Box has an ongoing effort to better protect admins against bad actors through requiring multi-factor authentication (MFA) before performing critical actions in the admin console. We’ve now classified changing SSO as a critical action and will be including it under this extra layer of verification.
Since the damage caused by compromised admin credentials and permissions can be so much higher than that of a regular user, we are continuing to add new protections to secure our critical Box admin users. We previously deployed some new protections to harden admins against attack, including:
- Adding zero trust protections to restrict bad actors’ ability to leverage compromised admin accounts to create new admins.
- Requiring an additional MFA check before allowing admins to change MFA requirements for the organization.

And now, we are expanding those additional MFA check requirements to include changes to SSO requirements for the organization.
As a further update to these protections, going forward these additional checks will also be required for admins who sign in using single sign-on (SSO). As in the prior enhancement, admins who already have MFA enabled will be verified using the authentication factor (email, SMS, TOTP) they have selected; admins without MFA enabled, and SSO-enabled admins, will default to email verification.
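To make the policy above concrete for teams building similar step-up checks into their own admin consoles, here is an added, illustrative gate in Python. It is not Box's code: the action names, the `Admin` record, the in-memory audit log and the five-minute freshness window are all assumptions, and the factor-selection rule follows the reading of the paragraph above (enrolled factor for MFA-enabled admins; email for admins without MFA and for SSO admins).

```python
"""Illustrative step-up MFA gate for critical admin-console actions.

Not Box's code: a generic sketch of the policy described on the page, with
assumed names, a constructed in-memory audit log and an assumed freshness window.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actions the page treats as critical: creating admins, changing the
# organisation's MFA requirements, and (newly) changing SSO requirements.
CRITICAL_ACTIONS = {"create_admin", "change_mfa_requirements", "change_sso_requirements"}

# Factors the page lists for enrolled admins.
SUPPORTED_FACTORS = {"email", "sms", "totp"}

# How long a completed step-up stays valid for further critical actions.
# The page gives no number; five minutes is an assumed value.
STEP_UP_MAX_AGE_SECONDS = 300


@dataclass
class Admin:
    user_id: str
    mfa_factor: Optional[str] = None  # None: MFA not enabled for this admin
    sso_enabled: bool = False
    # Most recent successful step-up: (factor used, unix timestamp)
    last_step_up: Optional[Tuple[str, float]] = None


class StepUpRequired(Exception):
    """Raised when a critical action is attempted without a fresh verification."""

    def __init__(self, action: str, factor: str):
        super().__init__(f"{action!r} requires a fresh verification via {factor}")
        self.action = action
        self.factor = factor


AUDIT_LOG: List[Dict] = []  # constructed in-memory audit trail


def select_challenge_factor(admin: Admin) -> str:
    """Pick the factor to challenge with, following the page's rule:
    MFA-enabled admins use the factor they selected; admins without MFA,
    and SSO admins, fall back to email verification."""
    if admin.sso_enabled or admin.mfa_factor is None:
        return "email"
    if admin.mfa_factor not in SUPPORTED_FACTORS:
        raise ValueError(f"unknown factor {admin.mfa_factor!r}")
    return admin.mfa_factor


def record_step_up(admin: Admin, factor: str, now: Optional[float] = None) -> None:
    """Record a successful challenge. Assumes the caller has already verified
    the factor (OTP checked, email link clicked, etc.)."""
    ts = time.time() if now is None else now
    admin.last_step_up = (factor, ts)
    AUDIT_LOG.append({"event": "step_up_ok", "user": admin.user_id,
                      "factor": factor, "at": ts})


def authorize_admin_action(admin: Admin, action: str, now: Optional[float] = None) -> str:
    """Gate for admin-console actions: returns "allowed" or raises StepUpRequired.
    Non-critical actions pass without an extra check. A step-up only counts if it
    used the factor the policy expects for this admin and is still fresh."""
    ts = time.time() if now is None else now
    if action not in CRITICAL_ACTIONS:
        return "allowed"
    expected = select_challenge_factor(admin)
    proof = admin.last_step_up
    fresh = (
        proof is not None
        and proof[0] == expected
        and 0 <= ts - proof[1] <= STEP_UP_MAX_AGE_SECONDS
    )
    if not fresh:
        AUDIT_LOG.append({"event": "step_up_required", "user": admin.user_id,
                          "action": action, "factor": expected, "at": ts})
        raise StepUpRequired(action, expected)
    AUDIT_LOG.append({"event": "critical_action", "user": admin.user_id,
                      "action": action, "at": ts})
    return "allowed"


if __name__ == "__main__":
    # An SSO admin changing SSO settings is challenged by email, per the page.
    sso_admin = Admin("admin-sso", mfa_factor="totp", sso_enabled=True)
    try:
        authorize_admin_action(sso_admin, "change_sso_requirements", now=1000.0)
    except StepUpRequired as e:
        print("challenge via:", e.factor)
    record_step_up(sso_admin, "email", now=1010.0)
    print(authorize_admin_action(sso_admin, "change_sso_requirements", now=1020.0))
```

The gate deliberately rejects a step-up performed with the wrong factor (for example a TOTP proof when the policy expects email for an SSO admin) and one older than the window, and writes both the challenge and the completed critical action to the audit log so that unexpected SSO or MFA changes can be reviewed afterwards.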
To learn more about how to set up Multi-Factor Authentication within your Box account, look here.