Box is adding new multi-factor authentication (MFA) requirements to certain critical Box admin actions as part of our effort to better protect admins against attack.
Admins have long been an appealing target for bad actors, as the damage that can be done with admin credentials and permissions is much higher than that of a regular user. We previously deployed some new protections to limit bad actors' ability to leverage compromised admin accounts to create new admins, and we are continuing to secure admins by requiring an MFA check before admin accounts can perform certain potentially high-risk or critical actions. We are starting by applying this new requirement to enabling/disabling MFA requirements for the organization.
These MFA checks will not be required for admins using SSO. For admins who already have MFA enabled, the check will be performed using the authentication factor (email, SMS, TOTP) that they have selected; for admins without MFA enabled, it will default to email verification.
To learn more about how to set up Multi-Factor Authentication within your Box account, look here.