External collaborator bypassing 2FA
I have an external user (with Viewer Uploader permission) that says that she is able to log in using a favorites link and never is prompted for 2FA. She was invited to our space in Oct '21 so she had an established account prior to our enforcement of 2FA.
We made the settings below in our admin console in Nov '21:
Enabled for all external collaborators and the configuration tab has
Authentication Method: Text message (SMS) or Authenticator app (TOTP)
Requirement Level: Enable for all external collaborators
I've run a report to verify that we have no shared links with edit permissions.
How is she able to bypass the 2FA requirement?
-
Hi Bryan,
Welcome to the Box Community, I'm happy to help!
It's likely the external user already has 2FA enabled or could be using SSO before you even implemented it as a requirement to external users you are sharing content with. Take a look at this article and the table below for the expected behaviour when enforcing 2FA for external collaborators: https://support.box.com/hc/en-us/articles/360044195853-Configuring-Two-Step-Login-Verification
When you enforce 2FA, external collaborators can have different experiences, as summarized in this table.
| External collaborator | Experience | To gain access to shared content |
| --- | --- | --- |
| Is enrolled in 2FA with Box | Can access shared content if enrolled with required authentication method | N/A |
| Uses SSO to log into Box | Can access shared content | N/A |
| Is not enrolled in 2FA with Box and does not use SSO; previously collaborated on shared folders | Cannot access your enterprise's shared content; can access all folders from outside of your enterprise | In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page. |
| Is not enrolled in 2FA with Box and does not use SSO; is invited to a new collaboration | Cannot access your enterprise's newly shared content; can access all folders from outside of your enterprise | In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page. |
| Does not have a Box account; is invited to a new collaboration | Receives an invitation email to accept the collaboration invite by signing up for a new Box account | Register for a new Box account; in the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page. |
Let me know if you have questions, and I would be more than happy to help!
Regards,