Box Status
Print

Configuring Multi-Factor Authentication

has_image , 2fa , Article , New , Instruction , Secure

Box multi-factor authentication (MFA), sometimes known as two-factor authentication (2FA), enables you to increase your content security and better protect your enterprise's content from unauthorized external access. It requires users to periodically authenticate with more than one method when they log in to Box. You can enable or disable multi-factor authentication for

  • All of your organization's managed users.
  • All of your organization's external collaborators, or just for specific external collaborators based on their domains or their email addresses.

This topic describes how to configure multi-factor authentication for your managed users and for your external collaborators.

Note

Making changes to your multi-factor authentication settings for managed users is considered a "critical action" in the Admin Console, and for security reasons, requires MFA also for the Admin performing the action.

Configuring Multi-Factor Authentication for your Managed Users

  1. Go to Admin Console > Enterprise Settings > Security.
  2. In the Multi-Factor Authentication section, enable Require multi-factor authentication for all managed users.
  3. Configure the Authentication Method and Authentication Frequency. See the Multi-Factor Authentication section in Enterprise Settings: Security Tab for details. 
  4. Select Save.
    When you enable and save this setting, Box sends email notifications to all of your existing managed users, alerting them to log in and complete the setup of multi-factor authentication for their account.
  5. Use MFA to authenticate this change:
    • If you are already enrolled in the MFA, you need to authenticate the change using your chosen MFA method.
    • If you are not enrolled in any MFA, Box will send you a verification code by email. Use this code to authenticate.
  6. When you enter the correct code, your configuration or other changes are saved. If the code is incorrect, you receive an error message.

Note
When you enable multi-factor authentication for logins, people must log in again through the Box web app to set up the association with their mobile phone. If they do not first log into their account through the Box web app, they can't use any mobile device to access Box.

After the initial successful login, Box will remember the browser and you will not be prompted for MFA within the defined authentication frequency if you need to log in again. Only clearing the browser's cache and cookies will re-prompt MFA.

 

If Single Sign On (SSO) is enabled for your account, you will not be able to enable multi-factor authentication here because it is configured by your SSO provider. Go to Admin Console > Enterprise Settings > User Settings tab to access single sign-on settings. 

 

Note
When you enable and save this setting, Box sends email notifications to all of your existing managed users, alerting them to log in and complete the setup of multi-factor authentication for their account

 

If someone loses their phone or for some other reason cannot access the confirmation codes sent to their mobile device, you can exempt this individual from the multi-factor authentication requirement. Someone who's exempted is able to log in successfully with only their Box password.

 

Configuring 2-Step Login Verification for External Collaborators

After you enforce 2FA, external collaborators must enroll in 2FA with Box to access your enterprise's shared content. External collaborators who are already enrolled in 2FA with Box, or who are using an SSO provider to access their Box account, can continue to access the shared content.

Note

Making changes to your 2FA/MFA settings for external users is considered a "critical action" in the Admin Console, and for security reasons, requires MFA also for the Admin performing the action.

  1. Go to Admin Console > Enterprise Settings > Security.
  2. In the 2-Step Login Verification section, under External Users, click Configure.
  3. In the 2-Step Verification for External Collaborators dialog box, select whether to disable 2-step login, enable 2-step login for all external collaborators, or enable for or except for a defined set of external collaborators. If you enable 2-step login, also select when it will be enforced. For more details, see the 2-Step Verification section in Enterprise Settings: Security Settings.  
  4. Click Save
  5. Use MFA to authenticate this change, using the method described in Multi-Factor Authentication Required for Admin Console Critical Actions.
  6. At the top of the page, click Save.

The External Collaborator's Experience with 2FA for External Collaborators

It's important to know how 2FA affects external collaborators. When you enforce 2FA, external collaborators can have different experiences, as summarized in this table.

External collaborator Experience To gain access to shared content
Is enrolled in 2FA with Box Can access shared content if enrolled with required authentication method N/A
Uses SSO to log into Box Can access shared content N/A
  • Is not enrolled in 2FA with Box and does not use SSO
  • Previously collaborated on shared folders
  • Cannot access your enterprise's shared content
  • Can access all folders from outside of your enterprise
  • In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.
  • Is not enrolled in 2FA with Box and does not use SSO
  • Is invited to a new collaboration
  • Cannot access your enterprise's newly shared content
  • Can access all folders from outside of your enterprise
  • In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.
  • Does not have a Box account
  • Is invited to a new collaboration

Receives an invitation email to accept the collaboration invite by signing up for a new Box account

 

 
  1. Register for a new Box account
  2. In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.

 

Only users that do not have 2FA or SSO enabled for their accounts will receive the email notification. Users that already have 2FA enabled or are in an SSO-enabled or SSO-required EID will not receive the email notification to set up 2FA.

The Managed User's Experience with 2FA for External Collaborators

Note
 Content owners that have active collaborations with external collaborators receive an email notification about the external collaborator accepting (again) the collaboration as they enable 2FA on their account.

Under the hood, turning on 2FA for External Collaborators will flip any file or folder collaborations with an external user who do not already has 2FA set up in a "pending" state. Once they turn on 2FA on their account, it automatically accepts all collaborations again from your enterprise, which in turn sends out invitation acceptance emails to those content owners.

Further, if your enterprise turns on 2FA, then subsequently decides to disable 2FA, any collaborators who'd been moved into a pending status remain as pending and have 30 days to accept the invitation before it expires.

This can be a large number of emails depending on the number of external collaborators your users may be collaborating with and we would advise to communicate about this policy enforcement to avoid confusion and review existing collaborations prior to enforcement.

Related articles