two Factor Authentication for specific user 

An administrator can enable or override Two Factor Authentication for a specific user using the following steps:

  1. Log into the Administrator Portal
  2. Navigate to "Users" and edit the user
  3. Select the "Manage Policy" tab
  4. Select the Effective Policy associated with the user
    1. Note that the policy could be a common policy (global, group, or a policy shared with additional users), in which case changing it affects every user it applies to
  5. Open the effective policy and navigate to 2 Factor Authentication
  6. Under the "2 Factor Authentication" heading, change the setting as needed (the default, Global policy, uses the current global setting value)



Reset TOTP or DUO settings  for a user

When a user loses the device with the TOTP (Google Authenticator) app, or needs the secret reset for any other reason, the Admin can reset the Google Authenticator setup for that user using the following steps. Because the reset removes the user's second factor and lets whoever next logs in with the password enroll a new authenticator, verify the user's identity through a separate channel before performing it.

  1. Log into the Admin portal
  2. Navigate to "Users" and edit the user
  3. Open the policy associated with the user by selecting the "Policies" button
  4. Select the "Manage Policy" tab
  5. Under the "2 Factor Authentication" heading, click the "Reset" button for the "Reset Google Authenticator Secret" option


Once the secret is reset, the user will be required to redo the 2FA setup on their next login via a browser.


Two factor authentication validity for Email based 2FA 


2FA code validity: 10 minutes. This can be changed by adding a key with a different timeout, as shown (the key is added to <WEBROOT>/config/cloudconfig.php).

define ("TONIDOCLOUD_2FA_EMAIL_EXPIRATION_MINUTES", "5");

For web apps, the 2FA validity period is tied to the Session Timeout.

For client apps (iOS app, Android app, Drive and Sync) the 2FA code is required only on the very first access; subsequent access from that device does not require the code. If the record of that device is removed using the "Remove Client Device Record" action, subsequent access from that device will again require the 2FA code. Removing the device record is therefore also the way to revoke this trust for a lost or stolen device.


Two Factor Authentication for Admin Portal

From v12 onwards, support for two factor authentication is available for the Admin portal. Both the site admin and the super admin (for the multi-tenancy control panel) can be set to require an additional code in order to access the portal.

Before v19.2, two factor authentication for Admin supports only email-based 2FA; the code is delivered to the email address associated with the account.


Since 19.2, the way admins set up 2FA has changed: the admin can now select the code delivery method using a drop-down (Email or SMS). To upgrade without hassle, it is advised to disable admin 2FA before upgrading and set it up again afterwards.


The flow is same as user 2FA flow as shown below


Enable Two Factor Authentication for Site Admin

A site admin is the admin account used to log into the Administrator portal of a specific site. To enable 2FA for the first time, follow these steps:

  1. Log into the Admin portal
  2. Navigate to "Settings"
  3. Select the "Admin" tab
  4. Check Enable Two Factor Authentication for Admin Logins.
    2FA fields appear.
  5. To use SMS authentication, in Select 2FA Delivery Method for Admin choose SMS Authentication.
    Additional fields appear.

    1. In Set Admin 2FA Code Timeout, set the time in minutes that the temporary log-in code remains valid.
    2. In SMS Service Provider, choose Twilio or Custom.
    3. In Master Admin Phone Number, enter the admin's SMS phone number.
      An invalid master admin phone number will cause lockout: the portal will not be accessible when SMS Authentication is chosen. Double-check the number before ending the current admin session.
  6. To use email authentication, in Select 2FA Delivery Method for Admin choose Email Authentication.

    1. Enter a valid email in the Enable Two Factor Authentication for Admin Logins field, above the Enable
    2. In Set Admin 2FA Code Timeout, set the time in minutes that you want the temporary log-in code to remain valid.

Enable Two Factor Authentication for Super Admin  for Multi-tenancy control panel access

From FileCloud v12 onwards, superadmin logins can be required to use 2FA to access the Multi-tenancy control panel. 

Open "multi.php" (on Ubuntu it is at /var/www/config/ and on Windows it is typically at c:\xampp\htdocs\config)

Add the lines:

  define ("TONIDOCLOUD_SUPER_ADMIN_EMAIL_ID", "email@company.com");
  define ("TONIDOCLOUD_ENABLE_SUPER_ADMIN_2FA","1");


If the lines are already present but commented out with "//", remove the double slash at the beginning of each line and save the changes.

Note that you must provide a valid email address. If the email is invalid, the Multi-tenancy control panel cannot be accessed.
