# Security

> Protect your account with two-factor authentication and security best practices

Secure your Boosterberg account with two-factor authentication, session management, and security monitoring.

## Two-factor authentication (2FA)

Add an extra layer of security by requiring a verification code in addition to your password.

### Enabling 2FA

<Steps>
  <Step title="Go to security settings">
    Navigate to **Settings** > **Security**.
  </Step>

  <Step title="Click Enable 2FA">
    Under **Two-Factor Authentication**, click **Enable**.
  </Step>

  <Step title="Choose authentication method">
    Select your preferred method:

    * **Authenticator app** (recommended): Google Authenticator, Authy, 1Password, etc.
    * **SMS**: Receive codes via text message
  </Step>

  <Step title="Set up authenticator app">
    If using an authenticator app:

    1. Scan the QR code with your app
    2. Enter the 6-digit code shown in your app
    3. Click **Verify**

    <Tip>
      Save the backup codes shown after setup. You'll need them if you lose access to your authenticator.
    </Tip>
  </Step>

  <Step title="Save backup codes">
    Download and securely store your backup codes. Each code can be used once if you lose access to your authenticator.
  </Step>
</Steps>

<Check>
  Two-factor authentication is now enabled! You'll need to enter a code from your authenticator app each time you log in.
</Check>

### Using 2FA

When logging in with 2FA enabled:

1. Enter your email and password
2. Open your authenticator app
3. Enter the 6-digit code
4. Click **Verify**

<Note>
  You can check "Trust this device" to skip 2FA for 30 days on that device.
</Note>

### Backup codes

If you lose access to your authenticator:

1. Click **Use backup code** on the login screen
2. Enter one of your saved backup codes
3. Immediately set up a new authenticator

<Warning>
  Each backup code can only be used once. Generate new codes after using them.
</Warning>

### Disabling 2FA

To turn off two-factor authentication:

1. Go to **Settings** > **Security**
2. Click **Disable 2FA**
3. Enter your password and current 2FA code
4. Confirm disabling

<Warning>
  Disabling 2FA makes your account less secure. Only do this if absolutely necessary.
</Warning>

## Password security

### Password requirements

Boosterberg requires passwords to:

* Be at least 12 characters long
* Include uppercase and lowercase letters
* Include at least one number
* Include at least one special character

<Tip>
  Use a password manager to generate and store strong, unique passwords.
</Tip>

### Changing your password

<Steps>
  <Step title="Go to security settings">
    Navigate to **Settings** > **Security**.
  </Step>

  <Step title="Click Change Password">
    Under **Password**, click **Change Password**.
  </Step>

  <Step title="Enter passwords">
    * Current password
    * New password
    * Confirm new password
  </Step>

  <Step title="Save changes">
    Click **Update Password**. You'll be logged out and need to log in with the new password.
  </Step>
</Steps>

### Password reset

If you forgot your password:

1. Click **Forgot Password** on the login screen
2. Enter your email address
3. Check your email for a reset link
4. Click the link and create a new password

<Note>
  Password reset links expire after 1 hour for security.
</Note>

## Session management

### Active sessions

View all devices where you're currently logged in:

* Device type and browser
* IP address and location
* Last active time
* Current session indicator

### Managing sessions

End sessions on other devices:

1. Go to **Settings** > **Security** > **Active Sessions**
2. Review the list of active sessions
3. Click **Log Out** next to sessions you want to end
4. Or click **Log Out All Other Sessions** to end all except current

<Tip>
  Regularly review active sessions and log out unused devices.
</Tip>

### Session timeout

For security, Boosterberg automatically logs you out after:

* **30 days** of inactivity
* **7 days** on public/shared computers (if selected during login)

## Login security

### Login notifications

Receive alerts when someone logs into your account:

1. Go to **Settings** > **Security** > **Login Alerts**
2. Enable **Email notifications for new logins**
3. Choose notification preferences:
   * All logins
   * Unrecognized devices only
   * Failed login attempts

### Failed login attempts

After 5 failed login attempts:

* Account is temporarily locked for 15 minutes
* You receive an email notification
* IP address is flagged for monitoring

<Warning>
  If you see failed login attempts you didn't make, change your password immediately and enable 2FA.
</Warning>

### Trusted devices

Mark devices as trusted to skip 2FA:

* Checkbox during login: "Trust this device for 30 days"
* Manage trusted devices in **Settings** > **Security**
* Remove trust from any device anytime

## Security monitoring

### Activity log

View all account activity:

* Login attempts (successful and failed)
* Password changes
* 2FA changes
* Campaign creations and modifications
* Team member changes
* API key usage

Access at **Settings** > **Security** > **Activity Log**.

### Security alerts

Boosterberg monitors for suspicious activity:

* Logins from new locations
* Multiple failed login attempts
* Unusual API usage
* Large budget changes
* Bulk campaign deletions

You'll receive email alerts for suspicious activity.

## API security

### API key management

Secure your API keys:

* Generate separate keys for different integrations
* Set appropriate permissions for each key
* Rotate keys regularly (every 90 days recommended)
* Revoke unused keys immediately

### API key permissions

Limit what each API key can do:

* **Read-only**: View data only
* **Campaign management**: Create and edit campaigns
* **Full access**: All operations

<Tip>
  Use read-only keys whenever possible to minimize risk.
</Tip>

### Revoking API keys

If a key is compromised:

1. Go to **Settings** > **API**
2. Find the compromised key
3. Click **Revoke** immediately
4. Generate a new key if needed
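
The key-management guidance above (90-day rotation, revoking unused keys, lowest permission level that works) can be checked against your own record of issued keys. The script below is an added example, not Boosterberg code. The inventory layout, the key names, the permission strings and the 30-day "unused" threshold are assumptions made for illustration.

```python
from datetime import date

ROTATION_DAYS = 90          # rotation interval recommended above
UNUSED_DAYS = 30            # assumption: the page gives no threshold for "unused"
RANK = {"read-only": 0, "campaign-management": 1, "full-access": 2}

# Constructed inventory. Field names and key names are hypothetical; this is
# not a Boosterberg export format.
KEYS = [
    {"name": "reporting-dashboard", "granted": "read-only", "required": "read-only",
     "created": date(2024, 4, 15), "last_used": date(2024, 5, 31)},
    {"name": "budget-sync", "granted": "full-access", "required": "campaign-management",
     "created": date(2024, 1, 2), "last_used": date(2024, 5, 30)},
    {"name": "legacy-import-test", "granted": "campaign-management",
     "required": "campaign-management",
     "created": date(2024, 3, 20), "last_used": None},
]


def audit_keys(keys, today):
    """Return (key name, action, detail) tuples for keys that break the guidance."""
    findings = []
    for key in keys:
        age = (today - key["created"]).days
        if age > ROTATION_DAYS:
            findings.append((key["name"], "rotate", f"{age} days old"))
        last_used = key["last_used"]
        if last_used is None:
            findings.append((key["name"], "revoke", "never used"))
        elif (today - last_used).days > UNUSED_DAYS:
            idle = (today - last_used).days
            findings.append((key["name"], "revoke", f"idle {idle} days"))
        # Flag keys whose granted level exceeds what the integration needs.
        if RANK[key["granted"]] > RANK[key["required"]]:
            findings.append((key["name"], "reduce-permission",
                             f"{key['granted']} -> {key['required']}"))
    return findings


if __name__ == "__main__":
    for name, action, detail in audit_keys(KEYS, today=date(2024, 6, 1)):
        print(f"{name:20} {action:18} {detail}")
```
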

## Best practices

<AccordionGroup>
  <Accordion title="Enable 2FA immediately">
    Two-factor authentication is the single most effective security measure. Enable it as soon as you create your account.
  </Accordion>

  <Accordion title="Use a password manager">
    Password managers generate strong, unique passwords and store them securely. Popular options: 1Password, Bitwarden, LastPass.
  </Accordion>

  <Accordion title="Review security settings monthly">
    * Check active sessions
    * Review activity log
    * Verify team member access
    * Rotate API keys
  </Accordion>

  <Accordion title="Never share credentials">
    * Don't share your password with anyone
    * Don't share 2FA codes
    * Don't share API keys publicly
    * Use team member invitations instead
  </Accordion>

  <Accordion title="Keep software updated">
    * Update your browser regularly
    * Keep your operating system current
    * Update your authenticator app
  </Accordion>
</AccordionGroup>

## Security checklist

Use this checklist to ensure your account is secure:

* [ ] Two-factor authentication enabled
* [ ] Strong, unique password set
* [ ] Password manager in use
* [ ] Login notifications enabled
* [ ] Active sessions reviewed
* [ ] Trusted devices list current
* [ ] API keys have minimal permissions
* [ ] Team member access is appropriate
* [ ] Activity log reviewed monthly
* [ ] Backup codes saved securely

## Reporting security issues

If you discover a security vulnerability:

1. **Do not** disclose it publicly
2. Email [security@boosterberg.com](mailto:security@boosterberg.com) with details
3. Include steps to reproduce if possible
4. We'll respond within 24 hours

<Note>
  Boosterberg has a responsible disclosure policy. We appreciate security researchers who report vulnerabilities responsibly.
</Note>

## Next steps

<CardGroup cols={2}>
  <Card title="Manage your team" icon="users" href="/account/team-members">
    Add members and control access
  </Card>

  <Card title="Control permissions" icon="key" href="/facebook-instagram/permissions-access">
    Manage Facebook permissions
  </Card>
</CardGroup>
