Multifactor Authentication

Multifactor authentication is the process of verifying the identity of a user in which the user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Two-factor authentication (2FA), a subset of multifactor authentication, is a method of confirming users' identities by combining two of the following factors: 1) something they know, 2) something they have, or 3) something they are. A common example of 2FA is withdrawing money from an ATM: only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

EFT offers multi-factor authentication (MFA) for recipients in the Pickup portal, with which a time-based one-time passcode (OTP) is delivered automatically to the recipient's email address or via text message. When attempting authentication, the account is locked out for 5 minutes after 5 failed attempts in a 5-minute period. If the first attempt fails, a user can repeat registration and get a new verification code after 5 minutes have passed since the previous registration attempt.

Refer to Enable and Configure the Send Portal for MFA settings in Workspaces.

NOTE: 2FA does not apply to the following situations: Anonymous TWS (authentication is not required for those messages), protocols other than HTTP/S, and EFT managed clients (MTC, RAM, Outlook Add-In). The Outlook Add-In does not require the Advanced Property "UserAgentHeaderMustUseOTP" to be entered since we allow the OAI to work by default.

How does MFA work in EFT?

  1. When logging in to the WTC, if the Require additional factor for HTTPS auth check box is selected and configured, the WTC prompts for a passcode and informs the recipient to check their email or text messages.

  2. EFT generates an OTP and sends it in an email or text message to the recipient. (The user account details must include a mobile phone number to use SMS; otherwise, the email address is used. Therefore, for ad hoc interactions, you should specify email delivery of the OTP.)

  3. The recipient checks email/text, and copies the passcode to the clipboard (or clicks the link).

  4. The recipient pastes the passcode (or follows link) in the WTC.

  5. If the passcode is verified, the WTC allows access.
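The issue-and-verify flow above, together with the lockout rule stated earlier (5 failed attempts within a 5-minute period lock the account for 5 minutes, and a new code can be requested only after 5 minutes), as an added example that is not EFT's own code. The 6-digit code length and the 10-minute code validity window are assumptions; the page does not state EFT's values, and delivery by email or SMS is out of scope.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OTP_DIGITS = 6               # assumption: code length (not stated on the page)
OTP_TTL_SEC = 10 * 60        # assumption: how long a delivered code stays valid
REISSUE_MIN_SEC = 5 * 60     # page: a new code only 5 minutes after the previous request
MAX_FAILURES = 5             # page: 5 failed attempts ...
FAILURE_WINDOW_SEC = 5 * 60  # ... within a 5-minute period ...
LOCKOUT_SEC = 5 * 60         # ... lock the account for 5 minutes


@dataclass
class AccountOtpState:
    code: Optional[str] = None       # outstanding code, None once used or never issued
    issued_at: float = 0.0
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class OtpVerifier:
    def __init__(self) -> None:
        self._state: Dict[str, AccountOtpState] = {}

    def issue(self, account: str, now: float = None) -> Optional[str]:
        """Create a random code for delivery; returns None if re-requested too soon."""
        now = time.time() if now is None else now
        st = self._state.setdefault(account, AccountOtpState())
        if st.code is not None and now - st.issued_at < REISSUE_MIN_SEC:
            return None
        st.code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        st.issued_at = now
        return st.code

    def verify(self, account: str, attempt: str, now: float = None) -> str:
        """Return 'ok', 'locked', 'expired' (no live code) or 'bad' (wrong code)."""
        now = time.time() if now is None else now
        st = self._state.setdefault(account, AccountOtpState())
        if now < st.locked_until:
            return "locked"                       # no guesses accepted while locked
        if st.code is None or now - st.issued_at > OTP_TTL_SEC:
            return "expired"
        if hmac.compare_digest(st.code, attempt):  # constant-time comparison
            st.code = None                         # single use: no replay of a verified code
            st.failures.clear()
            return "ok"
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW_SEC] + [now]
        if len(st.failures) >= MAX_FAILURES:       # 5 failures inside the window -> lock
            st.locked_until = now + LOCKOUT_SEC
            st.failures.clear()
        return "bad"
```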

To enable and configure MFA

For SMS to work, you must first define an SMS profile on the Site > Connections tab. To enable MFA in Workspaces, refer to Enable and Configure Folder Sharing (Workspaces).

  1. On the Site > Connections tab, enable and configure HTTPS, if not already done. (The MFA settings are inherited from the Site level, but you can enable or disable it on the Settings Template level also. You cannot enable/disable MFA at the user level.)

  2. Select the Require additional factor for HTTPS auth check box. EFT does a quick scan of all users under that Site or Template, and if one or more users is found without an email address or mobile phone number defined, a prompt is displayed.

  3. Click the OTP drop-down list. In the OTP list, select the method of delivery:

    • OTP - Email delivery - EFT does not verify whether the SMTP server configuration is completed correctly.

    • OTP - SMS delivery - If no mobile number is available for the user, SMS delivery will fail.

    • OTP - Try SMS then Email - EFT first looks for a mobile number in the user details. If no mobile number is defined, the email address is used.

  1. To configure Twilio as your SMS provider, use the settings provided when you set up your Twilio account. Click SMS Config. The SMS Profiles dialog box appears, with the following options:

  2. New - Opens the Create SMS Profile dialog box:
    • Click New to create a new SMS profile (as a generic SMS or with a custom verification code).

  3. Modify - Opens the Twilio SMS Settings dialog box for a selected profile:
    1. Provide the Twilio Account SID copied from your Twilio account.

    2. Provide the Auth Token copied from your Twilio account.

    3. Provide the Twilio Number copied from your Twilio account. You must include the country code with a leading plus sign (for example, +1 in the USA) in front of the number.

    4. Provide the Message that will be sent in the SMS, but keep the variable %Account_Session_OTP%. This variable is used by EFT to send the OTP. Do not edit anything between the percent symbols.

    5. Provide the Post URL copied from your Twilio account.

    6. Configure a Proxy, if needed. Refer to Defining a Proxy for details.

    7. Click Test to verify the connection.

    8. If the test is successful, click OK, then click Apply to save the configuration.

  4. Delete - Deletes a selected profile
  5. Test - Allows you to send a test SMS message using the selected profile
  6. Appoint - Assigns the selected profile to the Site.
  7. On the Server > General Tab, edit the Authentication OTP message, if needed.

Important notes to consider

Multifactor activation is only applicable where account registration is required, and thus is not applicable to:

  • Drop-off portal (no account is registered)

  • Reply portal (you cannot reply unless you first pick up, which does require registration)

  • Anonymous interactions (no account is registered)

EFT skips 2FA for the following user agents:

  • Anonymous ad hoc transfers (send the passcode by other means)

  • Protocols other than HTTP/S

  • GlobalSCAPE-EFTApplet

  • JFileUpload

  • MSFT File Transfer Tool

  • EFT-Mobile-Client

  • Desktop Transfer Client

  • GlobalSCAPE-scClient

  • EFT-Outlook-Addin

  • Load Balancer Agent

  • ELB-HealthChecker/

  • EFT Remote Agent

  • When certain user-agents are defined.

If MFA is enabled, then that additional factor (OTP) will be required and enforced by EFT. The exception to this rule is when the user-agent header is on EFT’s list of special agent-headers (RAM agents, MTC, CuteFTP/9, OAI, etc.).

  • In addition, an advanced property override (UserAgentHeaderSkipOTP) is available so that administrators can add further headers to the list, which allows non-Globalscape-controlled clients (such as Fiddler, FileZilla, etc.) to connect over HTTPS but skip 2FA/MFA. If a header is not in the advanced property exclusion list or the hard-coded exclusion list, the additional factor is required to complete authentication, regardless of the header. For example:

For CuteFTP v9.3 or later, you could use the following advanced property to whitelist the user agent and connect successfully:

"UserAgentHeaderSkipOTP":"CuteFTP/9.3"

To skip the OTP for the Edge browser when OTP is enabled, use:

"UserAgentHeaderSkipOTP":"Edge/18.18363"

  • If the OTP provided is incorrect, EFT allows a few more attempts over a short period. Once all permitted retries have been exhausted, EFT fails the registration/verification: the account is not created or associated with the Workspace, and all data is discarded. (While an "unverified" user is trying but failing to complete verification, a "valid" user can still complete the registration/verification process.)