Best Practice - Choosing Security Settings




Businesses around the world trust Box with their most sensitive data, and for good reason: In addition to our robust back-end security, we offer admins a host of options for controlling how users sign up for and log in to Box.

This guide will walk you – step by step – through your account’s security settings panel, where you’ll configure your settings to match your organization’s security requirements. Check with your IT department if you’re unsure what they are.

Here’s how to open the security settings panel and get started:

  1. Click Admin Console in the header bar at the top of your page
  2. Click Enterprise Settings in the upper right-hand corner of the menu bar
  3. Click the Security tab

Signup and Login Settings

The Signup and Login section is where you’ll set rules for users either signing up for or logging in to Box:


Here's more about what the different options do:

Self Signup

As an admin, you can add users manually, but you also have the option to allow users to add themselves to your account. If you select this option, you can direct new users to your account’s custom URL to sign up. This is a good option if you’re not concerned about your seat count.

Account Creation Notification

Select this option if you would like admins to be notified via email whenever a new user is created. You can choose to receive an immediate notification or a summary of new users once a day.

User email/login

Selecting this option prevents users from changing their Box login emails to personal addresses. Check this box if you want your users to stick with the corporate email they used to sign up. 

Failed Logins

Turn on this option to be kept apprised of login troubles – or unauthorized access attempts. You can customize the number of failed login attempts that will trigger your notification. 

Persistent Logins

If you need to require users to enter login credentials each time they return to Box, enable this option. They will no longer be able to use the Keep Me Signed in feature and will be logged out of Box each time they close their browser.

Login Verification

If you enable this setting, a user who logs in from a new device or location will be prompted to enter a secondary code that they receive via text message.

Password Requirements

Next, you can set length or complexity requirements for your users' passwords in the Character Settings section.

Also consider creating a password reset calendar in the Password Resets section: This setting forces managed users to update their passwords at regular intervals. Plus, prevent users from reusing passwords if need be; just check the Prevent Reusing Passwords box, then set the number that works best for your organization.

Finally, if you need to track password changes for auditing purposes, check the two password change notification boxes. You will receive these notifications by email. 


The Uploads setting gives Enterprise and Elite admins the option to prevent users from accessing their Box accounts via regular (unencrypted) FTP. 

Session Duration

The Session Duration section is well worth a look if you work in an open office setting where people are moving around frequently, or if you have an external presence in your company. This option allows you to set how long an account can stay logged in without activity:

If a user exceeds this limit, they’ll be logged out of Box – right away. The default is 48 hours, but you can also shorten it to as little as ten minutes.

Once you’ve applied the security settings that you need, be sure to click Save at the bottom of the page.

And, to read more about how we keep your content safe in the cloud, just visit
