Allow Google Authenticator for 2FA instead of SMS.
We are happy to share that this feature is on our roadmap for second half of this year.
I honestly cannot believe this isn't a thing. Not only is SMS 2FA the single worst 2FA you could employ, it doesn't even work. I literally could not log in because the code sent to me isn't correct. No matter what, it never is. Congrats! I've had to disable it to be able to log in at all.
I don't care whether this is "on roadmap", it should be accelerated to _now_ because I can't even log in anymore with 2FA.
Onur Olmez commented
Box recently suffered from a severe outage related to 2FA (which currently employs SMS-based tokens): https://status.box.com/incidents/qdzfdkkqrs26.
For the reason, if cellular carriers make changes to their network or suffer an outage, this is completely out of Box's control and renders the 2FA service unusable, thus locking out customers who have it enabled on their accounts.
Enabling TOTP-based 2FA (like using an app such as Authy) as an alternate method would help solve this issue in the future.
See this thread for support as well: https://community.box.com/t5/Web-App-Forum/FEATURE-REQUEST-Integrate-Google-Authenticator-for-2FA/m-p/85627
First joined in 2013, 7 years later SMS stopped working and no real 2-factor authentication!
Almost 3 years after the original post was published, and 8 months after it was updated to "Under consideration". No updates from Box since. They don't care about their customers' security concerns, I'm moving to a different service.
Christof Weber commented
I love Box and it works great for our team. However, unless 2-factor authentication can be done through something like Google Authenticator or Yubikey, our auditor will require us to cease using Box. I have about two months left before I will be forced to cease using Box. Please please please make this happen ASAP!
Thomas U. commented
It's unacceptable to not offer an alternative for 2-Factor Authentication via SMS.
Why isn't it possible to use SMS, or, if this method doesn't work, to use an Authenticator App or a one-time recovery key, or some more phone numbers.
That's really poor and prevents me from going to a paid plan.
Having just signed up for a Box account because an organization I do business with uses it. I was shocked that non-SMS 2FA wasn't supported in this day and age. SMS isn't secure enough. I advised them they should search for another online storage provider, especially since they share financial records with clients through Box.
Wow! We are 1 year away from the 15th anniversary of Box.com's founding in 2005, and yet here we are - still with no TOPS two-factor authentication option such as Google Authentication, Symatec VIP Access, Authy, etc., etc., etc., etc.. Will Box ever take it's users request seriously and stop sending responses, like the one below, year after year after year? It is time Box finally entered the twenty first century when it comes to cyber security.
01-18-2019 05:32 AM
Re: FEATURE REQUEST: Integrate Google Authenticator for 2FA Authentication
Thanks for your post and feedback!
We appreciate you following up on this product feature request. Currently, this is not a feature that is available in Box, but this idea has been submitted to our team.
You can check it here. Up vote this idea and if you want to add more to the feedback from this chain, comment your use case and the reason how this will help you and your organization.
Thanks for your time in the Community and appreciate your help!
I would love for this to be available as well. I am living in Asia and using Box along with the SMS 2FA is time-consuming because I have to wait for at least 10 minutes or more sometimes for the 2FA SMS to arrive. Occasionally I work at locations where there are simply no strong signals available and thus I would be unable to log into my account.
Michael Natkin commented
I echo all of the other concerns. SMS 2FA is not secure. You really need to do better on this. MS Authenticator or Google Authenticator are a much better option (I'd prefer Yubikey, but these could pass for now).
Eugène Fournier commented
As mobile phone radiations are very toxic for health, I now only use my phone with a wired connection, so I don't receive SMS anymore. SMS belongs to another age. So to connect healthy to Box, I need to connect to my phone with TeamViewer and turn off the offline mode, very annoying ! So yes, please activate the Google Authenticator or Authy tokens as nearly all other web services currently do.
Thanks and kind regards,
Well, external 2FA has been released. Where is the reconsideration?
Emily RF commented
Why Box doesn’t have a 2FA “one time password” setup, or other authenticator affiliation? Why does 2FA have to be associated with a cell phone? What if someone’s phone is lost, or is in the other room or something like that? (I speak first hand on this experience and how frustrating and infuriating it was when my phone was stolen and I couldn’t access half my stuff because of 2FA affiliated with my mobile number. Also, it’s just not that secure anymore.) It would be really great to have the 2FA setup in my 1password account with the one-time password.
Is there a way to prioritize this, and inform your users with a planned rollout? We too have some issues with GDPR since we deal with some multinational clients and to have this added layer of security would bring peace of mind.
Hi Box team. My company is one of your Multinational customers. We need 2FA to adhere to our international Security Audit Policies. Microsoft and Google Authenticator are a requirement.
Alfredo Gomez commented
Google Authenticator or Microsoft Authenticator need to be added to available options for 2FA. SMS is outdated and not secure.
NIST actively recommends avoiding SMS as a second factor. SMS messages are carried over 1980's era SS7 networks that have no encryption or authentication. Your current 2FA offering is not only NOT best-in-class, it is not considered secure by experts.
From a security perspective, this is disgraceful. How can you pride yourselves on security but only provide SMS 2FA? This should have been implemented years ago.
Most systems now authenticate with google making life easy and secure - Keep Up Box!
I really hope this gets pushed through soon and that it won't come down to a company getting hacked.