Title: 2FA – Session Level NOT Machine Level
After enabling 2FA:
Quit Safari (v14.0.3) (Cmd+Q)
Navigate to account.box.com/login
Login without 2FA (2FA enabled)
As a separate test, I also removed my Safari session from Box security, quit Safari (Cmd+Q), opened Safari and was able to login without a 2FA credential.
When a user removes an active session (or saved login location), any new login attempts should be seen as a new computer, and thus prompt for the credentials setup by the user logging in.
I was able to get Box to prompt for 2FA after manually removing all of the website data associated with Box.com – this type of security data should be managed centrally by Box, not maintained on your end-user’s machine as this effectively leaves your end-user computer without 2FA if they have logged in even 1 time before.
Further, after enabling 2FA for the first time, I think it would be reasonable to assume Box would prompt you for it at the next login – every other website does.
Admingamara (Admin, Box) commented
Posting this on behalf of a Customer