Multi-factor authentication (MFA) is a security mechanism where users must provide two or more pieces of evidence, or factors, before being allowed access to a product or service, such as Box. Most common is 2-factor authentication (2FA), where users are required to authenticate with two of the following:

| Factor | Definition | Example |
|---|---|---|
| Knowledge | Something only the user knows. | Passwords |
| Possession | Something only the user has. | Hardware and software keys |
| Inherence | Something only the user is. | Fingerprints |
If your organization does not use single sign-on (SSO) for authentication, Box enables users to set up 2-factor authentication for their accounts. The first factor is a standard password. The second factor is a one-time password (OTP), which is the possession factor, sent via the chosen method. You can choose authenticator apps, SMS, or email for the second factor.
- Authenticator apps use algorithms to generate one-time passwords, which are unique random passwords generated on demand by the application. These one-time passwords expire after a defined period of time, often a number of seconds or minutes. Box 2FA supports authenticator apps that are compliant with the TOTP (time-based one-time password) algorithm, which is defined by the Internet Engineering Task Force specification IETF RFC 6238. Applications that follow this specification include Google Authenticator, Microsoft Authenticator, Authy, Duo, and LastPass. However, your administrator may require that you use a specific TOTP-compliant authenticator app.
- SMS (short message service) is the text messaging you use on your phone. The one-time password is created by a secure random generator and delivered to you as a text message.
- Email sends a one-time code to the user's selected email address, which must be entered to access the Box account. This method ties login access to the user's email account, which prevents former users from signing in.
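As an added example (not Box's code), the following shows the RFC 6238 algorithm that the authenticator apps listed above implement, together with the server-side check that accepts a code only within a small time window and only once. The secret is the RFC 6238 test key, constructed here for illustration; the skew and replay handling are assumptions about a typical verifier, not a description of Box's implementation.

```python
"""RFC 6238 TOTP: code generation (the app side) and verification (the server side)."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by Google Authenticator and most other apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Needs no network, only a clock."""
    return hotp(secret, at // step, digits)


def secret_from_base32(key: str) -> bytes:
    """Decode the base32 secret shown under the enrollment QR code (spaces and case ignored)."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps usually omit
    return base64.b32decode(cleaned)


def verify(secret: bytes, submitted: str, at: int, last_used_step: int = -1, skew_steps: int = 1):
    """Server-side check. Returns the accepted time step, or None.

    Accepts the current step plus/minus skew_steps to tolerate clock drift, refuses any
    step at or before last_used_step so a captured code cannot be replayed, and uses a
    constant-time comparison so timing does not leak which digits matched.
    """
    step_now = at // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        step = step_now + delta
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(demo_secret, int(time.time())))
```

The 8-digit values in the RFC's own test vectors (for example 94287082 at Unix time 59) come out of `totp(secret, 59, digits=8)`, which is a quick way to confirm any TOTP implementation before trusting it.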
Note
Box recommends using a supported authenticator app as your second 2FA method. There are known issues with using SMS for 2FA, including:
- SMS may not be available because a user is traveling, offline, or in a country that does not support 2FA through SMS. By contrast, once you share a secret with an authenticator app, such as by scanning a code with the app, the app is self-sufficient and no longer needs a network connection to generate future one-time passwords.
- There are known SMS security vulnerabilities, such as SIM swapping.
However, using an authenticator app is not supported for FTP access to Box for non-SSO (single sign-on) customers. If you enable 2FA and want to access Box via FTP, you must use SMS for 2FA.
The administrator of your Box enterprise may require 2FA to be used for external collaborators. If so, the administrator may also require that the 2FA method be via an authenticator app, or the administrator may also allow 2FA via SMS.
Box also provides backup codes when you use an authenticator app to allow login if your MFA device is not available, such as when you are in an area with no cellular signal, your device was lost or stolen, or you have a new device.
After the initial successful login, Box will remember the browser and you will not be prompted for 2FA if you need to log in again. Only clearing the browser's cache and cookies will re-prompt 2FA.
You can enable only one of authenticator app, SMS, or email for 2-factor authentication, and only if your organization does not use single sign-on (SSO) for authentication. If it does, the 2-Step Verification section is not visible in your account settings.
To enable authenticator app 2-factor authentication for your individual account:
- Go to Account Settings > Account.
- In the 2-Step Verification section, click Set Up.
- Click Set up.
- Select Authentication App (recommended) and click Next.
- Open the authentication app on your phone and scan the QR code. (You can also enter the secret key located under the QR code into the authenticator app manually.)
- Enter the code you received in the authenticator app and click Submit.
- Enter a phone number for verification, which would be used by Box support to verify your identity in the case where you are not able to authenticate in the app, and click Submit.
- Copy the backup codes. Once copied, paste them into a file only you have access to and save the file somewhere secure.
- Click Complete.
To enable SMS 2-factor authentication for your individual account:
Note
Your Box administrator may not allow SMS as an authentication method. If so, this option will not be available to you.
- Go to Account Settings > Account.
- In the 2-Step Verification section, click Set Up.
- Click Enable.
- Select SMS Text Message and click Next.
- Enter your phone number and click Continue. See Supported countries for SMS for a list of countries that support 2FA via SMS.
- Enter the code you received as a text message and click Submit.
If you need to limit who has access to your Box content, using Email MFA can make it so only current users have access to the content.
To enable Email 2-factor authentication for your individual account:
- Go to Account Settings > Account.
- In the 2-Step Verification section, click Set Up.
- Click Set Up.
- Select Email and click Next.
- The following window confirms you’ll use email MFA to sign in. Click Submit to continue.
- Select the email you’d like to use for the Box login.
- Enter the code sent to the email you selected for MFA.
After setting up MFA with your email, you're notified that email MFA is required the next time you log in.
To remove a multi-factor authentication method from your individual account:
- Click on your account icon in the top-right corner of the page, and select Account Settings.
- Under the Account tab, scroll to the Authentication section.
- Click Remove next to the authentication method you want to remove, and then click Remove in the confirmation dialog box.
Note
If your administrator requires you to use multi-factor authentication and you remove all methods, you will have to add one before you can get authenticated next time you sign in.
Supported countries for SMS
Box offers SMS (text message) as the second authentication factor, and the following countries support this method as of September 2019:
Africa and Middle East: Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Cape Verde, Central Africa, Chad, Comoros, Congo, Djibouti, DR Congo, Equatorial Guinea, Ethiopia, Eritrea, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Iran, Iraq, Israel, Ivory Coast, Lebanon, Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Morocco, Mozambique, Namibia, Niger, Nigeria, Reunion/Mayotte, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Swaziland, Syria, Togo, Tunisia, Uganda, Yemen, Zambia, Zimbabwe
Asia: Afghanistan, Azerbaijan, Bangladesh, Bhutan, Brunei, Cambodia, China, East Timor, Georgia, Hong Kong, India, Japan, Korea Republic of, Kyrgyzstan, Laos PDR, Macau, Malaysia, Maldives, Mongolia, Myanmar, Nepal, Pakistan, Singapore, Sri Lanka, Taiwan, Tajikistan, Turkmenistan, Uzbekistan, Vietnam
Europe: Albania, Andorra, Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Gibraltar, Greece, Greenland, Guernsey, Hungary, Iceland, Ireland, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Macedonia, Malta, Moldova, Monaco, Montenegro, Netherlands, Netherlands Antilles, Norway, Poland, Portugal, Romania, San Marino, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Ukraine, United Kingdom
North America: Anguilla, Antigua and Barbuda, Aruba, Bahamas, Barbados, Belize, Bermuda, Canada, Cayman Islands, Costa Rica, Cuba, Dominica, Dominican Republic, El Salvador, Grenada, Guadeloupe, Guatemala, Haiti, Honduras, Jamaica, Martinique, Mexico, Montserrat, Nicaragua, Panama, Puerto Rico, St Kitts and Nevis, St Lucia, St Pierre and Miquelon, St Vincent Grenadines, Trinidad and Tobago, Turks and Caicos Islands, United States, British Virgin Islands, U.S. Virgin Islands
Oceania: American Samoa, Australia, Cook Islands, Fiji, French Polynesia, Guam, Marshall Islands, Micronesia, New Caledonia, New Zealand, Norfolk Islands, Niue, Palau, Papua New Guinea, Samoa, Solomon Islands, Tonga, Tuvalu, Vanuatu
South America: Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Falkland Islands, French Guiana, Guyana, Paraguay, Peru, Suriname, Uruguay, Venezuela
If you're locked out of your account
If you find yourself locked out of your account due to a changed phone number, or for some other reason cannot access the confirmation codes sent to your mobile device, please contact your primary admin, who can disable 2FA on your account. Business Plus and Enterprise admins can use the instant login feature in the Admin Console to disable 2FA in a user's Account Settings.
If you are in a Personal, Starter or Business account, please reach out to Box Product Support for assistance.