
Two Factor Authentication (2FA), also called "Two step verification", is available from FileCloud v9.0 onwards and is designed to add a second layer of security to the login.

With this feature, in order to access a FileCloud server the user must know not only the username and password but must also supply an extra security code that is delivered to them or generated on a device they hold.


Two Factor Authentication to access User Portal

A FileCloud administrator can enable Two Factor Authentication for access to the user portal. This can be done regardless of the authentication type (default, AD or LDAP etc).


FileCloud supports the following modes to deliver the 2FA code:

  1. Deliver code using user's registered email
  2. Google Authenticator TOTP Code
  3. DUO Security
  4. SMS OTP Security Code

Two Factor Authentication into user portal using user's registered email address

The general flow is shown below


Two Factor Authentication into user portal using TOTP (Google Authenticator or similar TOTP code generators)


These instructions use Google Authenticator as the example TOTP code generator; however, any TOTP app, such as Microsoft Authenticator or the DUO Mobile app, can be used.

From FileCloud v12.0 onwards, users can also log into the user portal using their credentials plus a Google Authenticator TOTP code. The Google Authenticator mobile clients are available for free on the mobile app stores.

The user sets up Google Authenticator once and subsequently provides the code generated by the Google Authenticator app in order to log in.

When the user logs in for the first time, they are given the option to set up Google Authenticator. This involves entering a secret key or scanning a QR code into the Google Authenticator client. Once it has been set up, the user cannot set it up again; only an administrator can clear the Google Authenticator setup (see "Reset TOTP or DUO settings for a user" below).

The user must use a web browser to log in and set up Google Authenticator. Once it is set up, other client devices can be used to connect to the FileCloud account.


Instead of the Google Authenticator app, the Microsoft Authenticator or Duo Mobile app can also be used to generate the TOTP code.


The general flow is shown below
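The enrolment and verification described above, as an added worked example (this is not FileCloud's code and FileCloud's internal implementation is not shown on this page): a standard RFC 6238 TOTP generator, the otpauth:// URI that an authenticator app reads from the QR code, and a server-side verifier with a one-step clock-skew window that also rejects a code that has already been accepted. The issuer label "FileCloud", the account name and the window size are assumptions; the secret used in the comments is the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps show the seed as unpadded base32; restore padding before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for Unix time `at` (seconds). 30 s / 6 digits is what Google Authenticator uses."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit seed, base32 encoded, as shown to the user on first login (CSPRNG, not random())."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str = "FileCloud") -> str:
    """The otpauth:// Key URI that is encoded into the enrolment QR code (issuer label is an assumption)."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check with a +/-`window` step clock-skew allowance and replay rejection."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.key = decode_secret(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1  # highest counter already accepted for this user (persist this per user)

    def verify(self, code: str, at: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        base = at // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: treat as replay
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B secret ("12345678901234567890" in base32) and its published vectors.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59), totp(rfc_secret, 1111111109), totp(rfc_secret, 1234567890))
    print(provisioning_uri(new_secret(), "alice@example.com"))
```

The verifier keeps `last_counter` so that a code captured in transit cannot be replayed inside the same 30-second step, which a plain "does it match the current code" check would allow; in a real deployment that counter has to be stored per user alongside the secret, and the secret itself should be stored encrypted, since anyone who reads it can generate valid codes.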



Two Factor Authentication using DUO Security

As of v17.3, FileCloud can be set up to use the DUO Security service to perform 2FA. Note that DUO Push is not supported; the user must enter the passcode generated by the DUO Mobile app to complete 2FA.
The following steps are required to set up 2FA using DUO:


 1. Add DUO Auth API
  • Follow the instructions at https://duo.com/docs/authapi to get the integration key, secret key, and API hostname
  • Enter the information in Admin Portal → Settings → Misc → Duo Security tab under Auth API Security Settings and save


 2. Add DUO Admin API

  • Follow the instructions at https://duo.com/docs/adminapi to get the integration key, secret key, and API hostname
  • Ensure it has the "Grant read resource" permission, and no broader permission than that
  • Enter the information in Admin Portal → Settings → Misc → Duo Security tab under Admin API Security Settings and save



3. Open the Policies tab and select the policy (select the Global policy if 2FA needs to be the default)

4. Open the 2FA tab of the Policy

5. Select "YES" for Enable Two Factor Authentication

6. Select "DUO Security" for Two Factor Authentication Mechanism and save the policy
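Before pasting the keys into the Admin Portal it is worth confirming that the integration key, secret key and API hostname actually work. The following is an added example, not FileCloud's code: it builds Duo Auth API requests with Duo's published v2 request signing (Date header, canonical request string, HMAC-SHA1 with the secret key, sent as HTTP Basic auth with the integration key as the user name), first for the `/auth/v2/check` endpoint that only validates the keys, then for a `/auth/v2/auth` passcode check, which is the mode this page describes (no Push). The hostname, user name and passcode values are placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse
import urllib.request
from email.utils import formatdate


def canon_params(params: dict) -> str:
    """Duo canonical form: keys and values percent-encoded (only '~' left bare), sorted, '&'-joined."""
    pairs = sorted((urllib.parse.quote(str(k), "~"), urllib.parse.quote(str(v), "~"))
                   for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonicalize(date: str, method: str, host: str, path: str, params: dict) -> str:
    """The string that is signed: one line each for date, method, lower-cased host, path, params."""
    return "\n".join([date, method.upper(), host.lower(), path, canon_params(params)])


def sign(ikey: str, skey: str, date: str, method: str, host: str, path: str, params: dict) -> str:
    """Authorization header value: Basic base64(ikey:HMAC-SHA1(skey, canonical_string))."""
    canonical = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canonical.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()


def decode_auth_header(value: str) -> tuple:
    """Split a 'Basic ...' header back into (ikey, hex signature); handy for inspecting what was sent."""
    ikey, sig = base64.b64decode(value.split(" ", 1)[1]).decode().split(":", 1)
    return ikey, sig


def build_request(ikey: str, skey: str, host: str, path: str, params: dict,
                  method: str = "POST", date: str = None) -> dict:
    """Assemble URL, headers and body for a signed Duo API call (no network access here)."""
    date = date or formatdate(usegmt=True)  # RFC 2822 date; Duo rejects requests whose Date is stale
    encoded = canon_params(params)
    url = f"https://{host}{path}"
    body = encoded
    if method.upper() == "GET":        # GET carries the params in the query string instead
        url, body = (f"{url}?{encoded}" if encoded else url), ""
    return {
        "url": url,
        "method": method.upper(),
        "headers": {"Date": date,
                    "Authorization": sign(ikey, skey, date, method, host, path, params),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def check_request(ikey: str, skey: str, host: str) -> dict:
    """/auth/v2/check: succeeds only if the three Auth API settings are correct."""
    return build_request(ikey, skey, host, "/auth/v2/check", {})


def passcode_auth_request(ikey: str, skey: str, host: str, username: str, passcode: str) -> dict:
    """/auth/v2/auth with factor=passcode: the DUO Mobile code typed by the user, no Push."""
    return build_request(ikey, skey, host, "/auth/v2/auth",
                         {"username": username, "factor": "passcode", "passcode": passcode})


def send(req: dict) -> bytes:
    """Perform the call. Only run this against your own Duo API hostname with real keys."""
    r = urllib.request.Request(req["url"], data=req["body"].encode() or None,
                               method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder values; replace with the Auth API keys from the Duo admin panel before calling send().
    req = check_request("DIXXXXXXXXXXXXXXXXXX", "replace-with-auth-api-secret-key",
                        "api-xxxxxxxx.duosecurity.com")
    print(req["method"], req["url"])
    print(req["headers"]["Authorization"])
```

The secret key never leaves the server: only the HMAC over the canonical string goes on the wire, so a captured request can be replayed only within the Date tolerance that Duo enforces, and it cannot be used to forge a different request. Keep the Auth API and Admin API secrets out of version control and logs; the Admin API key in particular can enumerate your Duo users.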






Two Factor Authentication using SMS OTP Security Codes


As of v19.2, FileCloud can be set up to use SMS security codes to perform 2FA. Currently Twilio is implemented as the default SMS gateway provider. In order to use SMS security successfully, admins need to set up a Twilio account to obtain the required Account SID, Auth Token and the phone number from which the codes will be sent. Note that you will also need to keep tabs on your Twilio account balance: if it runs out, codes are not delivered and users whose policy requires SMS 2FA cannot complete their login.

 1. Create a Twilio account

  • Follow the instructions at https://www.twilio.com/docs/sms to obtain the required Account SID and Auth Token and to create a phone number.
  • Enter the information in Admin Portal → Settings → Misc → SMS Security tab and save.

An example setup should look like the following:

 

Once the gateway setup is complete, set up the policy for users and choose the appropriate SMS gateway provider, in the same way as for the other 2FA methods.


Users will be required to register a phone number once the SMS 2FA policy is enabled. The phone number must be registered via the web UI; once it is set up, client devices can be used to connect to the FileCloud account.


If users are required to use SMS with 2FA, they will see the following dialogues during login after the policy is enabled:




Enable Two Factor Authentication for User Portal (Global setting)

The administrator can enable Two Factor Authentication using the following steps:

  1. Log into the Administrator Portal
  2. Navigate to "Settings"
  3. Select the "Policies" tab
  4. Under the "2FA" heading, change the "Enable Two Factor Authentication" drop-down box to "Enabled"
  5. Set the "Two Factor Authentication Mechanism" to "Email", "Google Authenticator", "DUO" or "SMS" as needed.

Enable or Override Two Factor Authentication for a specific user

The administrator can enable or override Two Factor Authentication for a specific user using the following steps:

  1. Log into the Administrator Portal
  2. Navigate to "Users" and edit the user
  3. Select the "Manage Policy" tab
  4. Select the effective policy associated with the user. Note that this may be a shared policy (the global policy, a group policy, or a policy that other users are also associated with), in which case changing it affects every user it applies to.
  5. Open the effective policy and navigate to "2 Factor Authentication"
  6. Under the "2 Factor Authentication" heading, change the setting as needed (the default, "Global policy", uses the current global setting value)



Reset TOTP or DUO settings for a user

When a user loses the device with the TOTP (Google Authenticator) app, or the secret needs to be reset for any other reason, the admin can reset the Google Authenticator setup for that user using the following steps:

  1. Log into the Admin portal
  2. Navigate to "Users" and edit the user
  3. Open the policy associated with the user by selecting the "Policies" button
  4. Select the "Manage Policy" tab
  5. Under the "2 Factor Authentication" heading, click the "Reset" button for the "Reset Google Authenticator Secret" option


Once the secret is reset, the user will be required to redo the 2FA setup on their next login via a browser. Because the reset re-opens enrolment for that account, confirm the requester's identity through another channel before performing it.


Two factor authentication validity for Email based 2FA


2FA code validity: 10 minutes by default. This can be changed by adding a key with a different timeout, in minutes, to <WEBROOT>/config/cloudconfig.php; for example, the following line shortens it to 5 minutes:

define ("TONIDOCLOUD_2FA_EMAIL_EXPIRATION_MINUTES", "5");

For web apps, the 2FA validity period is tied to the session timeout.

For client apps (iOS app, Android app, Drive and Sync) the 2FA code is required only on the very first access from that device; subsequent access does not require the code. If the record of that device is removed using the "Remove Client Device Record" action, the next access from that device will again require the 2FA code.


Two factor authentication validity for SMS based 2FA


SMS 2FA code validity: 10 minutes (600 seconds) by default. This can be changed by adding a key with a different timeout to <WEBROOT>/config/cloudconfig.php. Note that, unlike the email key, this value is in seconds; the line below sets the default of 600 seconds:

define("TONIDOCLOUD_2FA_SMS_CODE_EXPIRATION", 600);

For web apps, the 2FA validity period is tied to the session timeout.

For client apps (iOS app, Android app, Drive and Sync) the 2FA code is required only on the very first access from that device; subsequent access does not require the code. If the record of that device is removed using the "Remove Client Device Record" action, the next access from that device will again require the 2FA code.
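The lifetime rules in the two sections above (email code expiry in minutes, SMS code expiry in seconds) are the part most easily got wrong when a delivered one-time code is implemented. The following added example, which is not FileCloud's code, shows how a server can issue and check a delivered code correctly: the code comes from a CSPRNG, only a salted hash is stored, the expiry is computed from a single seconds value derived from the two config keys, the code is single-use, and guessing is capped by an attempt counter. The constant names mirror the two config keys on this page; the store, the attempt limit and the digit count are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Defaults corresponding to the two config keys on this page. Note the different units:
#   TONIDOCLOUD_2FA_EMAIL_EXPIRATION_MINUTES  -> minutes
#   TONIDOCLOUD_2FA_SMS_CODE_EXPIRATION       -> seconds
EMAIL_EXPIRATION_MINUTES = 10
SMS_CODE_EXPIRATION_SECONDS = 600


def ttl_seconds(channel: str) -> int:
    """Normalise both settings to seconds so the expiry check below is channel-agnostic."""
    if channel == "email":
        return EMAIL_EXPIRATION_MINUTES * 60
    if channel == "sms":
        return SMS_CODE_EXPIRATION_SECONDS
    raise ValueError(f"unknown 2FA channel: {channel}")


@dataclass
class PendingCode:
    digest: bytes        # salted SHA-256 of the code; the plaintext is never kept server-side
    salt: bytes
    expires_at: float    # Unix time after which the code is dead even if it is correct
    attempts_left: int   # bounds online guessing of a 6-digit code


class OneTimeCodeStore:
    """Hypothetical in-memory issue/verify store for emailed or SMS'd codes (keyed by user)."""

    def __init__(self, digits: int = 6, max_attempts: int = 5):
        self.digits, self.max_attempts = digits, max_attempts
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str, channel: str, now: float) -> str:
        """Create a code for `user`; returns the plaintext to hand to the mail or SMS gateway."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"  # CSPRNG, never random()
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier code, so only one code per user is ever valid.
        self._pending[user] = PendingCode(self._digest(code, salt), salt,
                                          now + ttl_seconds(channel), self.max_attempts)
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        rec = self._pending.get(user)
        if rec is None:
            return False
        if now > rec.expires_at or rec.attempts_left <= 0:
            del self._pending[user]  # expired or attempt budget exhausted: force a fresh code
            return False
        rec.attempts_left -= 1
        ok = hmac.compare_digest(self._digest(code, rec.salt), rec.digest)
        if ok:
            del self._pending[user]  # single use: the same code cannot be presented twice
        return ok


if __name__ == "__main__":
    import time
    store = OneTimeCodeStore()
    code = store.issue("alice", "sms", time.time())
    print("deliver to user:", code)
    print("verify:", store.verify("alice", code, time.time()))
```

`now` is passed in rather than read inside the methods so that the expiry behaviour can be tested deterministically; in production it is simply `time.time()`. Because the store is keyed by user and re-issue overwrites, a user who asks for "resend code" cannot accumulate several simultaneously valid codes.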


Two Factor Authentication for Admin Portal

From v12 onwards, two factor authentication is also available for the Admin portal. Both the site admin and the super admin (for the multi-tenancy control panel) can be set to require an additional code in order to log in.

Before v19.2, two factor authentication for admins supported only Email based 2FA, with the code delivered to the email associated with the account.


Since v19.2, the way admins set up 2FA has changed: the admin now selects the code delivery method from a drop-down (Email or SMS). To upgrade without problems, it is advised to disable admin 2FA before upgrading and set it up again afterwards.


The flow is the same as the user 2FA flow, shown below:


Enable Two Factor Authentication for Site Admin

A site admin is the admin account used to log into the Administrator portal of a specific site. To enable 2FA for the first time, follow these steps:

  1. Log into the Admin portal
  2. Navigate to "Settings"
  3. Select the "Admin" tab
  4. Provide a valid email in the "Admin Email" field (when Email authentication is chosen)
  5. Provide a valid admin phone number and choose a supported SMS provider in the "Master Admin Phone Number" and "SMS Service Provider" fields (when SMS authentication is chosen)
  6. Enable the checkbox for the "Enable Two Factor Authentication for Admin Logins" option


Note that you must provide a valid email in the Admin Email field. If the email is invalid, the Admin portal cannot be accessed!


An invalid master admin phone number will likewise cause a lockout: the portal will not be accessible when SMS authentication is chosen! Confirm that mail or SMS delivery to the configured address or number actually works before enabling the checkbox.





For SMS 2FA to work with the admin panel, the admin must set up a phone number. To do so, check the box mentioned above and fill in the required information. Note that since v19.2 the admin can choose whether to use email or SMS for the admin portal. With the SMS fields set as follows, the master admin will be able to log in using an SMS OTP:

Enable Two Factor Authentication for Super Admin  for Multi-tenancy control panel access

From FileCloud v12 onwards, super admin logins can be required to use 2FA to access the multi-tenancy control panel.

Open "multi.php" (on Ubuntu it is at /var/www/config/ and on Windows it is typically at c:\xampp\htdocs\config)

Add the lines:

  define ("TONIDOCLOUD_SUPER_ADMIN_EMAIL_ID", "email@company.com");
  define ("TONIDOCLOUD_ENABLE_SUPER_ADMIN_2FA","1");


If the lines are already present but commented out with "//", remove the double slash at the beginning of each line and save the changes.

Note that you must provide a valid email. If the email is invalid, the multi-tenancy control panel cannot be accessed!
