Proper 2-factor authentication with TOTP not SMS
Using SMS for 2-factor authentication is oudated and insecure. Using TOTP is an industry standard and should be implemented.
This definitely needs to be prioritized higher where an admin can enforce TOTP from Enterprise Settings. Allowing only 2FA SMS is outdated and insecure. Now I have to chase our two dozen employees to make sure they enable TOTP from their user accounts. Thank goodness the company is still small otherwise I would consider an alternative product. Please expedite this feature.
2-factor authentication: please set up an alternative to Text Message setup. This is a business. We do not have Text Messages nor Cellphones. Therefore, we were unable to set up two-factor authentication. We are unable to view Business documents from our client. We attempted entering our Business Phone Number and never received an alternative phone call.
Then in your Box Tech Support, the rep stated "Unfortunately, we don't currently offer the feature you asked about. Our Product team is constantly looking for ways to improve Box based on user feedback. I can forward your suggestion on to them for consideration."
Jane Lee commented
Allow Authenticator App for 2FA instead of SMS such as Google Authenticator, Microsoft Authenticator, Duo, or any other authenticator application that is more secure than SMS text codes.
The recent enforcement of 2FA for Box Zones carries some potential security issues because Box uses SMS-based 2FA and does not allow the use of an SSL-encrypted token application (e.g. Google Authenticator, Duo Mobile, Microsoft Authenticator). SMS-based MFA is known to be insecure because SMS messages are unencrypted and can be intercepted by attackers. Microsoft made an announcement last week urging companies to completely abandon SMS-based MFA tokens. However, the cybersecurity industry has known of the weakness of SMS MFA for some time. Is there any push from Teradyne on Box to enable the use of token applications for MFA rather than relying on insecure SMS messages? This is especially of importance because Box is used to store sensitive ITAR/CUI customer data.
E. Brooke Whitaker commented
TFA must be done via an app. Using SMS is antiquated and high risk. It's amazing that Box even continues to use SMS TFA.