Multi-Factor Authentication for User Portal


Enable multi-factor authentication for user portal 

To enable multi-factor authentication for logging into the user portal

If you are planning to enable DUO Security as the multi-factor authentication mechanism, first set up FileCloud to use DUO Security Service (instructions below).

  1. In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click Policies.
    The Policies page opens.

  2. Edit the policy of the users who will use MFA.

  3. Click the MFA tab.

  4. Enable Require multi factor authentication.
    Additional fields appear for setting up MFA.

  5. In the MFA Mode drop-down list, choose one of the options:

    • Single Method - Users must use the single authentication mechanism that you enable on this tab.

    • Multiple Methods (User Choice) - Users may choose one of the authentication mechanisms that you enable on this tab.

    • Primary and Backup Methods - Users must choose (and set up) two of the authentication mechanisms that you enable on this tab, one as a primary method and one as a backup. On initial login, users choose the primary and secondary methods and complete any setup they require. On later logins, users are prompted to use the primary method but can switch to the backup.

  6. Depending on the MFA Mode you chose, enable one or more of the following mechanisms:

    • Email Mechanism - Sends a one-time authentication code to the user’s email address.

    • SMS Mechanism - Sends a one-time authentication code by SMS to the user’s phone number.
      If you choose SMS Mechanism, an SMS Provider Setup field appears below it. Choose either Twilio (the default SMS gateway provider) or Custom (if you are adding your own provider).
      For more information about setting up your SMS provider, see Multi-factor authentication.

    • TOTP Mechanism - Requires a one-time authentication code generated by the user’s authenticator app.

    • DUO Mechanism - Requires a one-time code that the user obtains from their DUO app.

  7. If you choose SMS Mechanism and users are permitted to create accounts, add the following setting so that users can add a phone number when creating a share with an external user:

  • Open the configuration file:
    Windows: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
    Linux: /var/www/config/cloudconfig.php

  • Add the line:

    define ("TONIDOCLOUD_ENABLE_2FA_SMS_SHARE_INVITES", TRUE);
    

What Users See

When you require multi-factor authentication for a policy, the choices given to users in that policy depend on both the MFA Mode you choose and the MFA Mechanisms that you enable.

  • MFA Mode: Single Method
    Mechanism enabled in this example: Email
    When users in this policy log in, they are prompted to enter the one-time code sent to their email address.


  • MFA Mode: Multiple Methods (User Choice)
    Mechanisms enabled in this example: Email, SMS, TOTP, DUO
    When users in this policy log in, they are asked to choose one of the four enabled authentication methods.


  • MFA Mode: Primary and Backup Methods
    Mechanisms enabled in this example: Email, TOTP, DUO
    When users in this policy log in, they are prompted to choose a primary verification method.

    If, for example, a user selects Email, they are prompted to log in with a code sent through email, and then they are prompted to choose a secondary verification method.

    If the user chooses TOTP, they are prompted to set up TOTP login.
    When they log in again, they are automatically prompted to enter a code sent to email, but they are also given the option of switching to TOTP.

If you switch from Single Method to Multiple Methods or Primary and Backup Methods, the user’s chosen mechanism or primary mechanism is automatically set to their prior single mechanism, unless you disable that mechanism as well. (For example, if you had set Single Method with Email Mechanism and then changed to Multiple Methods with all mechanisms enabled, the user’s chosen method would be Email Mechanism.)
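As an added illustration (not FileCloud's own code), the following Python models the rules described in steps 5 and 6 and in this section: which prompt a user sees under each MFA Mode, what the Primary and Backup flow needs before a normal login, and the carry-over rule that applies when a policy is switched away from Single Method. The mode and mechanism names come from this page; the data structures, the validation rules, and the shape of the prompts are assumptions made for the example.

```python
# Illustrative model, not FileCloud code: how the MFA Mode and the mechanisms enabled on a
# policy's MFA tab decide what a user is prompted with, plus the carry-over rule for mode changes.
from dataclasses import dataclass
from typing import FrozenSet, Optional

MECHANISMS = frozenset({"Email", "SMS", "TOTP", "DUO"})
SINGLE, MULTIPLE, PRIMARY_BACKUP = "Single Method", "Multiple Methods", "Primary and Backup Methods"

@dataclass(frozen=True)
class Policy:
    mode: str
    enabled: FrozenSet[str]          # mechanisms ticked on the MFA tab

@dataclass
class UserMfa:
    chosen: Optional[str] = None     # Multiple Methods: the mechanism the user picked
    primary: Optional[str] = None    # Primary and Backup Methods
    backup: Optional[str] = None

def validate(policy: Policy) -> None:
    """Reject tab configurations the selected mode cannot work with (assumed rules)."""
    if not policy.enabled <= MECHANISMS:
        raise ValueError(f"unknown mechanism(s): {sorted(policy.enabled - MECHANISMS)}")
    need = {SINGLE: 1, MULTIPLE: 1, PRIMARY_BACKUP: 2}[policy.mode]
    if len(policy.enabled) < need or (policy.mode == SINGLE and len(policy.enabled) > 1):
        raise ValueError(f"{policy.mode}: wrong number of mechanisms enabled")

def login_prompt(policy: Policy, user: UserMfa) -> dict:
    """The prompt a user in this policy sees at login, given their stored MFA state."""
    validate(policy)
    if policy.mode == SINGLE:
        (m,) = policy.enabled
        return {"step": "verify", "using": m, "alternatives": []}
    if policy.mode == MULTIPLE:
        default = user.chosen if user.chosen in policy.enabled else None
        return {"step": "choose", "options": sorted(policy.enabled), "default": default}
    # Primary and Backup: first login picks both methods; later logins verify with the primary.
    if user.primary not in policy.enabled:
        return {"step": "choose_primary", "options": sorted(policy.enabled)}
    if user.backup not in policy.enabled or user.backup == user.primary:
        return {"step": "choose_backup", "options": sorted(policy.enabled - {user.primary})}
    return {"step": "verify", "using": user.primary, "alternatives": [user.backup]}

def apply_mode_change(old: Policy, new: Policy) -> UserMfa:
    """Leaving Single Method carries the prior mechanism over as choice/primary unless it was disabled too."""
    validate(old); validate(new)
    m = next(iter(old.enabled)) if old.mode == SINGLE else None
    if m is None or new.mode == SINGLE or m not in new.enabled:
        return UserMfa()             # nothing carries over; the user is prompted afresh
    return UserMfa(chosen=m) if new.mode == MULTIPLE else UserMfa(primary=m)
```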

Multi-factor authentication using DUO security

FileCloud can be set up to use the DUO security service to perform MFA. Note that DUO Push is not supported; users must enter a code generated by the DUO Mobile app to complete MFA.

The following steps are required to set up MFA using DUO.

  1. Add DUO Auth API

  • Follow the instructions at https://duo.com/docs/authapi to get the integration key, secret key, and API hostname.

  • In the FileCloud admin portal, open the DUO Security settings page.

    To go to the Duo Security settings page
    1. In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click Misc.

    2. In the inner navigation bar on the left of the Settings page, expand the Misc menu, and click DUO Security.

    The DUO Security settings page opens.


  • Fill in the Duo Auth API Security Settings fields on the page.




  2. Add DUO Admin API

    • Follow the instructions at https://duo.com/docs/adminapi to get the integration key, secret key, and API hostname.

    • Ensure it has Grant read resource permission.

    • In the FileCloud admin portal, go to the DUO Security settings page. 

    • Fill in the Duo Admin API Security Settings fields on the page.

    • Now follow the instructions above to enable MFA and specify the MFA mechanism as Duo Security.


      Note: When users who are enrolled in the Duo Admin Panel log in, they must use the text code from the default entry in their Duo App. When users who are not enrolled in the Duo Admin Panel attempt to log in, they are prompted to use a QR code scanner to enroll themselves, and then must use the text code from the entry they added in their Duo App. See Log in Using Multi-Factor Authentication for more information.

Reset TOTP or DUO settings for a user

When a user loses the device that holds their TOTP (Google Authenticator) app, or needs to reset the code for any other reason, you can reset the authenticator setup for that user using the following steps.

  1. In the FileCloud admin portal, go to Users and click the Manage Policy icon in the row for the user. 

  2. Click the MFA tab.

  3. Click Reset MFA Setting to enable the user to reset their authenticator code.



    After the secret is reset, the user is not required to redo the DUO setup on initial login as FileCloud will import access tokens from DUO automatically.
    New devices can be registered from the DUO Admin Panel using the DUO Enrollment Email feature.