As part of Box’s ongoing effort to better protect admins against bad actors, we have implemented additional multi-factor authentication (MFA) requirements before performing certain critical actions in the admin console. We’re now adding another critical action to the list, requiring additional verification before adding or removing a domain. This new restriction will help mitigate the threat of unauthorized user access, phishing or other social engineering attacks, and bypassing domain verification stemming from bad actors maliciously adding new approved domains using a compromised admin account.
Since the damage caused by compromised admin credentials and permissions can be so much higher than that of a regular user, we continue to implement additional protections to secure our critical Box admin users. Previously, we have released zero trust protections that limit bad actors' ability to create new admin accounts using compromised admin credentials, and added MFA checks for:
- Changing MFA requirements for the organization
- Enabling or disabling Single Sign-On (SSO) for the organization
To learn more about multi-factor authentication for your Box account, look here.