Add hardware token security for 2FA
Yubikeys and similar devices allow for hardware token security and are highly recommended. We want to implement it across devices (iPad, iPhone, Android, macOS, Windows) and this must include Box.
SMS 2 factor is considered very hackable and has been hacked many times.
How can we use Yubikeys with Box.com? What are your plans on this?
We now have the ability to use TOTP for 2FA. In addition, admins can enforce TOTP for managed/external users.
We do want to support FIDO standards for 2FA in the future and will update this idea with more details once we have a concrete plan.
I'm doing a trial of Box right now. Not being able to use Yubikeys with accounts unfortunately means our company will not be able to use this platform. Bummer because I've been able to sell the benefits of Box to my colleagues.
Colo Host commented
Why does this retain a not planned status? TOTP is not a secure option; a TOTP key can be stolen without the user's knowledge, allowing someone else to be generating the exact same codes as them. Hardware tokens mean the user either possesses it or they don't, so they know when they've been compromised.
This is still relevant and I would hope to see an update soon.
Hardware based tokens are such good value for companies when securing endpoints.
With all the recent SIM swapping, SMS & TOTP authentication apps on the phone are unsecure. Without the ability to use a hardware key, I'm going to have to find a more secure platform for my data.
The future is now, why wait to make it more secure?
I love Box and it works very well for my team. Unfortunately, unless we can get 2-factor authentication via something like Google Authenticator or Yubikey, our auditor will require us to stop using Box. I have about 2 months before I will be forced to end our use of Box. Please give us this option NOW!
Colo Host commented
For the topic creator, if you have an enterprise account, you can tie it into someone else's multi-factor authentication system, such as Duo, Okta, etc., where you can enforce the 2FA on their side, with proper hardware tokens. I'd prefer to see it native too, but just throwing it out there as an option in case you do have an enterprise Box account.
Michael Natkin commented
Given that Box charges a premium for an "ITAR-compliant" storage solution, one would think that something as basic as strong 2FA (which SMS is NOT) would be a no-brainer. I was actually shocked after finding out that it is not available - even for your corporate customers.
SMS = Joke