Use Multi-Factor Authentication (MFA)

BoxOwl requires MFA for all accounts. During registration, a QR code is displayed. Scan it with any TOTP-compatible authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.).

After setup, you will need a 6-digit code from your authenticator app every time you log in on a new device. The code refreshes every 30 seconds.

Save your recovery codes. If you lose your phone or uninstall your authenticator app, recovery codes are the only way to regain access. Store them in a password manager or write them down and keep them in a safe place.

Enable Biometric Unlock

For faster daily access, enable biometric unlock after your first login:

  1. Go to Settings > Security > Biometric Unlock
  2. Toggle the switch and confirm with your device's biometric prompt
  3. On the next launch, unlock with fingerprint or face recognition instead of typing your password

Biometric unlock is local-only. Your fingerprint or face data never leaves your device and is never sent to BoxOwl's servers. If you uninstall the app, biometric access is revoked automatically.

Biometric unlock does not replace MFA. It only speeds up local app access. You will still need your password and MFA code when logging in on a new device or after a full logout.

Choose a Strong Password

🔒 End-to-end encrypted
Logins, payment methods, and secure notes are encrypted on your device. BoxOwl never has access to the plaintext.

Your BoxOwl password protects your account and helps derive the local encryption key. A strong password:

We recommend using a password manager to generate and store your BoxOwl password.

Account Recovery

If you forget your password, you can reset it via email:

  1. On the login screen, tap Forgot Password?
  2. Enter your registered email address
  3. Check your inbox for a reset link (expires in 1 hour)
  4. Choose a new password and log in again

You must still provide your MFA code after resetting your password. MFA is never disabled by a password reset. This is intentional — if your email is compromised, the attacker still cannot access your vault without your authenticator.

Review Your Public Profile

Fields marked Public appear on your profile page at boxowl.me/u/{handle}. Regularly audit what you share:

Remember: public profile fields are indexable by search engines. Treat them like a business card.

Export Your Data

BoxOwl supports full JSON export so you always have a portable copy of your vault:

  1. Go to Settings > Account > Export Data
  2. Confirm your password
  3. The export is generated and saved to your device's downloads

We recommend exporting your data after significant updates or before switching devices. The export includes all categories, visibility settings, and metadata.

Account Erasure

You can permanently delete your account and all associated data at any time:

  1. Go to Settings > Account > Delete Account
  2. Read the deletion warning carefully
  3. Enter your password to verify identity
  4. Confirm the final prompt

Deletion triggers a cascade removal of all vault data, activity history, connections, agent tokens, and public profile data. Your handle is released and may be claimed by another user. This action is irreversible.

Export your vault before deleting if you need a personal backup.

Agent Token Hygiene

If you create agent tokens for third-party integrations or automation:

Report Security Issues

If you discover a vulnerability or suspicious activity, email support@boxowl.me. We follow coordinated disclosure and aim to respond within 48 hours.
