This topic describes the options to implement two-factor authentication (2FA)/multi-factor authentication (MFA) within Syncplicity if single sign-on (SSO) is enabled. Generally, there are two audiences that 2FA/MFA can be applied to:
- Your company’s (internal) user accounts.
- External recipients of files that were shared by your company’s (internal) users.
For details on user authentication, see About user authentication.
For details on configuring SSO, see Configuring single sign-on.
Your company’s (internal) user accounts
By enabling SSO, Syncplicity authenticates your company users via your IdP, including any 2FA/MFA configured in your IdP. If your SSO currently requires specific authentication methods, Syncplicity supports and uses the same requirements, such as:
- User name
- RSA SecurID
Mobile devices with no SSO
There are two scenarios that can be used to implement 2FA/MFA for your mobile device users that are not SSO enabled.
- Scenario 1: If you are using mobile device management (MDM) to monitor, manage, and secure your employees' mobile devices, then your company's MDM solution should be capable of implementing 2FA/MFA on mobile devices.
- Scenario 2: If your employees' mobile devices are unmanaged (for example, their personal devices), your admin can use a Syncplicity mobile setting policy to set a second authentication step (2FA). This setting forces your mobile device users to additionally enter their security PIN/passcode.
For details on the mobile security policies, see the article Mobile security policies.
External recipients of shared files
There are two scenarios that can be used to implement 2FA/MFA for external users who log in to Syncplicity as recipients of files shared by your company’s (internal) users.
Both scenarios require these external users to be added into your company IdP.
- Scenario 1: After you add these external users into your company IdP, follow the same steps you would use to implement 2FA/MFA for your internal user accounts. This scenario provides your company with full control over these external users, as they are managed the same way as internal users. This scenario is the easiest to manage, although it may raise a security issue because external users are not segregated from internal users.
- Scenario 2: Implement a second instance of Syncplicity Enterprise Edition and configure its SSO to a dedicated IdP for these external users. If the external user already has an existing Syncplicity account, their IdP may implement 2FA/MFA. Keep in mind that there is no way to enforce this, for example:
  - If you share folders and files with my personal (yahoo) account, then my login will use only username + password.
  - If you share folders and files with my Syncplicity account, then my login will use the Syncplicity IdP, which can include 2FA/MFA if it is configured.
Because of this limitation, 2FA/MFA cannot be guaranteed when sharing folders with external recipients. When sharing files with external recipients, however, your company admin can apply protection that forces recipients to log in and enter a password. For example, in order to use the shared link, the external recipient must log in (username and password) and then enter the link password. This provides 2FA for the shared file link. For more information, see Create a secured shared link in the article Sharing a file.