2 factor authentication
Just been chatting with the support guys ... When turning on 2FA, the first login prompts for the auth code. However, every login after that drops back to just asking for username/password (unless you clear your browser down every time!).
For 2FA to be effective, the system should ask for the auth code at every login; otherwise there is no point in enabling it.
Brian K commented
I would also like MFA to be required at every login.
As of right now, if I have an external user trying to log into their free Box account, if they want to use the SMS option they cannot if they have already chosen the authenticator app option. When logging in, a user should be able to choose one or the other; as of now, every time this happens we have to open a ticket and it turns into a huge hassle.
The whole purpose of MFA is to add more security to whatever the MFA is connected to. Currently Box does not require users to be prompted again for MFA once they have signed in successfully to that browser. This browser is now trusted until the cache is cleared. I believe there should be multiple options for MFA in which it can be kept like it is now or at least give admins the option to set it to every time, or after a certain amount of hours/days pass. Leaving it as it is now leaves the user's Box data vulnerable if a malicious actor gets onto the user's trusted machine and knows their Box password. I know that would be a lot to have just those two, but then the thing that should keep the malicious actor out is the MFA. This is even more important when it comes to clients with HIPAA compliance. Please make this happen.
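The admin-configurable re-prompt policy requested in this thread (prompt at every login, or again after a set number of hours or days), sketched as an added example. It is not part of the original posts and not Box's implementation: the token format, the policy names, the secret and the function names are all hypothetical.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real service would load this from a secret store.
SECRET = b"constructed-demo-key"


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_trust_token(user, now=None):
    """Issued only after a successful second-factor check; stored in the browser."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_mac(payload)}"


def mfa_required(user, token, policy, max_age_s=0, now=None):
    """Return True when this login must prompt for the second factor.

    policy is the admin setting: 'every_login' or 'max_age'.
    Anything unexpected fails closed (prompt again).
    """
    if policy != "max_age" or not token:
        return True  # 'every_login', unknown policy, or no trusted-browser token
    parts = token.split("|")
    if len(parts) != 3:
        return True
    tok_user, issued, mac = parts
    expected = _mac(f"{tok_user}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return True  # forged or modified token
    if tok_user != user or not issued.isdigit():
        return True  # token was issued to a different account
    now = time.time() if now is None else now
    age = now - int(issued)
    # The server-side timestamp, not the browser cache lifetime, ends the trust.
    return age < 0 or age > max_age_s
```

Because the issue time is covered by the MAC and checked on the server, the trust window expires on the admin's schedule even if the browser never clears its cache.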