Box adds an extra layer of security to prevent bad actors from performing critical actions in the Admin Console. For certain actions, an Admin or Co-Admin must complete an extra level of authentication before those actions can be completed. These actions are:
- Add, change, or delete MFA (multi-factor authentication) settings for both managed and external users
- Enable or disable the SSO Required setting
When an Admin or Co-Admin performs any of these actions, they will be required to perform multi-factor authentication (MFA) to complete the action, based on the following:
- If the Admin or Co-Admin is enrolled in MFA, they will be presented with the challenge based on their authentication method.
- If the Admin or Co-Admin is not enrolled in MFA, they will be presented with an email MFA challenge. Successfully completing this challenge does NOT enroll them in MFA.
- If the Admin or Co-Admin is SSO-enabled, they will be presented with an email MFA challenge.
Note: After you enter an MFA challenge correctly, there is a 15-minute grace period in which you can perform other critical actions without getting another MFA challenge.