Multi-Factor Authentication
Every BoxOwl account is protected by TOTP MFA. This page walks through enrolment, day-to-day use, and recovery.
Why MFA Is Required
BoxOwl holds your personal data and end-to-end-encrypted payment + secure-note vaults. A leaked password alone should never be enough to take over the account. Every BoxOwl login requires both your password and a fresh 6-digit code from a TOTP authenticator app.
MFA cannot be disabled. Every account stays protected by a TOTP second factor.
Enrolling at Registration
- Finish creating your account.
- BoxOwl displays a QR code containing your TOTP secret. Scan it with any TOTP-compatible app — Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator, Aegis, Raivo, etc.
- Enter the 6-digit code your app generates to confirm the link. The code rotates every 30 seconds.
- BoxOwl then shows your recovery codes. Save them somewhere safe (more on this below).
Anything that implements RFC 6238 TOTP will work. If you already have an authenticator app you trust, keep using it.
Recovery Codes
Recovery codes are single-use, alphanumeric strings that work in place of a TOTP code. They are the only built-in way to regain access if you lose your authenticator app. BoxOwl shows them once at enrolment — we do not store them in a form we can hand back to you.
Save them in at least two places:
- Your password manager, in the same entry as your BoxOwl password.
- An offline copy — printed and kept with other important documents.
Each code works once; after you use it, it is permanently spent. If you run low, regenerate from Settings > Security > Two-Factor Authentication > Regenerate recovery codes. Regenerating invalidates all previous codes immediately.
Logging In With MFA
After entering your email and password, BoxOwl prompts for a 6-digit code. Open your authenticator app, find the BoxOwl entry, and type the current code.
If your authenticator app is unavailable, tap Lost your authenticator? Use a recovery code. The input switches to alphanumeric and accepts one of your saved recovery codes instead.
If you mistype a code, BoxOwl returns a generic error rather than telling you which part of the input was wrong. This is intentional: it prevents online enumeration of valid codes.
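As an added example (not BoxOwl's code), the Python below shows the RFC 6238 computation that any compliant authenticator performs from the secret in the enrolment QR code, a server-side check that allows one 30-second step of clock drift, and a recovery-code store that keeps only salted hashes and spends each code on first use. The recovery-code format, the drift window and the function names are assumptions, not BoxOwl's actual implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30   # seconds per TOTP step: BoxOwl codes rotate every 30 s
DIGITS = 6  # BoxOwl prompts for a 6-digit code

def totp(secret_b32, at=None):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s, 6 digits) for the base32 secret carried in the QR code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32, submitted, at=None):
    """Accept the current step and one step either side (clock drift); compare in constant time."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(secret_b32, now + d * STEP), submitted)
               for d in (-1, 0, 1))

class RecoveryCodes:
    """Server side: only salted hashes are kept, so codes cannot be handed back; each is spent on use."""
    def __init__(self):
        self._salt = b""
        self._unused = set()

    def _digest(self, code):
        return hashlib.sha256(self._salt + code.strip().lower().encode()).digest()

    def issue(self, count=8):
        """Generate a fresh set (invalidating any previous one); return plaintext codes to show once."""
        self._salt = secrets.token_bytes(16)
        codes = [secrets.token_hex(5) for _ in range(count)]  # assumed format, not BoxOwl's
        self._unused = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code):
        """True exactly once per valid code; unknown and already-spent codes look the same."""
        d = self._digest(code)
        if d in self._unused:
            self._unused.remove(d)
            return True
        return False

def login_second_factor(secret_b32, recovery, submitted, at=None):
    """Assumed second-factor step: a 6-digit TOTP, or a recovery code in its place; one generic verdict."""
    if submitted.isdigit() and len(submitted) == DIGITS:
        return verify_totp(secret_b32, submitted, at)
    return recovery.redeem(submitted)
```

The first assertion values in use below come from the RFC 6238 test vector for the SHA-1 key "12345678901234567890", which is why any compliant app yields the same code for the same secret and time.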
Browser Extension MFA
The BoxOwl browser extension supports the same MFA challenge as the mobile app. When you sign in to the extension, after the email + password step the popup switches to a TOTP / recovery-code prompt. Recovery codes work in the extension exactly the same as in the app.
Moving To a New Phone
If your authenticator app supports cloud sync (Authy, 1Password, Bitwarden, Microsoft Authenticator with backups), the BoxOwl entry travels with it. Sign in on the new device; the TOTP code matches and you are in.
If your authenticator app does not sync (default Google Authenticator setup, Aegis without export), you need to either:
- Use the export/import feature in your authenticator app to move entries to the new phone before you wipe the old one, or
- Sign in once on the new phone using a recovery code, then re-enrol MFA from Settings > Security > Two-Factor Authentication > Reset MFA. Re-enrolment generates a new secret + new recovery codes; the old codes stop working.
If You Lose Everything
If your authenticator is gone and all your recovery codes are lost, support cannot reset MFA for you. We have no backdoor that lets us bypass your second factor; that is by design.
The fall-back is the same as if you forgot your password: account recovery via your registered email. Email-based recovery resets both the password and MFA together. It is rate-limited and requires inbox access. We treat this as a last-resort escape hatch because anyone with persistent access to your email could trigger it.
Lock down your email account first. Use a strong password and MFA on the email provider too. BoxOwl's MFA is only as strong as the recovery channel.
Related Reading
- Security Best Practices — password policy, biometric unlock, vault export, account deletion.
- Account Setup — first-time account creation walkthrough.