Print

Multi-Factor Authentication Set Up for Your Account

Multi-factor authentication (MFA) is a security mechanism where users must provide two or more pieces of evidence, or factors, before being allowed access to a product or service, such as Box. Most common is 2-factor authentication (2FA), where users are required to authenticate from 2 of:

Factor Definition Example
Knowledge Something only the user knows. Passwords
Possession Something only the user has. Hardware and software keys
Inherence Something only the user is. Fingerprints

If your organization does not use single sign-on (SSO) for authentication, Box enables users to set up 2-factor authentication for their accounts. The first factor is a password. The second factor is a one-time password (OTP), which is the possession factor, and users can choose SMS or authenticator apps for their second factor. You can choose authenticator apps, SMS, or email for the second factor.

  • SMS is short message service, the text messaging you use on your phone, and receives one-time passwords created from a secure random generator.
  • Authenticator apps use algorithms to generate one-time passwords, which are are unique random passwords generated on demand by authenticator applications. These one-time passwords expire after a defined period of time, often a number of seconds or minutes. Box 2FA supports authenticator apps that are compliant with the TOTP (time-based one-time password) algorithm, which is defined by the Internet Engineering Task Force specification, IETF-6238. Applications that follow this specification include Google Authenticator, Microsoft Authenticator, Authy, Duo, and LastPass, however, your administrator may require that you use a specific TOTP-compliant authenticator app.
  • Email, similar to OTP authentication, sends a code to the user's selected email to access their Box account.This method ties login access to a user's email, preventing access from former users. 

Note

Box recommends using a supported authenticator app as your second 2FA method. There are known issues with using SMS for 2FA, including:

  • SMS may not be available because a user is traveling, offline, or in a country that does not support 2FA through SMS. Also, once you share a secret with an authenticator app, such as scanning a code with the app, the app is self-sufficient and no longer needs a network connection to generate future one-time passwords.
  • There are known SMS security vulnerabilities, such as SIM swapping.

However, using an authenticator app is not supported for FTP access to Box for non-SSO (single sign-on) customers. If you enable 2FA and want to access Box via FTP, you must use SMS for 2FA.

The administrator of your Box enterprise may require 2FA to be used for external collaborators. If so, the administrator may also require that the 2FA method be via an authenticator app, or the administrator may also allow 2FA via SMS.

Box also provides backup codes when you use an authenticator app or SMS as a second factor to allow login if your MFA device is not available, such as when you are in an area with no cellular signal, your device was lost or stolen, or you have a new device.

Enabling multi-factor Authentication

You can enable only one of authenticator app, email, or SMS for 2-factor authentication, and only if your organization does not use single sign-on (SSO) for authentication. If it does, the 2-Step Verification section is not visible in your account settings.

To enable authentication app multi-factor authentication for your individual account:

  1. Go to Account Settings > Account.
  2. In the 2-Step Verification section, click Set Up. (Note: You will not see this section if your organization uses single sign-on (SSO) for authentication.)
  3. Select Authentication App (recommended) and click Next.
  4. Open the authentication app on your phone and scan the QR code. (You can also enter the secret key located under the QR code into the authenticator app manually.)
  5. Enter the code you received in the authenticator app and click Submit.
  6. Enter a phone number for verification, which would be used by Box support to verify your identity in the case where you are not able to authenticate in the app, and click Submit.
  7. Copy the backup codes. Once copied, paste them into a file only you have access to and save the file somewhere secure. 
  8. Click Complete.

To enable email multi-factor authentication for your individual account:

  1. Go to Account Settings > Account. 
  2. In the 2-Step Verification section, click Set Up.
  3. Click Set Up.
  4. Select Email and click Next.
    • The following window confirms you’ll use email MFA to sign in. Click Submit to continue.
  5. Select the email you’d like to use for the Box login.
  6. Enter the code sent to the email you selected for MFA.

After setting up MFA with your email, you're notified that email MFA is required the next time you login.

To enable SMS multi-factor authentication for your individual account:

Note

Your Box administrator may not allow SMS as an authentication method. If so, this option will not be available to you.

  1. Go to Account Settings > Account.
  2. In the 2-Step Verification section, click Set Up.
  3. Select SMS Text Message and click Next.
  4. Enter your phone number and click Continue. See Countries not supported for SMS for a list of countries that do not support 2FA via SMS.
  5. Enter the code you received as a text message and click Submit.
  6. Copy the backup codes. Once copied, paste them into a file only you have access to and save the file somewhere secure.
  7. Click Complete.

Removing Multi-factor Authentication

To remove a multi-factor authentication method from your individual account:

  1. Click on your account icon in the top-right corner of the page, and select Account Settings.
  2. Under the Account tab, scroll to the Authentication section.
  3. Click Remove next to the authentication method you want to remove, and then click Remove in the confirmation dialog box.

Note

If your administrator requires you to use multi-factor authentication and you remove all methods, you will have to add one before you can get authenticated next time you sign in.

Countries not supported for SMS

Box offers SMS (text message) as the second authentication factor, and the following countries do not support this method as of February 2023:

 

Africa and Middle East: Iran, Syria

Asia: North Korea

Europe: Ukraine - Crimea, Donetsk, and Luhansk regions

North America: N/A

Oceania: N/A

South America: N/A

 

If you're locked out of your account

If you find yourself locked out of your account due to a changed phone number, or for some other reason cannot access the confirmation codes sent to your mobile device, please contact your primary admin, who can disable 2FA on your account. Business Plus and Enterprise admins can use the instant login feature in the Admin Console to disable 2FA in a user's Account Settings.


If you are in a Personal, Starter or Business account, please reach out to Box Product Support for assistance.

Related articles