Help shape the future of Box
Welcome to Box Pulse, our product feedback tool powered by UserVoice. Got an idea for how to improve Box? Share it with us and gather support or vote on other people's ideas. Your feedback is essential to informing roadmap decisions and shaping the future of our products. Thanks for joining our community!
See user guide here.
384 results found
-
MFA Excluded User List Needed
MFA Excluded User List Needed - if a user has to switch MFA devices, as of now the Admin would need to globally turn MFA off for everyone, also an admin might need to setup a box account and login as a user (say using lastpass) before the hire date, thus they need to be on an exclusion list until they start, additionally automated processes might need a login that would be excluded from MFA needs direclty within box, thus the requirement for an exclusion list for MFA that is freely adjustable.
5 votes- We will soon have the ability to download back up codes that can be used in case you don't have access to your MFA device.
- Certain Box plans have the ability to exempt specific users from MFA.
- We do have this exclusion list for external users.
Given these, we don't have plans to add an exclusion list for managed user MFA at this point.
-
Secure open link - Domain white list for open shared link
This request is an idea that will become possible after the following requests are realized.
Secure open link① - Require email address verification with one-time password
https://pulse.box.com/forums/909778-help-shape-the-future-of-box/suggestions/43755942-secure-open-link-require-email-address-verifica【Summary】
Please add "Allow only email addresses from specific domains to receive one-time passwords" to the Open Link settings.
This will make it possible to prevent secondary distribution and miscommunication, which is a huge issue for Open Link.【Issues to be solved】
Current Open Link is not secure enough as an alternative to attachments.
Compared to attachments, the ability to determine the information of the access source and the ability to block access…13 votes -
Restrict day of week and/or times when licensed users can authenticate into Box
Allow admins the option to restrict which days of the week and/or time of day is allowed for licensed users to authenticate into Box, individually and/or as part of a role/Box Group. This would be helpful for multiple use-cases. Restricting Box access at specific times can assist with ensuring compliance with wage and hour laws, limiting changes that can be made in Box to times when staff will be available to respond and/or address changes, and limiting access during periods where access is not expected or desired by the licensing organization helping to better secure Box content.
1 vote -
Add a new permissions category - Upload download and view only
Permission to upload download and view only
o Not edit or delete2 votes -
Modify session duration across all plans
A 14 day session duration is a highly unnecessary security risk for any organization working information with any level of sensitivity. Please open up the ability to reduce this to any paid plan, rather than only the Enterprise plan. It feels like a very minor thing compared to the more complex feature sets and automation that otherwise distinguish the plans. It was sub-optimal, but somewhat acceptable, to not be able to reduce this when the default was 48 hours, but it's really concerning to not be able to do so now that the default has been made so much longer.
1 vote -
3 votes
-
Auto-logout all sessions on password change
Automatically logout all sessions (desktop & mobile) if you change the password on your individual account.
3 votes -
4 votes
-
Please make the login form as one step
Now the login form have two steps - at first step I need to fill login, then press "Next" button (for what?), fill my password, press "Log in".
This type of login form brings problems with auto-filling credentials by most of browser plugins.
Please remove the surplus useless step with pressing "Next" in login form, to allow fill login and password in one page, using "Tab" button (or auto-fill plugin), like in most of other websites.
3 votes -
Box Relay: Remove Collaborators and Shared Links
We would like the ability to use Box Relay to automatically remove all Collaborators and Shared Links from a folder and all of the sub-items within that folder.
This functionality would be used to secure company files when an employee is off-boarded and ideally this process would be generated by placing a folder within another folder.1 vote -
Child Sexual Abuse Material
Apple's recent announcement of measures taken to improve child safety (https://www.apple.com/child-safety/) have raised an important concern about content stored in Box and what measures we can take as an enterprise to address it. While there does not appear to be anything that we can do at this point, perhaps adding a feature in Shield that provides MD5 pattern matching (similar to known malware scanning) that would allow administrators to be alerted when this kind of material shows up in their Box instance.
Background on the issue: https://www.missingkids.org/theissues/csam
2 votes -
End to end encryption for storage and shared links
End-to-end encryption (E2EE) is one of the most popular security trends lately, and if Box offered this functionality, it would be very popular, especially for audiences who have a strong affinity for privacy and cryptography.
2 votes -
Cryptographic Erasure
Following NIST 800-88, we need the ability to 'destroy' certain high sensitivity data. Cryptographic Erasure is one of the options, basically encrypting the data and then losing the key. Until then, certain research projects and grants that require data destruction or DoD level erasure (and we are seeing lots of boilerplate contracts with that requirement) will not be hosted in Box.
1 vote -
Extension of the "Auto-Delete" Period
The BOX "auto delete" function for folders must accept a period of 100 years. It is currently limited to 85 years and I need to keep some HR files for a period of 100 years by definition of control and security. I request the extension of the term from 85 years to 100 years.
3 votes -
2 factor authentication
Just been chatting with the support guys ... When turning on 2FA, the first log in prompts for the auth code. However, every login after that drops back to just asking for username/password. (unless you clear your browser down every time !)
for 2fa to be effective, the system should ask for the auth code at every login otherwise there is no point in enabling it.
7 votes -
Security Logs to add changes to Device Trust requirement settings
We would like to see in security logs to add changes to Device Trust requirements settings and possibly to get notifications for when certain enterprise settings are modified.
4 votes -
Set "SSO Required"/"SSO Enabled" for each user
The current "SSO Required" is for all managed users.
When creating "administrator user and general user" as a managed user, there are the following problems.
-It is necessary to create an administrator user ID on the IdP side.
-When accessing as an administrative user, it takes time and effort to log in from the IdP and access Box.
-A license fee will also be charged on the IdP side.If we can set "SSO required" and "SSO enabled" for each user, the problem will be solved.
14 votes -
Ability to whitelist files(sha1) from virus detection
Please consider to have an option to add whiltelist of files (sha1) so that it won't be show up as an unsafe file from virus scanning.
2 votes -
SSO exception
Ability to have exceptions for SSO for specific amdin accounts/test users. Use case: there's a series of admin accounts we use that own folders/content in Box but aren't actual users. Now when we want to turn on SSO - we now have to have OKTA accounts for those accounts and test users, when we'd prefer to just do Box 2FA for those vs. SSO enabled for all
30 votesUnfortunately this is not on the near-term roadmap, that being said this is a very interesting request which we may consider in the mid-long term.
-
Separate Device Trust settings for webapp on mobile browser vs desktop browser
We want to have a separate Device Trust setting for webapp on mobile browser and desktop browser. We would like to enable Device Trust for mobile browser only (that is, block webapp on mobile browser) while not requiring Device Trust check for login from desktop PCs. Currently, there is only a single setting for webapp and 3rd party apps. We would like this to be more granular and have a separate config for mobile browser and desktop browser.
3 votes
- Don't see your idea?