Two-Factor Authentication in cPanel

This article explains how to set up two-factor authentication for your cPanel account.

If enabled on your server, you have the ability to add an additional layer of protection to your cPanel account. Normally, your cPanel account is protected by a username and a password, but it is possible to enable another layer of authentication on top of that. This is known as two-factor authentication as there are two different types of authentication required in order to access your account.

This additional protection will require you to enter a constantly changing 6-digit security code in addition to your username and password.

Two-Factor Requirements for cPanel

In order for two-factor authentication to work with your cPanel account, you'll need to meet the following requirements:

  1. You are using a supported version of cPanel.
  2. Two factor authentication is enabled on your server.
  3. Your cPanel account is permitted to access this feature.
  4. You have a supported authentication application like Google Authenticator, Authy or 1Password.

Direct links to popular two-factor authentication applications:

ApplicationAndroidiOSWindowsMac
AuthyAndroidiOSWindows 64-bit
Windows 32-bit		Mac
Google AuthenticatorAndroidiOSn/an/a
1PasswordAndroidiOSWindowsMac

Make sure you always have the authentication application with you where ever you access cPanel, or you will be unable to log in.

Enabling Two-Factor Authentication in cPanel

Once you have at least one of the apps above, log into cPanel to enable two-factor authentication.

  1. Log into cPanel. Typically, you can do this via a URL like: https://DOMAIN.COM/cpanel (Replace DOMAIN.COM with your cPanel main domain name.)
  2. In cPanel's search box, type "factor" or "two" and select Two-Factor Authentication.
    Click the Two-Factor Authentication Button
  3. Click Set Up Two-Factor Authentication to start the process.
    Click the Set Up Two-Factor Authentication Button
  4. In your authenticator application, add a new a account/token/login item depending on the app you are using.
  5. If you are using a mobile application as your authenticator, you can use the application to scan the large QR code that is displayed on the screen. If you are using a desktop app, you can use the code displayed under the QR code.
    Scan the QR Code or Enter the Key Code into Your Authenticator App
    1. If you need to set up more than one authenticator, now is the time to do that. Repeat step 5 with every authenticator you need to use.
  6. Once set up in your authenticator, it will start displaying a 6-digit code. Type the code displayed in your app into the Security Code box and click the Configure Two-Factor Authentication button to finish setup.
    Enter the Displayed Code from Your Auth App and Press the Button

From now on, when you try to log into your cPanel account, you will be asked to enter your username and password as well as the 6-digit code from your authentication application.

Disabling Two-Factor Authentication in cPanel

If you have two-factor authentication enabled and you have a working authenticator, you can turn off this feature when logged into cPanel.

  1. Log into cPanel. Typically, you can do this via a URL like: https://DOMAIN.COM/cpanel (Replace DOMAIN.COM with your cPanel main domain name.)
  2. In cPanel's search box, type "factor" or "two" and select Two-Factor Authentication.
    Click on Two-Factor Authentication
  3. Click Remove Two-Factor Authentication to disable it. 
    Click the Red Remove Two-Factor Authentication Button
  4. Once the feature is disabled, remove the entry from any of your authentication applications, as those login tokens will no longer be good.

Troubleshooting Issues with Two-Factor Authentication in cPanel

If you are having problems accessing your account after you set up two-factor authentication, here are some things to try.

I deleted or lost the authentication application or token, what can I do?

If you are not currently logged into cPanel when you lose or delete your token, then your two factor authentication must be disabled by someone with root WHM or root SSH access to your server (see below). Contact that person or HostDime if we are your hosting provider.

If you are currently logged into your cPanel account, you can follow the directions above to disable two-factor authentication or you can click the Reconfigure Two-Factor Authentication button to create a new token and revoke the old one.

I have access to root WHM or SSH on my server, how can I disable two-factor authentication to regain access to the cPanel account?

Root SSH Root WHM
  1. Log into your server via SSH as root.

  2. Execute the following command:

    whmapi1 twofactorauth_remove_user_config user=CPANELUSERNAME

    Replace CPANELUSERNAME in the example above with the actual lowercase cPanel username of the account where you want to disable two-factor authentication.

  3. Try logging into the cPanel account to make sure it works.

This will disable two-factor for the cPanel account and invalidate any tokens they have set up. They can set up two-factor again if they wish.

  1. Log into WHM as root.
  2. Select Two-Factor Authentication from the Security Center section of the sidebar on the left.
    Click Two-Factor Authentication in the WHM Sidebar
  3. Find the user account you want to remove two-factor authentication from and click the Disable link and confirm removal.
    Disable Two-Factor Authentication for a User by Clicking Disable
  4. Test logging into the cPanel account to make sure it is possible to get in without the token.

This will disable two-factor for the cPanel account and invalidate any tokens they have set up. They can set up two-factor again if they wish.

I have my authentication app, but for some reason, when I enter the code, it doesn't work.

The codes generated are time-based, so if there is an issue with the time on the server or on your authenticator device you may have issues because the authenticator will be generating codes that don't match what the server is expecting. 

Try resetting the time on your device to the correct time and try again.

If that doesn't work, try restarting your authenticator application or the device itself and try logging in again.

If it still doesn't work, disable your two-factor authentication as directed above and set it up again using a new token.

I'm getting a new mobile device, how do I transfer my authentication application settings to the new device?

Most mobile operating systems have methods of restoring your data securely from one device to another. Refer to your OS's restoration directions for how to accomplish this.

In addition, some applications (like Authy) offer a separate secure method of backing up your authenticators and syncing them between devices.

If you don't think you can handle this or you are concerned something might go wrong, disable two-factor authentication in cPanel before migrating to your new device. 

Don't forget to disable your authenticator app on your old device.