Skip to content

What problem could Box solve for you?

← Help shape the future of Box

Proper 2-factor authentication with TOTP not SMS

Using SMS for 2-factor authentication is oudated and insecure. Using TOTP is an industry standard and should be implemented.

20 votes
Anonymous shared this idea  ·   ·  Report…  ·  Admin →
Comments are closed An error occurred while saving the comment
  • Anonymous commented  ·   ·  Report

    This definitely needs to be prioritized higher where an admin can enforce TOTP from Enterprise Settings. Allowing only 2FA SMS is outdated and insecure. Now I have to chase our two dozen employees to make sure they enable TOTP from their user accounts. Thank goodness the company is still small otherwise I would consider an alternative product. Please expedite this feature.

  • Anonymous commented  ·   ·  Report

    2-factor authentication: please set up an alternative to Text Message setup. This is a business. We do not have Text Messages nor Cellphones. Therefore, we were unable to set up two-factor authentication. We are unable to view Business documents from our client. We attempted entering our Business Phone Number and never received an alternative phone call.
    Then in your Box Tech Support, the rep stated "Unfortunately, we don't currently offer the feature you asked about. Our Product team is constantly looking for ways to improve Box based on user feedback. I can forward your suggestion on to them for consideration."

  • Jane Lee commented  ·   ·  Report

    Allow Authenticator App for 2FA instead of SMS such as Google Authenticator, Microsoft Authenticator, Duo, or any other authenticator application that is more secure than SMS text codes.

  • Anonymous commented  ·   ·  Report

    The recent enforcement of 2FA for Box Zones carries some potential security issues because Box uses SMS-based 2FA and does not allow the use of an SSL-encrypted token application (e.g. Google Authenticator, Duo Mobile, Microsoft Authenticator). SMS-based MFA is known to be insecure because SMS messages are unencrypted and can be intercepted by attackers. Microsoft made an announcement last week urging companies to completely abandon SMS-based MFA tokens. However, the cybersecurity industry has known of the weakness of SMS MFA for some time. Is there any push from Teradyne on Box to enable the use of token applications for MFA rather than relying on insecure SMS messages? This is especially of importance because Box is used to store sensitive ITAR/CUI customer data.

  • Anonymous commented  ·   ·  Report

    TFA must be done via an app. Using SMS is antiquated and high risk. It's amazing that Box even continues to use SMS TFA.

Help shape the future of Box: Security

Categories

Feedback and Knowledge Base

(thinking…)

By entering and viewing this page, you agree to be bound by (1) UserVoice Terms of Service and the (2) Box Community Terms of Use. In the event of a direct conflict between the foregoing terms of service with respect to the Box Community Guidelines, Feedback and Suggestions, the Box Community Terms of Use shall take precedence as between you and Box.