Multi-factor authentication configuration

If you need additional security when accessing the FileHold application, the multi-factor authentication feature strengthens access security by requiring two methods to verify a user’s identity. FileHold supports multi-factor authentication (also called MFA, 2FA, or multi factor) with the Duo “Trusted Users” service.

Direct multi-factor authentication with Duo has been deprecated as of January 2024. You can continue to use Duo if you are using an external identity provider that supports Duo and you configure that external identity provider for FileHold.

An alternate method for multi-factor authentication is to authenticate with an external identity provider such as Microsoft Entra Authentication. In this case, the method of multi-factor authentication is completely controlled within the external identity provider.

Duo MFA is used when configured in FileHold. Each standard FileHold client supports MFA including: FileHold Desktop Application (FDA), web client, mobile web client, and Courier client.

The MFA feature has three basic operations:

  1. User logs on to FileHold.
  2. FileHold application server contacts Duo to obtain an authentication. The user logging in selects the option to be authenticated: “push”, call, or text. If the user does not have a Duo account, they will need to register and/or download the app.
  3. Duo sends authentication to FileHold. The user is logged into FileHold if Duo successfully delivers the authentication.

An administrator needs to set up the Duo account prior to configuring MFA in FileHold. This is the responsibility of the customer, not FileHold. Visit the Duo website for documentation.

Each user requiring authentication will also need to set up their own accounts with Duo. See the End User Guide for more information. MFA can be disabled for a particular user account. See Creating Locally Managed Users for more information.

The options to set the Duo username can be configured in C:\Program Files\FileHold Systems\Application Server\UserRoleManager. The following key can be set to "guid", "email", or "userid". "Guid" is the default username.

<add key="DuoUsername" value="guid" />
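
The check below is an added example, not FileHold code or part of the original documentation: a PowerShell function that inspects the text of the configuration file holding the key above and reports whether DuoUsername carries one of the three values listed. The function name, the status labels and the sample XML are assumptions made for illustration; the page does not name the file inside the UserRoleManager folder, so the file content is passed in as text.

```powershell
# Added example (not FileHold code). Values allowed for DuoUsername per this page.
$AllowedDuoUsernames = @('guid', 'email', 'userid')

function Test-DuoUsernameSetting {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $ConfigXml)   # config file content as text

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)         # throws if the content is not well-formed XML
    $nodes = @($doc.SelectNodes("//add[@key='DuoUsername']"))

    if ($nodes.Count -eq 0) {
        # The page states that guid is the default username.
        return [pscustomobject]@{ Status = 'Default'; Value = 'guid' }
    }
    if ($nodes.Count -gt 1) {
        # More than one entry: keep a single definition so the setting is unambiguous.
        return [pscustomobject]@{ Status = 'Duplicate'; Value = $null }
    }

    $value = $nodes[0].GetAttribute('value')
    if ($AllowedDuoUsernames -ccontains $value) {
        return [pscustomobject]@{ Status = 'Ok'; Value = $value }
    }
    if ($AllowedDuoUsernames -contains $value) {
        # Right word, different casing. Assumption: use the lowercase form shown on the page.
        return [pscustomobject]@{ Status = 'CheckCase'; Value = $value }
    }
    return [pscustomobject]@{ Status = 'Invalid'; Value = $value }
}

# Constructed sample input, not taken from a real FileHold server.
$sample = @'
<configuration>
  <appSettings>
    <add key="DuoUsername" value="mail" />
  </appSettings>
</configuration>
'@

Test-DuoUsernameSetting -ConfigXml $sample
```

Running the check after any edit to the key catches a misspelled value before users are sent to Duo under an unexpected username.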


To configure Duo MFA

  1. The Duo administrator account needs to be configured before the configuration in FileHold can occur. When setting up the application at Duo, select or search for the Web SDK in the Application list. Once the Duo account has been set up, the details needed for FileHold are provided on your account page. Review the Duo documentation for more information.
  2. In the Administration panel in FileHold, go to System configuration > Security > Logon and click Configure in the “Multi-factor authentication is disabled” area.
  3. Select the Provider tab.
  4. Copy and paste the Integration key, Secret key and API host name into the corresponding fields on the Provider tab in FileHold and click Save Settings.
  5. Click Test Connection.
  6. A message “Authentication is required. Please confirm your identity.” appears. Select one of the authentication methods. If you can't authenticate or aren't sure what to do, click Need help? on the left side of the Duo prompt.
  • Duo Push – Pushes a login request to your phone or tablet (if you have Duo Mobile installed and activated on your iOS, Android, or Windows Phone device). Just review the request and tap Approve to log in.
  • Call Me – Authenticate via phone callback.
  • Passcode – Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.

Example of Duo Push authentication method – notification sent to iOS Duo app

  7. Once authenticated, a message “Connection test to provider is successful. Enable multi-factor authentication now.” appears. Click the link to enable the MFA feature or select the Options tab.
  8. In the Options tab, select any of the following options:
  • Login is open to all users / Login is restricted to library administrators and higher / Login is restricted to system administrators – Click Change login restrictions to change who can currently access FileHold. Update the Restricted Access area in the Library Configuration > Settings > General page. Click Update to save login changes.
  • Enable multi-factor authentication – This option is disabled by default. A successful test must be completed before this check box can be enabled. Clearing the check box does not affect the settings, but it will render them unused by the login process for all users.
  • Require multi-factor authentication when Integrated Windows Authentication is used – For domain users. This option is enabled by default.
  • Require multi-factor authentication for external users – External users are those users who do not have a registered user account, such as external Courier users. This option is disabled by default.
  • Require multi-factor authentication for portal alias users – The user account set up for the Anonymous portal. This option is disabled by default.
  • Require multi-factor authentication for limited registered users – A user account that has been assigned to a group with a role of limited. This option is enabled by default.
  9. Click Save settings. Users will now need to use Duo to authenticate their login.