Use of the extra-verification step provided by multi-factor authentication should be measured against the level of access for a specific user class and the business value of the resources managed by MOVEit Transfer.

Note: These controls manage MFA for WebUI users and do not apply to SFTP (FTP over SSH) or FTPS sessions. Direct or command-line FTPS and SFTP sessions do not utilize the WebUI layer for sign-on but can use alternate forms of MFA, such as requiring both credentials and client certificates.

Allow Multi-Factor Authentication. Click to enable the full set of administrator controls.

Important: After you enable MFA, you must select at least one method (email or mobile device, for example) to deliver the one-time PIN to verify your users.

Determine if Users are Required, Exempted, or able to Self-Opt for MFA

You can require multi-factor authentication by each registered user class. You can also exempt users individually.

  • Require. Select a user class checkbox on the Enforce Multi-Factor Authentication panel. SETTINGS > Security Policies > User Auth > Multi-Factor Authentication
  • Exempt. Edit individual user profile to exempt user from a required policy. USERS > username > User Profile - User Settings - User Authentication - Multi-Factor Authentication
  • Allow one or More User Classes to Self-Opt. Select a method of verification but leave checkboxes blank on the Enforce Multi-Factor Authentication panel.
Note: It is best practice to notify users of any security policies that alter the sequence of steps or information needed at sign on before you apply these controls.