Multi-factor authentication (MFA) protects MOVEit Transfer WebUI accounts from unverified users when a user's account password is lost, stolen, or compromised.
Note: These controls manage MFA for WebUI users and do not apply to direct FTPS or SFTP (FTP over SSH) sessions. SFTP and FTPS services (which do not use WebUI sign-on) can use alternate forms of MFA, such as requiring both credentials and validation of a client certificate for successful sign-on.

To verify user identity, MOVEit Transfer gives users private access to a uniquely-generated verification code (made available by email or mobile app). This additional verification step ensures user sign on is genuine.

Allow Multi-Factor Authentication... Enables MFA organization-wide. (Check this box to reveal the full set of MFA administrator controls.)

(MFA Administrator Controls Panel)

  • Available Methods. View and select verification methods available to users.
  • Remember this Device. Enable users to bypass MFA from a device that was verified.
  • Enforce Multi-Factor Authentication. Implement MFA as policy across an entire user class. (For other classes it will be optional.)
  • Exempt a user. Decouple users from multi-factor authentication requirements altogether.

Best Practices for Applying MFA to Your Organization

Typical administrator tasks for 'roll-out' of multi-factor authentication follow:

1. Check your site's data requirements.

  • HIPAA, SOX, PCI, and so on typically require identity verification controls (MFA, for example) for administrator users.
  • Email affected users to notify them of the upcoming roll out of a new verification process.
  • If needed for policy compliance, give a time window where the selected users can expect to see a change in their sign on process.
  • If optional only, you can explain the benefits through email using links from the MOVEit Transfer User Guide or the Sign On Help.

2. Allow Multi-Factor Authentication...

  • Users can now opt in from MY ACCOUNT page to use designated methods (Available Methods).
  • (At their next sign in, users will be guided through the set up process.)

3. Add Available Methods.

Required. You must select at least one method.

4. Enable Remember this Device.

  • (Optional setting) Without this convenience, users will need to verify each time they sign in even after session timeouts.

5. Enforce Multi-Factor Authentication. (As policy)

  • (Optional setting) Selected users will be required to set up their account and sign on using MFA at next sign in. Set up screens will guide them through the process.
  • Users using SAML at sign in will not be affected.
  • Individually exempted users will not be affected.
  • (Optional setting) Organize exempted users into groups for tracking purposes.
Note: To learn more about how MOVEit Transfer users interact with multi-factor authentication (at sign-on and in MY ACCOUNT settings) see the MOVEit Transfer User Guide.

How Does MFA Affect My Users?

Multi-factor authentication in MOVEit Transfer is:

  • Available to registered user classes. (Guest unregistered user classes have no MOVEit Transfer account and only package-level access.)
  • Optional to all when enabled, unless a MOVEit Transfer system administrator requires it as policy.
  • Never required for user sessions initiated on the same machine or virtual machine where MOVEit Transfer runs.
  • Never required for users leveraging SAML.
    Tip: Multi-factor authentication adds another step in the MOVEit Transfer user sign-on sequence. Users can eliminate this step by adding the current device to a list of trusted clients by selecting the "Remember this device" option at sign on.
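The rules above can be read as a decision order for a single WebUI sign-on, which makes it possible to list the accounts for which a password alone still suffices. The Python model below is an added example, not MOVEit Transfer code or its API. The field names, class labels, sample accounts and the order in which the checks are applied are assumptions based on this page's wording.

```python
from dataclasses import dataclass

@dataclass
class Account:                 # hypothetical record, not a MOVEit export format
    name: str
    user_class: str            # constructed labels: "admin", "user"
    saml: bool = False         # signs on through SAML
    exempt: bool = False       # individually exempted by an administrator
    opted_in: bool = False     # turned MFA on from the MY ACCOUNT page

@dataclass
class Policy:                  # hypothetical mirror of the admin checkboxes
    allow_mfa: bool
    enforced_classes: frozenset
    remember_device: bool

def mfa_prompt(acct, policy, local_session=False, remembered_device=False):
    """Return (prompted, reason) for one WebUI sign-on by a registered user."""
    if not policy.allow_mfa:
        return False, "MFA not allowed for the organization"
    if local_session:
        return False, "session started on the MOVEit Transfer host"
    if acct.saml:
        return False, "SAML sign-on"
    if acct.exempt:
        return False, "individually exempted"
    enforced = acct.user_class in policy.enforced_classes
    if not (enforced or acct.opted_in):
        return False, "optional and not opted in"
    if policy.remember_device and remembered_device:
        return False, "remembered device"
    return True, ("enforced by policy" if enforced else "user opted in")

def password_only(accounts, policy):
    """Accounts whose remote sign-on from a new device gets no MFA prompt, with the reason."""
    results = ((a.name, mfa_prompt(a, policy)) for a in accounts)
    return {name: why for name, (prompted, why) in results if not prompted}

# Constructed sample data: MFA allowed, enforced for the "admin" class only.
POLICY = Policy(allow_mfa=True, enforced_classes=frozenset({"admin"}), remember_device=True)
ACCOUNTS = [
    Account("alice", "admin"),
    Account("bob", "admin", exempt=True),
    Account("carol", "user"),
    Account("dave", "user", opted_in=True),
    Account("erin", "admin", saml=True),
]

if __name__ == "__main__":
    print(password_only(ACCOUNTS, POLICY))
```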