Multifactor authentication

Multifactor authentication adds an extra layer of security.

MFA is enforced for the following scenarios in Faspex 5:

  • Sending a package using a user invitation
  • Sending a package using a shared inbox invitation
  • Downloading a package using a public download link

Prerequisites

To enforce MFA for package downloads:
  1. Go to the Admin > Security > Advanced collaboration page.
  2. Under Package downloads, select the Anyone with the link can download option.
  3. Turn the Require a verification code to download packages slider On.

To enforce MFA for package uploads:
  1. Go to the Admin > Security > Advanced collaboration page.
  2. Scroll down to the end of the page and turn the Require a verification code to upload packages slider On.

Configure MFA

After you enable MFA for either downloads or uploads, the following settings are available:
  • Total number of attempts allowed: The maximum number of verification attempts allowed. The default is 3.
  • Verification code expires after (minutes): The amount of time, in minutes, after which the MFA code expires.

Locked out state

Links can be temporarily locked after repeated failed verification attempts to protect against unauthorized access.

The lockout behavior follows an escalating pattern:

  • After exhausting all allowed attempts, the link is temporarily locked for 1 minute.
  • Once the 1-minute lock expires, the user has one more attempt.
  • If this attempt also fails, the link is locked for 15 minutes.
  • After the 15-minute lock, any further failed attempts will cause the link to be locked for 1 hour.

This escalating lockout policy helps protect against brute-force attacks while still giving users a fair chance to recover access.
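
The escalating pattern above can be modelled as a small state machine to see how many failed verification attempts a link admits in a given period. This is an added example, not Faspex code: the names LinkLockout and max_failures_in_window are hypothetical, and the model assumes that entries made while a link is locked are rejected without being counted and that counters are never reset.

```python
from dataclasses import dataclass

# Lock durations in seconds, from the page: 1 minute, 15 minutes, 1 hour.
LOCK_STEPS = (60, 15 * 60, 60 * 60)

@dataclass
class LinkLockout:  # hypothetical model, not Faspex code
    max_attempts: int = 3      # "Total number of attempts allowed" (default 3)
    failures: int = 0          # failed attempts since the last lock
    level: int = 0             # how many locks have been applied so far
    locked_until: float = 0.0  # time (seconds) at which the current lock ends

    def record_failure(self, now: float) -> int:
        """Register one failed code entry; return the lock applied (0 if none)."""
        if now < self.locked_until:
            # Assumption: entries made during a lock are rejected, not counted.
            raise RuntimeError("link is locked")
        self.failures += 1
        # Full budget before the first lock, a single attempt after any lock.
        budget = self.max_attempts if self.level == 0 else 1
        if self.failures < budget:
            return 0
        duration = LOCK_STEPS[min(self.level, len(LOCK_STEPS) - 1)]
        self.level += 1
        self.failures = 0
        self.locked_until = now + duration
        return duration

def max_failures_in_window(seconds: float, max_attempts: int = 3) -> int:
    """Upper bound on failed entries the policy admits within a time window."""
    state, now, count = LinkLockout(max_attempts=max_attempts), 0.0, 0
    while now < seconds:
        state.record_failure(now)
        count += 1
        now = max(now, state.locked_until)  # wait out any lock just applied
    return count

if __name__ == "__main__":
    for label, window in (("1 hour", 3600), ("24 hours", 86400)):
        print(label, max_failures_in_window(window))
```

Comparing the resulting bound with the number of possible verification codes shows whether the configured attempt count is acceptable for a given link lifetime.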