Box extends enterprise security with two-factor authentication for external users

Today, we are excited to announce that Box is extending two-factor authentication (2FA) to external users, significantly improving the ability of organizations to protect their sensitive content from external threats, while continuing to engage and collaborate with an external workforce. On the one hand, enterprises need to control external access to counter the rising threat of people-centered cyberattacks. In 2018, credential compromise through phishing increased by 70% YoY [1]. On the other hand, enterprises need to be able to leverage the external workforce. In a recent survey, nearly two-thirds of executives stated that the external workforce is critical to company performance [2]. Our customers increasingly consider the external workforce to be an extension of their enterprise and are looking to enforce the same strong authentication controls to ensure external user accounts are not compromised.

“With operations in 198 countries, data security is of the highest importance to Cummins. Using Box’s two-factor authentication for internal and external collaboration has allowed us to deliver reliable and secured content to meet our global customer needs.” - Chris Huffmeyer, Asst. Chief Engineer, Cummins Emission Solutions

2FA for external users is the latest addition to Box's built-in core security features that deliver a frictionless end-user experience for both admins and collaborators. Admin setup is simple yet powerful, with flexible enrollment and enforcement options. Admins can choose to require 2FA across the entire extended enterprise or can include/exclude specific users and domains. Further, they can choose immediate enforcement of the 2FA requirement or allow for a gradual transition.

The external collaborator experience is seamless, with guided setup embedded into the collaboration flow for existing users and into the signup flow for new users. For instance, an enterprise may choose to enforce 2FA for all their independent contractors with personal email domains (gmail, hotmail, etc.) and set a 30-day transition period to avoid work disruption. Automated reminders from Box leading up to the deadline give contractors sufficient notice to sign up for access.


Two-factor authentication is among the top 3 best practices recommended by security professionals [3]. It's also a key component of a new 'zero trust' information security model that is emerging as the line between employees and the external workforce blurs.

"In this new zero trust model, nothing is assumed to be trusted and access to resources is based more on who the user is than where the user is. A user (employee, contractor, partner etc.) could be accessing a corporate application hosted in the cloud with an unmanaged device from a Starbucks – at no point will either the user or the device traverse the corporate internal network or network security controls." - Garrett Bekker, Principal Security Analyst, 451 Research [4]

Enterprises can address such scenarios by enforcing strong two-factor authentication consistently across their internal and external users. Learn how to enable Box's 2FA for external collaborators for your organization by referring to the admin guide here.