Two-factor authentication enhances server security by asking users to provide a unique code, supplied by an app on their phone, when they log in.<\/p>\n\n\n\n
When two-factor authentication is turned off, cPanel & WHM asks users to enter two pieces of information: a public username and a private password. If no one except the user knows the password, it proves they are who they claim to be. Password-based \u201cone-factor\u201d authentication is secure if the password is tough to guess and users really do keep it secret.<\/p>\n\n\n\n
However, users sometimes create security vulnerabilities because they choose passwords that are easy to guess, store them insecurely, or share them with other people. TFA adds another authentication factor, a one-time code generated by an app that can\u2019t be guessed or shared because it changes thousands of times a day. <\/p>\n\n\n\n
Entering the code proves the user has the mobile device with the app installed while logging in. They verify their identity with both \u201csomething they know,\u201d the password, and \u201csomething they have,\u201d the phone the app is installed on.<\/p>\n\n\n\n
Two-factor authentication works because the authenticator app and cPanel & WHM share a secret key. cPanel creates the key, which is added to the app via a QR code or entered as a string of digits. With some complicated math, cPanel and the app can then simultaneously generate the same one-time code. When you log in, the codes are compared, and if they match, you\u2019re authenticated.<\/p>\n\n\n\n
Two-factor authentication is much more secure than password-based logins, but it is also less convenient. Your users will have to install an app and use it every time they log in. It\u2019s up to the server administrator or hosting provider to decide whether the inconvenience is worth the increase in security.<\/p>\n\n\n\n
What You\u2019ll Need to Use Two-Factor Authentication with cPanel<\/strong><\/h2>\n\n\n\nTo use two-factor authentication in cPanel, your hosting provider or server administrator must first activate and configure it in WHM. We\u2019ll show you how to do that in the next section.<\/p>\n\n\n\n
You will also need a two-factor authentication app to provide the one-time code. There are several available for mobile devices, including:<\/p>\n\n\n\n
- Google\u00ae Authenticator for iOS<\/a>\u00ae and Android<\/a>™.<\/li>
- Duo Mobile for iOS<\/a> and Android<\/a>.<\/li><\/ul>\n\n\n\n
How to Activate Two-Factor Authentication in WHM<\/strong><\/h2>\n\n\n\nYou will find the Two-Factor Authentication<\/em> configuration page under Security<\/em> in the WHM sidebar menu. It\u2019s turned off by default, so first, we need to flip the switch to activate it.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/00-cpanel-activate-tfa.png\")
<\/figure>\n\n\n\nThe TFA page also includes management and configuration options:<\/p>\n\n\n\n
- The Manage User<\/em> tab is used to turn TFA on and off for cPanel users who have activated it.<\/li>
- The Manage My Account<\/em> tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we\u2019ll go into more detail in the next section.<\/li><\/ul>\n\n\n\n
![\"Manage](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/01-cpanel-manage-tfa-users.png\")
<\/figure>\n\n\n\nIn most cases, that\u2019s all you have to do to make two-factor authentication available to cPanel & WHM users. However, if you previously disabled it in Feature Manager<\/em>, you may need to re-enable it.<\/p>\n\n\n\nNavigate to the Feature Manager<\/em> under Packages<\/em> in the sidebar menu. Click edit with the Default<\/em> list selected in the dropdown menu.<\/p>\n\n\n\n![\"Feature](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/02-cpanel-feature-manager.png\")
<\/figure>\n\n\n\nSearch for Two-Factor Authentication<\/em>, make sure the adjacent box is checked, and click the Save<\/em> button.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/03-cpanel-add-tfa-to-default.png\")
<\/figure>\n\n\n\n<\/strong>How to Configure and Use and TFA in cPanel<\/strong><\/h2>\n\n\n\nWhen the TFA feature is activated in WHM, a new menu item is added to the Security<\/em> section of cPanel\u2019s main menu. This is where you will set up TFA for your user or turn it off if you decide you no longer need it.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/04-cpanel-two-factor-authentication-menu.png\")
<\/figure>\n\n\n\nClick the Set Up Two-Factor Authentication<\/em> button, and you\u2019ll be taken to a page with the information your mobile authenticator app needs, encoded as a QR code.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/05-cpanel-set-up-two-factor.png\")
<\/figure>\n\n\n\nHow you enter this information is different in each app, but you should look for a plus (+) button in the app\u2019s interface and then select \u201cscan barcode\u201d or \u201cscan QR code.\u201c Point your phone\u2019s camera at the QR code, and the app will read it.<\/p>\n\n\n\n
If your app can\u2019t read the QR code, manually enter the Account<\/em> and Key<\/em> information displayed below the QR code.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/06-cpanel-add-user-to-tfa-app.png\")
<\/figure>\n\n\n\nYour app should display a six-digit code that changes every 30 seconds. To finalize the configuration, enter the code into the Security Code<\/em> field at the bottom of the page and click Configure Two-Factor Authentication<\/em>.<\/p>\n\n\n\n![\"Enter](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/07-cpanel-enter-tfa-security-code.png\")
<\/figure>\n\n\n\nThat\u2019s it! Next time you log in to cPanel, you\u2019ll be asked to supply a code from your app in addition to your username and password.<\/p>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/08-cpanel-log-in-with-two-factor.png\")
<\/figure>\n\n\n\nTwo-factor authentication significantly reduces the likelihood of a server being compromised with shared or lost passwords. It also offers complete protection from password-guessing attacks, including automated brute-force and dictionary attacks. With cPanel & WHM, you can activate TFA in minutes, protecting your server\u2019s resources and reducing the amount of time you spend supporting users with compromised hosting accounts.<\/p>\n\n\n\n
How to Activate Two-Factor Authentication in WHM<\/strong><\/h2>\n\n\n\nYou will find the Two-Factor Authentication<\/em> configuration page under Security<\/em> in the WHM sidebar menu. It\u2019s turned off by default, so first, we need to flip the switch to activate it.<\/p>\n\n\n\n<\/figure>\n\n\n\nThe TFA page also includes management and configuration options:<\/p>\n\n\n\n
- The Manage User<\/em> tab is used to turn TFA on and off for cPanel users who have activated it.<\/li>
- The Manage My Account<\/em> tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we\u2019ll go into more detail in the next section.<\/li><\/ul>\n\n\n\n
<\/figure>\n\n\n\nIn most cases, that\u2019s all you have to do to make two-factor authentication available to cPanel & WHM users. However, if you previously disabled it in Feature Manager<\/em>, you may need to re-enable it.<\/p>\n\n\n\nNavigate to the Feature Manager<\/em> under Packages<\/em> in the sidebar menu. Click edit with the Default<\/em> list selected in the dropdown menu.<\/p>\n\n\n\n<\/figure>\n\n\n\nSearch for Two-Factor Authentication<\/em>, make sure the adjacent box is checked, and click the Save<\/em> button.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/strong>How to Configure and Use and TFA in cPanel<\/strong><\/h2>\n\n\n\nWhen the TFA feature is activated in WHM, a new menu item is added to the Security<\/em> section of cPanel\u2019s main menu. This is where you will set up TFA for your user or turn it off if you decide you no longer need it.<\/p>\n\n\n\n<\/figure>\n\n\n\nClick the Set Up Two-Factor Authentication<\/em> button, and you\u2019ll be taken to a page with the information your mobile authenticator app needs, encoded as a QR code.<\/p>\n\n\n\n<\/figure>\n\n\n\nHow you enter this information is different in each app, but you should look for a plus (+) button in the app\u2019s interface and then select \u201cscan barcode\u201d or \u201cscan QR code.\u201c Point your phone\u2019s camera at the QR code, and the app will read it.<\/p>\n\n\n\n
If your app can\u2019t read the QR code, manually enter the Account<\/em> and Key<\/em> information displayed below the QR code.<\/p>\n\n\n\n<\/figure>\n\n\n\nYour app should display a six-digit code that changes every 30 seconds. To finalize the configuration, enter the code into the Security Code<\/em> field at the bottom of the page and click Configure Two-Factor Authentication<\/em>.<\/p>\n\n\n\n<\/figure>\n\n\n\nThat\u2019s it! Next time you log in to cPanel, you\u2019ll be asked to supply a code from your app in addition to your username and password.<\/p>\n\n\n\n<\/figure>\n\n\n\nTwo-factor authentication significantly reduces the likelihood of a server being compromised with shared or lost passwords. It also offers complete protection from password-guessing attacks, including automated brute-force and dictionary attacks. With cPanel & WHM, you can activate TFA in minutes, protecting your server\u2019s resources and reducing the amount of time you spend supporting users with compromised hosting accounts.<\/p>\n\n\n\n
<\/figure>\n\n\n\nThe TFA page also includes management and configuration options:<\/p>\n\n\n\n
- The Manage User<\/em> tab is used to turn TFA on and off for cPanel users who have activated it.<\/li>
- The Manage My Account<\/em> tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we\u2019ll go into more detail in the next section.<\/li><\/ul>\n\n\n\n
<\/figure>\n\n\n\nIn most cases, that\u2019s all you have to do to make two-factor authentication available to cPanel & WHM users. However, if you previously disabled it in Feature Manager<\/em>, you may need to re-enable it.<\/p>\n\n\n\n
Navigate to the Feature Manager<\/em> under Packages<\/em> in the sidebar menu. Click edit with the Default<\/em> list selected in the dropdown menu.<\/p>\n\n\n\n
<\/figure>\n\n\n\nSearch for Two-Factor Authentication<\/em>, make sure the adjacent box is checked, and click the Save<\/em> button.<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/strong>How to Configure and Use and TFA in cPanel<\/strong><\/h2>\n\n\n\n
When the TFA feature is activated in WHM, a new menu item is added to the Security<\/em> section of cPanel\u2019s main menu. This is where you will set up TFA for your user or turn it off if you decide you no longer need it.<\/p>\n\n\n\n
<\/figure>\n\n\n\nClick the Set Up Two-Factor Authentication<\/em> button, and you\u2019ll be taken to a page with the information your mobile authenticator app needs, encoded as a QR code.<\/p>\n\n\n\n
<\/figure>\n\n\n\nHow you enter this information is different in each app, but you should look for a plus (+) button in the app\u2019s interface and then select \u201cscan barcode\u201d or \u201cscan QR code.\u201c Point your phone\u2019s camera at the QR code, and the app will read it.<\/p>\n\n\n\n
If your app can\u2019t read the QR code, manually enter the Account<\/em> and Key<\/em> information displayed below the QR code.<\/p>\n\n\n\n
<\/figure>\n\n\n\nYour app should display a six-digit code that changes every 30 seconds. To finalize the configuration, enter the code into the Security Code<\/em> field at the bottom of the page and click Configure Two-Factor Authentication<\/em>.<\/p>\n\n\n\n
<\/figure>\n\n\n\nThat\u2019s it! Next time you log in to cPanel, you\u2019ll be asked to supply a code from your app in addition to your username and password.<\/p>\n\n\n\n
<\/figure>\n\n\n\nTwo-factor authentication significantly reduces the likelihood of a server being compromised with shared or lost passwords. It also offers complete protection from password-guessing attacks, including automated brute-force and dictionary attacks. With cPanel & WHM, you can activate TFA in minutes, protecting your server\u2019s resources and reducing the amount of time you spend supporting users with compromised hosting accounts.<\/p>\n\n\n\n
- The Manage My Account<\/em> tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we\u2019ll go into more detail in the next section.<\/li><\/ul>\n\n\n\n