MFA option to be TOTP or SMS or Email
When the MFA option is released, currently the options are:
1. TOTP
2. TOTP or SMS or Email.
Can you make it a checklist so we can enable the ones we want?
For example, I only want TOTP and SMS.
-
Anonymous commented
I see there are two options for 2FA Verification for External Collaborators. One is Authentication app, another one is Authentication app, Text Message (SMS) or Email. Our organization no longer considers Email MFA as a secure option. Once a malicious user gains access to an email account, they can perform a forgotten password action to gain a new password and then receive the two-factor code in the same email account. Also, emails could be transmitted as unencrypted text depending on the setup.
Can Box please remove email MFA option for us? Also it will be great if FIDO option can be enabled for external users.
Thanks,
-
Anonymous commented
We also need an Email-only option for the same security reasons.
TOTP and SMS can be set to personal devices.
-
Anonymous (Admin, Box) commented
Having the option to choose any of these three is VERY important. Here is an example of why forcing MFA EMAIL is important:
Here is the process:
1. Delta employs Tim
2. Tim shares a folder with Jane at Boeing
3. For security, the Delta admin required 2-step verification (Authenticator App, SMS or Email)
Jane chooses SMS b/c it’s faster and EMAIL was not forced.
4. Jane has access to the folder
5. Boeing terminates Jane
6. Tim has no idea Jane was terminated
7. Jane STILL has access to the Delta folder by logging into Box using her Boeing.com email even though she has been terminated from Boeing. Jane receives an SMS to authenticate since EMAIL was not forced. Jane is in Delta’s folder even though she does not work for Boeing any longer.
-
Anonymous commented
Yes! In our case, we need to enforce that external users can only use email for their 2FA.