
Preventing an attacker from bypassing 2FA

Beginning in FileCloud 20.1, FileCloud only allows a user to set their phone number once. Once the phone number has been added, the user must contact their admin to change it. This prevents an attacker who has obtained a user name and password from modifying the user's phone number to bypass two-factor authentication (2FA). It also prevents an attacker who has obtained the original phone number from restoring it so that the user does not realize there has been an attack.

To allow a user to set their phone number once (the default behavior), the following setting appears in the config file:

```php
// 1: a user may set their 2FA phone number once; later changes require an admin
define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 1);
```

To require users to contact their admin to set their phone number initially and to change it, set TONIDOCLOUD_ENABLE_USER_SET2FASMS to 0:

```php
// 0: only an admin may set or change a user's 2FA phone number
define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 0);
```
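
How the set-once rule can be enforced in application code, as an added PHP illustration that is not FileCloud's own code. The constant name comes from the page; the User class, the admin flag and the error messages are assumptions:

```php
<?php
// Added illustration, not FileCloud code. Only the constant name is from the page;
// the User class, its isAdmin flag and the messages below are assumptions.
define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 1);

final class User {
    public function __construct(
        public string $name,
        public ?string $phone = null,   // null until a 2FA phone number has been recorded
        public bool $isAdmin = false,
    ) {}
}

/**
 * Policy described on the page:
 *   setting 0: only an admin may set or change a user's 2FA phone number
 *   setting 1: the owner may set it exactly once; afterwards only an admin may change it
 * Restoring a previous number counts as a change, so a number that was swapped
 * cannot quietly be put back by anyone but an admin.
 */
function set2faPhone(User $target, string $newPhone, User $actor): void {
    if ($actor->isAdmin) {
        $target->phone = $newPhone;          // admin-mediated set or change is always allowed
        return;
    }
    if ($actor->name !== $target->name) {
        throw new RuntimeException("only the account owner or an admin may set a 2FA number");
    }
    if (TONIDOCLOUD_ENABLE_USER_SET2FASMS !== 1) {
        throw new RuntimeException("contact your admin to set your 2FA phone number");
    }
    if ($target->phone !== null) {
        throw new RuntimeException("2FA phone number already set; contact your admin to change it");
    }
    $target->phone = $newPhone;              // first and only self-service set
}

// Walk-through with constructed sample accounts
$alice = new User("alice");
$admin = new User("admin", null, true);
set2faPhone($alice, "+1-555-0100", $alice);          // first set by the owner: allowed
try {
    set2faPhone($alice, "+1-555-0199", $alice);      // second set with alice's credentials: refused
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
set2faPhone($alice, "+1-555-0199", $admin);          // change through the admin: allowed
```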

In addition, to prevent an attacker from gaining access with another user's token, if a token is invalid, the system clears it and requires the user to sign in again.
