Multi-factor authentication (MFA) is a security mechanism where users must provide two or more pieces of evidence, or factors, before being allowed access to a product or service, such as Box. The most common form is 2-factor authentication (2FA), in which users must authenticate with two of the following factors:
| Factor | Definition | Example |
|---|---|---|
| Knowledge | Something only the user knows. | Passwords |
| Possession | Something only the user has. | Hardware and software keys |
| Inherence | Something only the user is. | Fingerprints |
If your organization does not use single sign-on (SSO) for authentication, Box enables users to set up 2-factor authentication for their accounts. The first factor is a password (knowledge). The second factor is a one-time password (OTP), which serves as the possession factor; users can receive it by SMS or generate it with an authenticator app.
- SMS (short message service), the text messaging you use on your phone, delivers one-time passwords created by a secure random generator.
- Authenticator apps use an algorithm to generate one-time passwords on demand; each code is unique and expires after a defined period, typically a number of seconds or minutes. Box 2FA supports authenticator apps that implement the TOTP (time-based one-time password) algorithm defined in the Internet Engineering Task Force specification IETF RFC 6238. Applications that follow this specification include Google Authenticator, Microsoft Authenticator, Authy, Duo, and LastPass; however, your administrator may require that you use a specific TOTP-compliant authenticator app.
Note
Box recommends using a supported authenticator app as your second 2FA method. There are known issues with using SMS for 2FA, including:
- SMS may not be available because a user is traveling, offline, or in a country that does not support 2FA through SMS. By contrast, once you share a secret with an authenticator app (for example, by scanning a QR code with the app), the app is self-sufficient and no longer needs a network connection to generate future one-time passwords.
- There are known SMS security vulnerabilities, such as SIM swapping.
However, using an authenticator app is not supported for FTP access to Box for non-SSO (single sign-on) customers. If you enable 2FA and want to access Box via FTP, you must use SMS for 2FA.
The administrator of your Box enterprise may require external collaborators to use 2FA. If so, the administrator may either require that the 2FA method be an authenticator app or also allow 2FA via SMS.
To enable 2-factor authentication with an authenticator app for your individual account:
- Click on your account icon in the top-right corner of the page, and select Account Settings.
- Under the Account tab, scroll to the 2-Step Verification section. (Note: You will not see this section if your organization uses single sign-on (SSO) for authentication.)
- Click Set up.
- Select Authentication App (recommended) and click Next.
- Open the authentication app on your phone and scan the QR code. (You can also enter the secret key located under the QR code into the authenticator app manually.)
- Enter the code you received in the authenticator app and click Submit.
To enable SMS 2-factor authentication for your individual account:
Note
Your Box administrator may not allow SMS as an authentication method. If so, this option will not be available to you.
- Click on your account icon in the top-right corner of the page, and select Account Settings.
- Under the Account tab, scroll to the 2-Step Verification section. (Note: You will not see this section if your organization uses single sign-on (SSO) for authentication.)
- Click Enable.
- Select SMS Text Message and click Next.
- Enter your phone number and click Continue. See Supported countries for SMS for a list of countries that support 2FA via SMS.
- Enter the code you received as a text message and click Submit.
To remove a multi-factor authentication method from your individual account:
- Click on your account icon in the top-right corner of the page, and select Account Settings.
- Under the Account tab, scroll to the Authentication section.
- Click Remove next to the authentication method you want to remove, and then click Remove in the confirmation dialog box.
Note
If your administrator requires you to use multi-factor authentication and you remove all methods, you will have to add one before you can authenticate the next time you sign in.
Supported countries for SMS
Box offers SMS (text message) as the second authentication factor, and the following countries support this method as of September 2019:
Africa and Middle East: Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Cape Verde, Central Africa, Chad, Comoros, Congo, Djibouti, DR Congo, Equatorial Guinea, Ethiopia, Eritrea, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Iran, Iraq, Israel, Ivory Coast, Lebanon, Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Morocco, Mozambique, Namibia, Niger, Nigeria, Reunion/Mayotte, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Swaziland, Syria, Togo, Tunisia, Uganda, Yemen, Zambia, Zimbabwe
Asia: Afghanistan, Azerbaijan, Bangladesh, Bhutan, Brunei, Cambodia, China, East Timor, Georgia, Hong Kong, India, Japan, Korea (Republic of), Kyrgyzstan, Laos PDR, Macau, Malaysia, Maldives, Mongolia, Myanmar, Nepal, Pakistan, Singapore, Sri Lanka, Taiwan, Tajikistan, Turkmenistan, Uzbekistan, Vietnam
Europe: Albania, Andorra, Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Gibraltar, Greece, Greenland, Guernsey, Hungary, Iceland, Ireland, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Macedonia, Malta, Moldova, Monaco, Montenegro, Netherlands, Netherlands Antilles, Norway, Poland, Portugal, Romania, San Marino, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Ukraine, United Kingdom
North America: Anguilla, Antigua and Barbuda, Aruba, Bahamas, Barbados, Belize, Bermuda, Canada, Cayman Islands, Costa Rica, Cuba, Dominica, Dominican Republic, El Salvador, Grenada, Guadeloupe, Guatemala, Haiti, Honduras, Jamaica, Martinique, Mexico, Montserrat, Nicaragua, Panama, Puerto Rico, St Kitts and Nevis, St Lucia, St Pierre and Miquelon, St Vincent Grenadines, Trinidad and Tobago, Turks and Caicos Islands, United States, Virgin Islands (British), Virgin Islands (U.S.)
Oceania: American Samoa, Australia, Cook Islands, Fiji, French Polynesia, Guam, Marshall Islands, Micronesia, New Caledonia, New Zealand, Norfolk Islands, Niue, Palau, Papua New Guinea, Samoa, Solomon Islands, Tonga, Tuvalu, Vanuatu
South America: Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Falkland Islands, French Guiana, Guyana, Paraguay, Peru, Suriname, Uruguay, Venezuela
If you're locked out of your account
If you are locked out of your account because your phone number changed, or you otherwise cannot access the confirmation codes sent to your mobile device, contact your primary admin, who can disable 2FA on your account. Business Plus and Enterprise admins can use the instant login feature in the Admin Console to disable 2FA in a user's Account Settings.
If you are in a Personal, Starter or Business account, please reach out to Box Product Support for assistance.