Egnyte supports the ability to require Multi-Factor Authentication (MFA) for SFTP connections at the domain level. When enabled, users must authenticate with an authenticator app in addition to their password to connect via SFTP. This provides a second layer of protection for file transfers that cannot be enforced through SSO or Conditional Access policies, since SFTP traffic bypasses those identity controls entirely.
This feature is currently in Limited Availability for customers on Platform Plans. To request access, contact the Egnyte Products team.
Before Enabling
When the SFTP MFA setting is turned on, all SFTP users on the domain who have not enrolled an authenticator app will be blocked from connecting. This includes users who authenticate via SSO.
Before requesting enablement, ensure the following:
- Turn on Two Factor Authentication in the domain by navigating to Settings -> Configuration -> Security & Authentication -> Two-step login verification.
- All users who need SFTP access have enrolled an authenticator app on their Egnyte account using Time-based One-Time Password (TOTP) only (Authy and phone-based MFA are not supported).
- SFTP clients used by those users are configured to use the Interactive login type.
How It Works
Once the feature is enabled for the domain, connecting via SFTP will prompt users for their password followed by a 6-digit verification code from their authenticator app. To support this prompt, SFTP clients must be set to use the Interactive login type.
For example, in FileZilla, switch the login type from the default Normal to Interactive. The client will then prompt first for the password, then for the authenticator app code.
The examples below show the settings for common client applications.
FileZilla FTP Client (Windows and Mac)
If the Egnyte account has authenticator app-based MFA enabled, set Logon Type to Interactive instead of Normal. This allows FileZilla to prompt for password and then the authenticator app code.
WinSCP FTP Client
If the Egnyte account has authenticator app-based MFA enabled, WinSCP will automatically prompt for both the password and a two-step verification code when connecting via SFTP. Enter the password in the Password field and the authenticator app code in the Two-step verification code field. No additional configuration is required.
Limitations
This release supports Authenticator App (TOTP) based MFA only.
The following MFA methods are not currently supported for SFTP:
- Phone-based MFA (SMS/Voice)
- Authy push notifications
Automated Workflows and Scripts
Authenticator app MFA requires a live human response and cannot be completed by an automated script. If automated workflows run under an account with MFA enabled, they will fail.
To prevent disruptions, ensure all automated SFTP workflows use Service Accounts. Service Accounts are not subject to MFA requirements and are designed for secure, non-interactive access.
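A pre-enablement readiness check that applies the rules from Before Enabling and Automated Workflows and Scripts, as an added example that is not Egnyte tooling. The CSV layout, column names and user names are constructed for illustration and are assumptions, not an Egnyte report format.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not an Egnyte report format.
SAMPLE_EXPORT = """username,account_type,auth_type,sftp_user,mfa_method,runs_automation
alice,standard,password,yes,totp,no
bob,standard,sso,yes,none,no
carol,standard,password,yes,sms,no
dave,standard,password,yes,authy,no
erin,standard,password,no,none,no
backup-job,standard,password,yes,totp,yes
svc-transfer,service,password,yes,none,yes
"""


def sftp_mfa_readiness(export_text):
    """Sort SFTP users by the action needed before SFTP MFA is enabled."""
    findings = {"ready": [], "needs_totp_enrollment": [], "move_to_service_account": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        row = {key: value.strip().lower() for key, value in row.items()}
        if row["sftp_user"] != "yes":
            continue  # not an SFTP user, so the setting does not affect them
        name = row["username"]
        if row["account_type"] == "service":
            # Service Accounts are not subject to MFA requirements.
            findings["ready"].append(name)
        elif row["runs_automation"] == "yes":
            # A script cannot answer the authenticator prompt, so the job
            # fails under a regular account whether or not TOTP is enrolled.
            findings["move_to_service_account"].append(name)
        elif row["mfa_method"] == "totp":
            findings["ready"].append(name)
        else:
            # No authenticator app enrolled (SSO users included), or an
            # unsupported method such as SMS/voice or Authy.
            findings["needs_totp_enrollment"].append(name)
    return findings


if __name__ == "__main__":
    for action, users in sftp_mfa_readiness(SAMPLE_EXPORT).items():
        print(f"{action}: {', '.join(users) or '-'}")
```

Anyone listed under needs_totp_enrollment or move_to_service_account should be resolved before enablement is requested.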