I would like specific instructions on the best process to share a file containing sensitive information with an outside partner. Is it best (most secure) to invite them as a collaborator? Can I require an external collaborator to use MFA to access our Box content? Is it better to use a shared link, which is open to everyone, but can be password protected and have an expiration date? There is a lot of Box propaganda (blog posts) about encryption and it being a secure way to share files, but no specific, step-by-step instructions to share sensitive files using best practices.
Solved
What is the most secure way to share a sensitive file with external collaborators?
Best answer by jamesduncan-box
Hi
Thanks for your question, this is certainly a very relevant and important topic. Please see my feedback and suggested steps below:
- Best practice for sharing sensitive files with an outside partner: invite the partner as an external collaborator on a folder (or file-level collaborator) rather than sending an open shared link. Collaboration gives you stronger, auditable, and persistent access control.
- Yes — you can require external collaborators to use two‑factor / 2‑step verification. Admins enable and enforce 2FA for external collaborators from Admin Console > Enterprise Settings > Security. External collaborators not enrolled will be blocked until they enroll.
- Shared links are convenient but inherently less secure when set to “People with the link”. You can add mitigations (password, expiration, restrict downloads, limit scope to “People in your company” or “Invited people only”), but an invited collaborator is safer for sensitive content.
Recommended workflow (step‑by‑step)
1. Decide where to host the sensitive file
   - Create or pick a folder designated for external collaboration (separate root or a subfolder labelled clearly for external parties). Keep sensitive content higher or in protected folders as appropriate.
2. Use folder-level collaboration where practical
   - Invite the external partner as a collaborator on the folder (or on the specific file if you want to limit scope). Invite by their Box-registered email. This makes the folder appear in their All Files and provides clearer, persistent access controls and auditability.
3. Require 2FA and strong passwords for external collaborators (admin step)
   - From the Admin Console > Enterprise Settings > Security, enable “Require 2‑step verification for external collaborators.” Select the authentication method (Authenticator app (TOTP) is recommended). Optionally enforce immediately or schedule with notification. Also enable “Require strong passwords (for external collaborators)” if you want them to meet password criteria. External collaborators must enroll in 2FA before they can access your enterprise’s shared content.
4. Invite the user and confirm enrollment
   - Invite the partner as a collaborator (Share > Add names or email addresses > Choose role). If your enterprise requires 2FA for external collaborators, the invitee will see content as blocked until they enroll; they can enroll via the pending invitations panel or Account Settings. Verify they completed enrollment before placing highly sensitive content.
5. Assign the least privilege role needed
   - Choose the minimal collaborator role that enables required work (e.g., Viewer, Viewer Uploader, Editor, Co‑Owner). Use the waterfall permission model: a role assigned at a parent folder applies to subfolders; you can give higher access at a subfolder if needed by inviting separately.
6. Apply Shield / access policies (if available)
   - If you have Box Shield, apply the appropriate Shield Access Policy for Confidential content: restrict shared link scope to “Invited people only,” restrict downloads/printing for external users, enable watermarking, block integrations/downloads, etc.
7. If you must use a shared link, lock it down
   - Prefer “Invited people only” scope. If you must use a link outside Box accounts:
     - Do not use People with the link for sensitive info unless unavoidable.
     - If using People with the link, enable Require Password and set a strong password, set an Expire Link date, turn off downloads if you want view‑only, and avoid custom public URLs. Administrators should set shared link defaults to “People in your company” to reduce accidental public links.
8. Use additional protections and monitor
   - Enable exposed‑password detection and compromised credential blocks for external users if available. Use Shield, watermarking, and download restrictions. Run shared link reports regularly and review collaborations before large policy changes.
I hope that this is helpful.
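As an added illustration (not part of the answer above or of Box's own tooling), the following Python audits entries from a shared link report against the "lock it down" rules the answer gives for shared links: an "Invited people only" link is fine, while a "People with the link" link must have a password, a future expiration date, downloads turned off and no custom public URL. The sample entries are constructed, and the field names are assumed to follow the shape of the Box API `shared_link` object (`access`, `unshared_at`, `is_password_enabled`, `permissions.can_download`, `vanity_name`).

```python
from datetime import datetime, timezone

# Constructed sample report entries shaped like the Box API `shared_link`
# object (assumed field names). Not real report data.
SAMPLE_REPORT = [
    {"item": "contract.pdf", "shared_link": {
        "access": "collaborators", "unshared_at": None,
        "is_password_enabled": False,
        "permissions": {"can_download": True}, "vanity_name": None}},
    {"item": "payroll.xlsx", "shared_link": {
        "access": "open", "unshared_at": None,
        "is_password_enabled": False,
        "permissions": {"can_download": True}, "vanity_name": "payroll"}},
    {"item": "brief.docx", "shared_link": {
        "access": "open", "unshared_at": "2030-01-31T00:00:00Z",
        "is_password_enabled": True,
        "permissions": {"can_download": False}, "vanity_name": None}},
]


def audit_shared_link(link, now=None):
    """Return the policy findings for one shared link (empty list = compliant).

    'collaborators' = Invited people only, 'company' = People in your company,
    'open' = People with the link. Only open links are checked further.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if link.get("access") in ("collaborators", "company"):
        return findings  # stays inside Box accounts; nothing to flag
    if not link.get("is_password_enabled"):
        findings.append("open link without password")
    expires = link.get("unshared_at")
    if not expires:
        findings.append("open link never expires")
    elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        findings.append("open link expiration date already passed")
    if link.get("permissions", {}).get("can_download", True):
        findings.append("open link allows download")
    if link.get("vanity_name"):
        findings.append("open link uses custom public URL")
    return findings


def audit_report(entries, now=None):
    """Map item name -> findings, listing only items that have findings."""
    result = {}
    for entry in entries:
        findings = audit_shared_link(entry["shared_link"], now)
        if findings:
            result[entry["item"]] = findings
    return result
```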
