External 2FA - use email instead of SMS
2FA for external users - have the option to have the second factor email instead of text. Or give the option for either text or email.
This feature is available. Let us know if you need more details on enablement.
My customer would like to lower the risk by enforcing free external users with their company's email (see scenario below) to 2FA by email. The reason behind this is that if email@example.com leaves the company, he/she can still access the collaborated folder(s) even though the email is deactivated by the company.
This is a great idea. Just because SSO integration is a better alternative, doesn't mean that companies can afford (or know how) to implement this. This is a very basic feature that should have been available literally a decade ago.
We also have external clients overseas that are unable to log in currently because of not having a phone.
This should be a high-priority implementation.
AdminS.K. (Admin, Box) commented
My customer would like to lower a risk by enforcing free external users with their company's email (see scenario below) to 2FA by email. The reason behind this is that if firstname.lastname@example.org leaves the company, he/she can still access the collaborated folder(s) even though the email is deactivated by the company.
Enforcement of which configured second factor is also desirable (i.e., for enforcement of 2FA on collaborations, the ability to specify which second factor is configured).
This also is critical for our continued use of the service.
This matter is of great urgency to me. I love Box and it works well for my team. But our auditor will require us to stop using Box if we can't do 2-factor authentication through something like Google Authenticator or Yubikey. If this can't happen within two months, I will be forced to end our use of Box.
Duo Mobile is used for corporate accounts, can you please add the option to non-federated personal accounts?
Wes Croker commented
Adding my .02... Please add additional 2FA options. And don't just stop at email, because that's really not a great 2FA solution either. Give us the ability to use an OTP generator, like Google Auth, Authy, etc.
And to echo what someone said below, allowing the enforcement of outside collaborators to require 2FA to view the content would be super handy.
Literally every other service offers 2FA over an OTP Generator. Dear Lord. Get with the times.
Admin Admin commented
Hi - I'd like to cast my vote for having something other than SMS as an option for two-factor authentication. Using an authenticator app like Google Auth, Authy, or 1Password is impossible in the current setup. Furthermore, SIM hijacking is a common problem and a potential security vulnerability. I am very surprised a $2.4B dollar, public, enterprise-grade company does not have this already.
Bryce Williams commented
I "eleventh" this request. We've recently taken a "pulse" of our user community, and there are quite a few issues with limiting our audience to a mobile-number-dependent option. Among them are privacy concerns when it's a personal device, and even laws related to use of a personal device for work purposes. So at least having an email option to support would help provide some additional flexibility. Thx.
Need 2FA for managed users and external collaborators that has the following ways to verify access:
1) Common Access Card (CAC)
Sierra Noe commented
As a non-SSO Box user, we have enabled 2 Factor Verification for all of our Box users for additional security.
However, we have users overseas that do not have cell phones to receive their verification code sent by text. Are there plans to allow users to receive their verification code via email?