Starting in version 12.5, Cerberus FTP Server supports two-factor authentication for user and client log-ins on our server and web client. This guide will cover the most frequent questions regarding using and implementing 2FA with Cerberus.
What is Two-Factor Authentication?
Two-Factor Authentication (2FA) is an additional access security method that requires a two-step log-in process consisting of:
- Something the user knows and created, such as a password or the answer to a personal security question.
- Something the user has, such as a designated device or external account that can receive a randomized code in real time with a short expiration period.
Does 2FA Matter for Secure File Transfer?
Why does 2FA matter for secure file transfer if your FTP server already uses modern encryption to send files? The answer is that the greatest vulnerability of most file transfer systems is not the transport but user and client access. According to Verizon, more than 80% of data breaches involve brute force or the use of lost or stolen credentials.
The COVID-19 pandemic accelerated and normalized the growing remote work trend, and the soaring number of endpoints and networks in this new hybrid environment significantly multiplies access risk. Administrators must now authenticate users, validate credentials, and provide secure access for employees wherever they travel outside the company network. This is not an easy challenge, especially in organizations with significant ad hoc or peer-to-peer data transfer, and 2FA provides a second line of defense against phishing and credential-theft attacks.
How to Set Up 2FA
- Choose Your Application
First, choose an authenticator application that meets your administrative, infrastructure, functionality and security needs. There are many applications to choose from; Cerberus recommends the Google Authenticator, Duo, or Authy 2-factor authentication phone apps.
- Choose Your Delivery Method
Multiple options exist to support 2FA delivery:
- SMS/Email Authentication: One of the most common consumer-friendly 2FA methods has the user supply a phone number or email address; the file transfer server then sends a one-time code by SMS text or email to that number or address to confirm the log-in.
While this method is straightforward, it has security downsides in situations where:
- Password resets via SMS text are allowed, since these are vulnerable to phone number takeover attacks.
- Organization users are traveling abroad.
- The security of the user's own device is weak.
Best practices for this option include:
- Display the complete identifier in the interface to prevent user typos.
- Limit the lifetime of these codes to 30 seconds to 1 minute before they expire.
- Have the user confirm the phone number or email address before you send the OTP, to catch typos.
- Set up an account recovery process to assist users who change phone numbers or forget their log-in credentials.
- Send a one-time password to a phone number or email address the first time a user provides it. After that, mask the details of the phone number or email address to prevent phishing, for example (555) ***-**** or a****g***@g***.com.
- Time-Based One-Time Passwords (via Authenticator Apps & Tokens): This 2FA method requires the user to install an authenticator app or have access to a purpose-built security device that provides Time-Based One-Time Passwords (TOTPs) when prompted at log-in. Many users are familiar with Google Authenticator as one option, while those in the financial services industry have used physical RSA tokens. The authenticator then generates codes at regular intervals, which are checked against your system for validity.
We have found that many administrators prefer this option, as it provides an “Approve”/“Deny” pop-up dialog embedded directly within Cerberus FTP Server that can be more proactively managed.
Apps and tokens protect against some phone vulnerabilities, such as number takeover and spoofing, but remain vulnerable to theft. They also add a layer of friction for users who frequently access secure systems.
- Push-Based 2FA: Instead of relying on codes, push-based authentication sends a prompt to a previously authorized device to confirm a log-in, usually including an estimated location. Because push alerts are tied to a specific device and include location/IP address information, they are somewhat more resistant to phishing attacks (provided your users pay attention to the warnings in the prompts).
This method is newer than the other 2FA approaches and is not yet fully standardized, so it requires more administrative setup and management. It also requires users to have a data connection, which may not be ideal for organizations with traveling users.
- Universal Second Factor (U2F) Authentication: This approach requires administrators to provide users with a secondary device, such as a USB or Bluetooth key, that is registered with the company and must then be presented at all future log-ins in addition to the username and password.
These keys are site-specific, which helps eliminate phishing attacks, but they are not universally supported and are difficult to implement for mobile users. Procuring the additional devices can also carry a significant cost compared to the other methods listed above.
We hope you’ve found this information helpful. To learn more about authentication, check out these resources, including the JSCAPE by Redwood blog on multi-factor authentication (MFA).