Two Factor Authentication

jschwartz@burstingsilver.com

I am testing out BoxCryptor right now, and it is very close to what I need, but there is one key piece missing for me: I need to have two-factor authentication when opening encrypted documents.

Here is my scenario:

My company has documents stored on Google Drive containing user ids and passwords and server information for our clients. These documents are shared with several employees.The information in these documents is sensitive, so BoxCryptor can encrypt the files to add additional protection from being compromised. However, if one of our employees had their laptop compromised, a thief could easily get into these encrypted documents if the employee selected "Remember Me" after logging into BoxCryptor.

In order to make it more secure, I would like to have two-factor authentication on these documents so that the user would be prompted to type in a secondary password when the confidential document opens. This ensures that if their device was compromised, this information couldn't be compromised unless the thief knew the secondary password on the document.

Is this something that might be coming down the pipe for BoxCryptor? It seems like it shouldn't be too hard to implement.

Thanks!
James

bubble70

Hi James,

I second that. I really hope that 2FA can be implemented soon.

It seems an oversight that this feature is still missing from boxcryptor, as it would greatly enhance security.

Let us hope that Two Factor Authentication is on the roadmap!

Cheers
Bubble70

Richard Hess

Greetings,

this feature is already on our roadmap.
Unfortunately I can't name any date on this.

Thanks for your patience.

Best regards,
Richard

greenlimepro

I too would like to see 2FA! Please! :)

Wee

Looking for 2FA too :)

krischik

Still no two factor authentication? :-( — Are you still working on the product or are you just milking a cash cow? I guess the later.

Hypnotoad

any news about two factor authentification for Boxcryptor?

markusw56

Is there any progress on the 2FA functionality? Promised since 2 years and still seems not to be active

Robert

Hi,

I'm sorry that we have not yet been able to add 2FA for single users (it is already available for our company customers). We have been busy adding other features, supporting new providers and making sure that Boxcryptor plays well with the latest operating system - you can read about it e.g. in our blog: https://www.boxcryptor.com/en/blog/.

Nevertheless, we also laid the groundwork under the hood for implementing 2FA for single users and we will deliver on that within this year.

Best regards,
Robert

PS: Please keep in mind that even with 2FA a strong password is still recommended to protect against any offline attack (e.g. if an attacker would get access to our database).

RAlfieri

That's great news that it is coming this year. It would be good if it worked like Evernote, LastPass and others and once authenticated on mobile using 2FA or desktop, 2FA is not performed again until "n" days have passed. Thanks!

-JSS-

"My company has documents stored on Google Drive containing user ids and passwords and server information for our clients." /James

Wrong scenario and a very dangerous practice.

"PS: Please keep in mind that even with 2FA a strong password is still recommended to protect against any offline attack (e.g. if an attacker would get access to our database)." /Robert, Keymaster

How come? If 2FA is implemented eg. using U2F your database should not contain any information about public-key cryptography to provide strong authentication with U2F keys?

SteBae

Is 2FA for single users still on track for this year (2017)?

Robert

Hi SteBae,

Yes, we're indeed still on track to release 2FA using TOTP until the end of this year. We finally managed to start working on it this month and we've been able to complete most of it already. Maybe we will even ship it also with U2F support (but there is still some work to do which could also be completed this year - otherwise U2F will be available at the beginning of next year).

Here's small peak preview:
https://www.dropbox.com/s/zsp5qea9esjs4xw/2FA-Preview.png?dl=0

Regarding the other question:
Even with 2FA enabled, a strong password is still recommended, because 2FA only protects the authentication process. In Boxcryptor, the password is also used for encrypting your private key. In case of a weak password, 2FA will give you additional protection against unauthorized access to your account. However, somebody with access to your account (e.g. we or if an attacker would be able to get access to our systems) could brute-force your password and decrypt your encrypted private key.

Best regards,
Robert

Robert

Hi everybody,

Since today, 2FA is finally available for all users. You can read more about it in our blog:
https://www.boxcryptor.com/en/blog/post/new-feature-2-factor-authentication-for-all-boxcryptor-users/

Best regards,
Robert

SteBae

Thanks for the heads-up! It is working well.

Take care,
Stefan

uvyas727

I recommend you the best security product that is LTS Secure. It accomplishes all the security requirement of the organization by providing various and appropriate security solutions. For more details or benefits https://goo.gl/7J79so

smithlopan

Very well written post. It will be valuable to anybody who utilizes it, as well as me. Keep up the good work – i will definitely read more posts.
Game Lover - https://games.lol/card/