Product Guides will soon move to a new site. Check out all the details on what's changing.

Box Status
Print

Configuring Multi-Factor Authentication

has_image , Admin , 2fa , Article , New , Instruction , Secure

Box multi-factor authentication (MFA), sometimes known as two-factor authentication (2FA), enables you to increase your content security and better protect your enterprise's content from unauthorized external access. It requires users to periodically authenticate with more than one method when they log in to Box. You can enable or disable multi-factor authentication for:

  • All of your organization's managed users
  • All of your organization's external collaborators, or just for specific external collaborators based on their domains or their email addresses

This topic describes how to configure multi-factor authentication for your managed users and for your external collaborators.

Note

Making changes to your multi-factor authentication settings for managed users is considered a "critical action" in the Admin Console. For security reasons it is restricted to Admins, who must complete their own MFA to proceed. Co-admins are limited to read-only access for these settings.

Configuring Multi-Factor Authentication for your Managed Users

  1. Go to Admin Console > Enterprise Settings > Security.
  2. In the Multi-Factor Authentication section, enable Require multi-factor authentication for all managed users. If SSO Required is turned on, this setting will be hidden. 
  3. Configure the Authentication Method and Authentication Frequency. See the Multi-Factor Authentication section in Enterprise Settings: Security Tab for details. 
  4. Select Save.
    When you enable and save this setting, Box sends email notifications to your existing managed users if SSO is in test mode and users do not have MFA enabled. This alerts them to log in and complete the setup of multi-factor authentication for their account.
  5. Use MFA to authenticate this change:
    • If you are already enrolled in the MFA, you need to authenticate the change using your chosen MFA method
    • If you are not enrolled in any MFA, Box will send you a verification code by email. Use this code to authenticate
  6. When you enter the correct code, your configuration or other changes are saved. If the code is incorrect, you receive an error message.

Note
When you enable multi-factor authentication for logins, people must log in again through the Box web app to set up the association with their mobile phone. If they do not first log into their account through the Box web app, they can't use any mobile device to access Box.

After the initial successful login, Box will remember the browser and you will not be prompted for MFA within the defined authentication frequency if you need to log in again. Only clearing the browser's cache and cookies will re-prompt MFA.

If Single Sign On (SSO) is enabled for your account in Required Mode, you will not be able to enable multi-factor authentication here because it is configured by your SSO provider. Go to Admin Console > Enterprise Settings > User Settings tab to access single sign-on settings. MFA will still be available if SSO is configured in Test Mode. See Setting up Single Sign-On for more information. 

Note
When you enable and save this setting, Box sends email notifications to all of your existing managed users, alerting them to log in and complete the setup of multi-factor authentication for their account.

If someone loses their phone or for some other reason cannot access the confirmation codes sent to their mobile device, you can exempt this individual from the multi-factor authentication requirement. People who are exempt are able to log in successfully with only their Box password.

Configuring 2-step login verification for external collaborators

After you enforce 2FA, external collaborators must enroll in 2FA with Box to access your enterprise's shared content. External collaborators who are already enrolled in 2FA with Box, or who are using an SSO provider to access their Box account, can continue to access the shared content.

Note

Making changes to your multi-factor authentication settings for managed users is considered a "critical action" in the Admin Console. For security reasons it is restricted to Admins, who must complete their own MFA to proceed. Co-admins are limited to read-only access for these settings.

  1. Go to Admin Console > Enterprise Settings > Security.
  2. In the Multi-Factor Authentication section, under External Users, select Configure or Edit Configuration
  3. In the 2-Step Verification for External Collaborators dialog box, select whether to disable 2-step login, enable 2-step login for all external collaborators, or enable for - or except for - a defined set of external collaborators. If you enable 2-step login, select when it will be enforced. For more details, see the External Collaborators section in Enterprise Settings: Security Tab.
  4. Click Save
  5. Use MFA to authenticate this change, using the method described in Multi-Factor Authentication Required for Admin Console Critical Actions.
  6. At the top of the page, click Save.

The External Collaborator's experience with 2FA for External Collaborators

It is important to know how 2FA affects external collaborators. When you enforce 2FA, external collaborators can have different experiences, as summarized in this table:

External collaborator Experience To gain access to shared content
Is enrolled in 2FA with Box Can access shared content if enrolled with required authentication method N/A
Uses SSO to log into Box Can access shared content N/A
  • Is not enrolled in 2FA with Box and does not use SSO
  • Previously collaborated on shared folders
  • Cannot access your enterprise's shared content
  • Can access all folders from outside of your enterprise
  • In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the Files page, or from the Account Settings page.
  • Is not enrolled in 2FA with Box and does not use SSO
  • Is invited to a new collaboration
  • Cannot access your enterprise's newly shared content
  • Can access all folders from outside of your enterprise
  • In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the Files page, or from the Account Settings page.
  • Does not have a Box account
  • Is invited to a new collaboration

Receives an invitation email to accept the collaboration invite by signing up for a new Box account

 

 
  1. Register for a new Box account
  2. In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the Files page, or from the Account Settings page.
 
When the setting is on, 2FA times out every 30 days for external collaborators. As a result, if an external collaborator does not authenticate with 2FA for 30 days or longer, they are challenged with 2FA next time they try to log in. If the external collaborator is a managed user of another enterprise that has a 2FA timeout of less than 30 days for managed users, they will need to complete 2FA verification sooner as a result.
 

Email Notifications when setting up 2FA for External Collaborators

Email notifications will be sent if:

  • Users’ EIDs have SSO in Test Mode and users do not already have 2FA enabled, or
  • Users’ EIDs do not have SSO set up and users do not already have 2FA enabled

Email notifications will not be sent if:

  • Users are in an SSO-Required EID, and/or
  • Users already have 2FA

The Managed User's experience with 2FA for External Collaborators

Content owners who have active collaborations with external collaborators receive an email notification about the external collaborator accepting the collaboration as they enable 2FA on their account. This is only relevant where SSO is in Test Mode, as external collaborators who are using an SSO provider in Required Mode can continue to access the shared content. 

Under the hood, turning on 2FA for External Collaborators will flip any file or folder collaborations with an external user who does not already have 2FA set up in a "pending" state. Once they turn on 2FA on their account, it automatically accepts all collaborations again from your enterprise, which in turn sends out invitation acceptance emails to those content owners.

If your enterprise turns on 2FA, then subsequently decides to disable 2FA, any collaborators who had been moved into a pending status remain as pending and have 30 days to accept the invitation before it expires.

This can be a large number of emails depending on the number of external collaborators your users may be collaborating with. We would advise to communicate about this policy enforcement to avoid confusion, and review existing collaborations prior to enforcement.

Related articles