Add hardware token security for 2FA
Yubikeys and similar devices allow for hardware token security and are highly recommended. We want to implement it across devices (iPad, iPhone, Android, macOS, Windows) and this must include Box.
SMS 2 factor is considered very hackable and has been hacked many times.
How can we use Yubikeys with Box.com? What are your plans on this?
Support for FIDO2/WebAuthn security key for authentication into Box is currently in development
-
Anonymous
commented
Agreed! Currently FIDO2 (aka Passkeys) works from Desktop Operating systems; however, the Mobile app doesn't support it. In our efforts to be 100% phishing resistant, we really want Box to prioritize changes to the Mobile App to support FIDO2.
-
Kaitlin K
(Admin, Box)
commented
Box only supports MFA and TOTP options for 2FA external users. There is a need for FIDO2 (phishing-resistant) requirements as an option for external sharing.
This process is not only secure but also user-friendly. There's no need for users to remember extra passwords or carry around additional hardware tokens. There is no need to install additional software; all the major browsers support this out of the box. The device and browser do all the heavy lifting.
Per the updated guidelines from the National Institute of Standards and Technology (NIST), the requirement is that internal users must use phishing-resistant MFA, while external users should be given the option to use such a method. While TOTP and SMS codes provide an extra layer of security, they can be susceptible to phishing attacks and thus are not considered phishing-resistant and as such do not meet the requirement.
-
Todd Calamita
commented
I'm wondering if Box would consider adding the YubiKey as an option for MFA - https://www.yubico.com/why-yubico/
-
Anonymous
commented
Any news on this? This is extremely important, especially with fraud/cybercrime going rampant.
-
Anonymous
commented
With the broader support of passkeys, I would like to suggest a phishing-resistant WebAuthn-based authentication option for Box.
This would open up future possibilities for convenient and secure FaceID/TouchID/Yubikey/etc. authentication.
Insurance companies are requesting it and I am sure all Box customers would benefit.
-
Anonymous
(Admin, Box)
commented
Yubikey integration with Box MFA without SSO
-
Anonymous
commented
I'm doing a trial of Box right now. Not being able to use Yubikeys with accounts unfortunately means our company will not be able to use this platform. Bummer because I've been able to sell the benefits of Box to my colleagues.
-
Colo Host
commented
Why does this retain a not planned status? TOTP is not a secure option; a TOTP key can be stolen without the user's knowledge, allowing someone else to be generating the exact same codes as them. Hardware tokens mean the user either possesses it or they don't, so they know when they've been compromised.
-
Anonymous
commented
This is still relevant and I would hope to see an update soon.
Hardware-based tokens are such good value for companies when securing endpoints.
-
Anonymous
commented
Hardware (& Software) Security Key Support
e.g. YubiKey, etc.
-
Anonymous
commented
With all the recent SIM swapping, SMS & TOTP authentication apps on the phone are unsecure. Without the ability to use a hardware key, I'm going to have to find a more secure platform for my data.
The future is now, why wait to make it more secure?
-
Anonymous
commented
So far there is no option of hardware security, like Yubico/Yubikey or similar security keys that require physical identification (I have just checked with your service). SMS code/confirmation is a poor alternative. Please consider the option to use USB computer security keys (Dropbox has it, so stay in line with competition, as you are much better!) https://www.yubico.com/works-with-yubikey/join/
-
Anonymous
commented
I love Box and it works very well for my team. Unfortunately, unless we can get 2-factor authentication via something like Google Authenticator or Yubikey, our auditor will require us to stop using Box. I have about 2 months before I will be forced to end our use of Box. Please give us this option NOW!
-
Colo Host
commented
For the topic creator, if you have an enterprise account, you can tie it into someone else's multi-factor authentication system, such as Duo, Okta, etc., where you can enforce the 2FA on their side, with proper hardware tokens. I'd prefer to see it native too, but just throwing it out there as an option in case you do have an enterprise Box account.
-
Michael Natkin
commented
Given that Box charges a premium for an "ITAR-compliant" storage solution, one would think that something as basic as strong 2FA (which SMS is NOT) would be a no-brainer. I was actually shocked after finding out that it is not available - even for your corporate customers.
-
Anonymous
commented
SMS = Joke