FTP program that needs pin to access

Looking for a program so clients can access just their files, one that e-mails them a new pin each time they try to access it. So they enter their e-mail and password, then the program e-mails them a new pin that they have to enter to access.

David Johnson, CD, MVP (Owner) Commented:
Nothing out of the box will do this. You will have to roll your own.
nobody40 (Author) Commented:
Crap...I'm not a programmer so I may be screwed.  :(
A bit of an odd request. Are you trying to do two factor authentication for some sort of compliance?
nobody40 (Author) Commented:
Yes for a legal client.
David Johnson, CD, MVP (Owner) Commented:
Citrix Sharefile is probably what you're looking for.
nobody40 (Author) Commented:
My client uses this site:  https://www.tlo.com/  and they have it in place so he wants it.
How is access to the files made?
nobody40 (Author) Commented:
Yes we need an FTP program, that we host, that has the two stage verification.
My guess is Tlo.com is using it for their website's "user login"
This would be much easier to implement for http (web authentication) than I suspect it will be for FTP

Just my opinion though
SmartFTP and Serv-U are two products that support two factor if you use SFTP.

You could also try to make use of OpenOTP and integrate it, but I figure somehow that the above options would be easier.
I don't see how one could keep a user partially authenticated until he receives the mail.

Can you share the formal requirement?
What you describe is OTP (implemented in the least secure way possible) keys generated by server software.

Look at e.g. Google or Battle.net authenticators for examples of OTP

When you say "FTP" are you looking to use this for traditional FTP (FTP client required)?

file uploads from a webpage? (Like uploading a picture on Facebook)?
Fred Marshall (Principal) Commented:
It seems to me that *email* isn't a particularly good way to meet the objective.
But then, I'm no expert on this.....
Perhaps others will comment.
[It seems to me that *email* isn't a particularly good way to meet the objective]

I'd be more concerned if the emailed password was permanent

The password here appears to be single use, sent to the user's email address (I'm assuming on file). Once used it's (again I'm assuming) deleted until a new password is generated on the next login
Fred Marshall (Principal) Commented:
I think the issue is the *state* of the login while awaiting email to arrive.
That seems an awkward implementation.
Agreed, but that would depend on if the term "FTP" is being used correctly by the OP

If these are HTTP events then after account authentication, the user would simply be at a screen prompting for a "PIN" before he/she could continue

I see this being much easier to implement with HTTP "FTP/SFTP"
nobody40 (Author) Commented:
Setting this up so clients can log in and view their surveillance videos and download them.  Passwords would be changed every 30 days.  So that site I listed has it so when you key in your user name and password it then asks for a pin that changes each time you log in....they e-mail or text you the pin each time.
Ok, so this is for a "Web portal" rather than an FTP server

Easy enough to implement

You'll need a programmer (I'd recommend one at least familiar with session management).  

At a minimum, your web server will need a DBMS, an SSL certificate (HTTPS), and the ability to send email.

You'll need to work with him/her to determine what other dependencies (if any) your project will have, and ensure that your web server has what's needed

I would also suggest you also consider blocking IPs after (x) number of failed login attempts (5 - 10 min should suffice)

-- Just my opinion
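
The flow this answer outlines (password check, then an e-mailed single-use PIN, with IP blocking after repeated failures), as an added example that is not part of the original thread. The `PinGate` class, the 5-minute PIN lifetime, the 5-attempt limit and the in-memory storage are assumptions; sending the e-mail is left to the caller.

```python
import hmac
import secrets
import time

PIN_TTL = 300    # assumed: an e-mailed PIN is valid for 5 minutes
MAX_FAILS = 5    # assumed value for the "(x)" failed attempts in the answer
LOCKOUT = 600    # 10 minutes, the upper end of the suggested block time
KEY = secrets.token_bytes(32)  # per-process key; PINs are stored only as MACs


class PinGate:
    """Second login step; call issue() only after the password check passed."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # session id -> (pin MAC, expiry time)
        self.fails = {}    # client IP -> (failed count, locked-until time)

    @staticmethod
    def _mac(session_id, pin):
        return hmac.new(KEY, f"{session_id}:{pin}".encode(), "sha256").digest()

    def issue(self, session_id):
        """Return a fresh 6-digit PIN for the caller to e-mail to the user."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = (self._mac(session_id, pin),
                                    self.clock() + PIN_TTL)
        return pin

    def verify(self, session_id, pin, ip):
        """Return 'ok', 'denied' or 'locked'; a PIN works once, before expiry."""
        now = self.clock()
        count, locked_until = self.fails.get(ip, (0, 0.0))
        if now < locked_until:
            return "locked"
        entry = self.pending.get(session_id)
        if (entry and now <= entry[1]
                and hmac.compare_digest(entry[0], self._mac(session_id, pin))):
            del self.pending[session_id]  # single use
            self.fails.pop(ip, None)
            return "ok"
        if count + 1 >= MAX_FAILS:
            self.pending.pop(session_id, None)  # user must log in again
            self.fails[ip] = (0, now + LOCKOUT)
            return "locked"
        self.fails[ip] = (count + 1, 0.0)
        return "denied"
```

In a real portal the `pending` and `fails` maps would live in the DBMS the answer mentions, keyed to the server-side session, so the "waiting for PIN" state survives between requests.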

