Two-Factor Authentication (2FA) adds an extra layer of security to your cPanel account. After entering your password, you will also need to enter a code from an authenticator app on your phone. This prevents unauthorised access even if someone knows your password.

Prerequisites

  • An authenticator app installed on your phone:
    • Google Authenticator (Android / iOS)
    • Microsoft Authenticator (Android / iOS)
    • Authy (Android / iOS / Desktop)
  • Your cPanel account must have 2FA enabled by your hosting provider. If the cPanel Two-Factor Authentication icon is missing, contact support to have it enabled.

Step 1: Enable 2FA in cPanel

  1. Log in to your cPanel account.
  2. In the Security section, click Two-Factor Authentication.
  3. Click Set Up Two-Factor Authentication.
  4. cPanel will display a QR code.

Step 2: Scan the QR Code

  1. Open your authenticator app on your phone.
  2. Tap Add Account → Scan QR Code (or the + button).
  3. Point your phone camera at the QR code on your screen.
  4. The app will add a new entry for your cPanel account and start generating 6-digit codes.

Step 3: Enter the Verification Code

  1. Back in cPanel, enter the 6-digit code shown in your authenticator app.
  2. Click Configure Two-Factor Authentication.
  3. 2FA is now enabled. You will be asked for a code each time you log in to cPanel.

Step 4: Save Your Backup Codes

  1. cPanel will display a list of backup/recovery codes.
  2. Save these codes in a secure location (password manager, printed and stored safely).
  3. If you lose your phone, these codes are the only way to get back into your cPanel account without contacting support.

Important Notes

  • Never share your 2FA codes or backup codes with anyone.
  • The codes change every 30 seconds — you must use the current code, not an expired one.
  • If you lose access to your authenticator app and have no backup codes, contact support — we can disable 2FA for your account after verifying your identity.
  • 2FA only protects cPanel login. Consider enabling 2FA for your email accounts and other services as well.

Troubleshooting

  • "Invalid security token" error: The code may have expired (codes change every 30 seconds). Generate a new code in your authenticator app and try again. Also ensure your phone's time is set to automatic/network time — incorrect time will generate invalid codes.
  • Cannot find Two-Factor Authentication icon in cPanel: Your hosting provider may have disabled this feature for your account. Contact support to request 2FA be enabled.
  • Lost your phone or authenticator app: Use one of your backup codes to log in. Once logged in, you can disable 2FA and set it up again on a new device. If you have no backup codes, contact support for identity verification and 2FA reset.
  • Codes generated by the app are always rejected: Your phone clock may be out of sync. Go to your phone settings → Date & Time → enable "Automatic" or "Network-provided time". The authenticator app requires accurate time to generate valid codes.
  • Want to disable 2FA temporarily: Go to cPanel → Two-Factor Authentication → click Remove Two-Factor Authentication. You can re-enable it at any time.

Need help? Contact our support team.
