
Two-Factor Authentication in cPanel

This article explains how to set up two-factor authentication for your cPanel account.

If enabled on your server, you have the ability to add an additional layer of protection to your cPanel account. Normally, your cPanel account is protected by a username and a password, but it is possible to enable another layer of authentication on top of that. This is known as two-factor authentication as there are two different types of authentication required in order to access your account.

This additional protection will require you to enter a constantly changing 6-digit security code in addition to your username and password.


Two-Factor Requirements for cPanel

In order for two-factor authentication to work with your cPanel account, you'll need to meet the following requirements:

  1. You are using a supported version of cPanel.

  2. Two-factor authentication is enabled on your server.

  3. Your cPanel account is permitted to access this feature.

  4. You have a supported authentication application like Google Authenticator, Authy or 1Password.

    ✅ Direct links to popular two-factor authentication applications:

    | Application | Android | iOS | Windows | Mac |
    |---|---|---|---|---|
    | Authy | Android | iOS | Windows 64-bit, Windows 32-bit | Mac |
    | Google Authenticator | Android | iOS | n/a | n/a |
    | 1Password | Android | iOS | Windows | Mac |

    Make sure you always have the authentication application with you wherever you access cPanel, or you will be unable to log in.


Enabling Two-Factor Authentication in cPanel

Once you have at least one of the apps above, log into cPanel to enable two-factor authentication.

  1. Log into cPanel. Typically, you can do this via a URL like: https://DOMAIN.COM/cpanel (Replace *DOMAIN.COM* with your cPanel main domain name.)

  2. In cPanel's search box, type "factor" or "two" and select Two-Factor Authentication.

  3. Click **Set Up Two-Factor Authentication** to start the process.

  4. In your authenticator application, add a new account/token/login item, depending on the app you are using.

  5. If you are using a mobile application as your authenticator, you can use the application to scan the large QR code that is displayed on the screen. If you are using a desktop app, you can use the code displayed under the QR code.

    1. If you need to set up more than one authenticator, now is the time to do that. Repeat **step 5** with every authenticator you need to use.
  6. Once set up in your authenticator, it will start displaying a 6-digit code. Type the code displayed in your app into the Security Code box and click the Configure Two-Factor Authentication button to finish setup.

ℹ️ From now on, when you try to log into your cPanel account, you will be asked to enter your username and password as well as the 6-digit code from your authentication application.


Disabling Two-Factor Authentication in cPanel

If you have two-factor authentication enabled and you have a working authenticator, you can turn off this feature when logged into cPanel.

  1. Log into cPanel. Typically, you can do this via a URL like: https://DOMAIN.COM/cpanel (Replace *DOMAIN.COM* with your cPanel main domain name.)

  2. In cPanel's search box, type "factor" or "two" and select Two-Factor Authentication.

  3. Click **Remove Two-Factor Authentication** to disable it.

  4. Once the feature is disabled, remove the entry from any of your authentication applications, as those login tokens will no longer be good.


Troubleshooting Issues with Two-Factor Authentication in cPanel

If you are having problems accessing your account after you set up two-factor authentication, here are some things to try.

I deleted or lost the authentication application or token, what can I do?

If you are not currently logged into cPanel when you lose or delete your token, then your two-factor authentication must be disabled by someone with root WHM or root SSH access to your server (see below). Contact that person or HostDime if we are your hosting provider.

If you are currently logged into your cPanel account, you can follow the directions above to disable two-factor authentication or you can click the Reconfigure Two-Factor Authentication button to create a new token and revoke the old one.

I have access to root WHM or SSH on my server, how can I disable two-factor authentication to regain access to the cPanel account?

Root SSH
  1. Log into your server via SSH as root.

  2. Execute the following command:

    whmapi1 twofactorauth_remove_user_config user=CPANELUSERNAME

    ⚠️ Replace CPANELUSERNAME in the example above with the actual lowercase cPanel username of the account where you want to disable two-factor authentication.

  3. Try logging into the cPanel account to make sure it works.

Root WHM

This will disable two-factor for the cPanel account and invalidate any tokens they have set up. They can set up two-factor again if they wish.

  1. Log into WHM as root.

  2. Select Two-Factor Authentication from the Security Center section of the sidebar on the left.

  3. Find the user account you want to remove two-factor authentication from and click the Disable link and confirm removal.

  4. Test logging into the cPanel account to make sure it is possible to get in without the token.


I have my authentication app, but for some reason, when I enter the code, it doesn't work.

The codes generated are time-based, so if the clock on the server or on your authenticator device is wrong, the authenticator will generate codes that don't match what the server is expecting.

Try resetting the time on your device to the correct time and try again.

If that doesn't work, try restarting your authenticator application or the device itself and try logging in again.

If it still doesn't work, disable your two-factor authentication as directed above and set it up again using a new token.
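Why a wrong clock breaks the code, as an added example that is not part of the original article and is not cPanel's own code: a standard RFC 6238 TOTP generator and a verifier that accepts one 30-second step either side of server time. The one-step tolerance is an assumption (the article does not state what cPanel accepts), and the secret is the published RFC 6238 test key, not a real account secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid; the usual authenticator default (assumption)
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real cPanel secret


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and clock."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret: bytes, code: str, server_time: float,
                   window: int = 1) -> bool:
    """True if `code` matches any step within `window` steps of server time.

    `window` is a hypothetical tolerance setting, not a documented cPanel value.
    """
    return any(
        hmac.compare_digest(code, totp(secret, server_time + i * STEP))
        for i in range(-window, window + 1)
    )


def drift_report(secret: bytes, server_time: float, skews, window: int = 1):
    """For each device clock skew (seconds), would the device's code be accepted?"""
    return {
        skew: server_accepts(secret, totp(secret, server_time + skew),
                             server_time, window)
        for skew in skews
    }


if __name__ == "__main__":
    server_now = 1111111109  # constructed timestamp, 29 s into a 30 s step
    for skew, ok in drift_report(RFC_SECRET, server_now, [0, 20, -45, 300]).items():
        print(f"device clock {skew:+4d}s -> {'accepted' if ok else 'rejected'}")
```

A device that is five minutes off is rejected even with the tolerance window, which is why correcting the device clock is the first thing to try.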

I'm getting a new mobile device, how do I transfer my authentication application settings to the new device?

Most mobile operating systems have methods of restoring your data securely from one device to another. Refer to your OS's restoration directions for how to accomplish this.

In addition, some applications (like Authy) offer a separate secure method of backing up your authenticators and syncing them between devices.

If you don't think you can handle this or you are concerned something might go wrong, disable two-factor authentication in cPanel before migrating to your new device. 

Don't forget to disable your authenticator app on your old device.