External collaborator bypassing 2FA

Question

I have an external user (with Viewer Uploader permission) that says that she is able to log in using a favorites link and never is prompted for 2FA. She was invited to our space in Oct '21 so she had an established account prior to our enforcement of 2FA.
We made the settings below in our admin console in Nov '21:
Enabled for all external collaborators and the configuration tab has
Authentication Method
Text message (SMS) or Authenticator app (TOTP)
Requirement Level
Enable for all external collaborators

I've run a report to verify that we have no shared links with edit permissions.

How is she able to bypass the 2FA requirement?

community-manager · Answer

Hi Bryan,Welcome to the Box Community, I'm happy to help!It's likely the external user already have 2FA enabled or could be using SSO before you even implemented it as a requirement to external users you are sharing contents with. Take a look at this article and the table below for the expected behaviour when enforcing 2FA for external collaborators: https://support.box.com/hc/en-us/articles/360044195853-Configuring-Two-Step-Login-VerificationWhen you enforce 2FA, external collaborators can have different experiences, as summarized in this table.ExternalcollaboratorExperienceTo gain access to shared contentIs enrolled in 2FA with BoxCan access shared content if enrolled with required authentication methodN/AUses SSO to log into BoxCan access shared contentN/AIs not enrolled in 2FA with Box and does not use SSOPreviously collaborated on shared foldersCannot access your enterprise's shared contentCan access all folders from outside of your enterpriseIn the Box account window, set up 2FA from the pending invitations panel underACTION REQUIREDin theAll Filespage, or from theAccount Settingspage.Is not enrolled in 2FA with Box and does not use SSOIs invited to a new collaborationCannot access your enterprise's newly shared contentCan access all folders from outside of your enterpriseIn the Box account window, set up 2FA from the pending invitations panel underACTION REQUIREDin theAll Filespage, or from theAccount Settingspage.Does not have a Box accountIs invited to a new collaborationReceives an invitation email to accept the collaboration invite by signing up for a new Box accountRegister for a new Box accountIn the Box account window, set up 2FA from the pending invitations panel underACTION REQUIREDin theAll Filespage, or from theAccount Settingspage.Let me know if you have questions, and I would be more than happy to help!Regards,

External collaborator	Experience	To gain access to shared content
Is enrolled in 2FA with Box	Can access shared content if enrolled with required authentication method	N/A
Uses SSO to log into Box	Can access shared content	N/A
Is not enrolled in 2FA with Box and does not use SSO Previously collaborated on shared folders	Cannot access your enterprise's shared content Can access all folders from outside of your enterprise	In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.
Is not enrolled in 2FA with Box and does not use SSO Is invited to a new collaboration	Cannot access your enterprise's newly shared content Can access all folders from outside of your enterprise	In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.
Does not have a Box account Is invited to a new collaboration	Receives an invitation email to accept the collaboration invite by signing up for a new Box account	Register for a new Box account In the Box account window, set up 2FA from the pending invitations panel under ACTION REQUIRED in the All Files page, or from the Account Settings page.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded