How to Configure and Use Two-Factor Authentication in cPanel

Online criminals love to target web servers, and they will exploit any security vulnerability to break into them, steal data, and misuse resources. cPanel & WHM includes many powerful security features to help server administrators keep criminals out, including a robust two-factor authentication (TFA) system.

What is Two-Factor Authentication?

Two-factor authentication enhances server security by asking users to provide a unique code, supplied by an app on their phone, when they log in.

When two-factor authentication is turned off, cPanel & WHM asks users to enter two pieces of information: a public username and a private password. If no one except the user knows the password, it proves they are who they claim to be. Password-based “one-factor” authentication is secure if the password is tough to guess and users really do keep it secret.

However, users sometimes create security vulnerabilities because they choose passwords that are easy to guess, store them insecurely, or share them with other people. TFA adds another authentication factor, a one-time code generated by an app that can’t be guessed or shared because it changes thousands of times a day. 

Entering the code proves the user has the mobile device with the app installed while logging in. They verify their identity with both “something they know,” the password, and “something they have,” the phone the app is installed on.

Two-factor authentication works because the authenticator app and cPanel & WHM share a secret key. cPanel creates the key, which is added to the app via a QR code or entered as a string of digits. With some complicated math, cPanel and the app can then simultaneously generate the same one-time code. When you log in, the codes are compared, and if they match, you’re authenticated.

Two-factor authentication is much more secure than password-based logins, but it is also less convenient. Your users will have to install an app and use it every time they log in. It’s up to the server administrator or hosting provider to decide whether the inconvenience is worth the increase in security.

What You’ll Need to Use Two-Factor Authentication with cPanel

To use two-factor authentication in cPanel, your hosting provider or server administrator must first activate and configure it in WHM. We’ll show you how to do that in the next section.

You will also need a two-factor authentication app to provide the one-time code. There are several available for mobile devices, including:

How to Activate Two-Factor Authentication in WHM

You will find the Two-Factor Authentication configuration page under Security in the WHM sidebar menu. It’s turned off by default, so first, we need to flip the switch to activate it.

The TFA page also includes management and configuration options:

  • The Manage User tab is used to turn TFA on and off for cPanel users who have activated it.
  • The Manage My Account tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we’ll go into more detail in the next section.

In most cases, that’s all you have to do to make two-factor authentication available to cPanel & WHM users. However, if you previously disabled it in Feature Manager, you may need to re-enable it.

Navigate to the Feature Manager under Packages in the sidebar menu. Click edit with the Default list selected in the dropdown menu.

Search for Two-Factor Authentication, make sure the adjacent box is checked, and click the Save button.

How to Configure and Use and TFA in cPanel

When the TFA feature is activated in WHM, a new menu item is added to the Security section of cPanel’s main menu. This is where you will set up TFA for your user or turn it off if you decide you no longer need it.

Click the Set Up Two-Factor Authentication button, and you’ll be taken to a page with the information your mobile authenticator app needs, encoded as a QR code.

How you enter this information is different in each app, but you should look for a plus (+) button in the app’s interface and then select “scan barcode” or “scan QR code.“ Point your phone’s camera at the QR code, and the app will read it.

If your app can’t read the QR code, manually enter the Account and Key information displayed below the QR code.

Your app should display a six-digit code that changes every 30 seconds. To finalize the configuration, enter the code into the Security Code field at the bottom of the page and click Configure Two-Factor Authentication.

That’s it! Next time you log in to cPanel, you’ll be asked to supply a code from your app in addition to your username and password.

Two-factor authentication significantly reduces the likelihood of a server being compromised with shared or lost passwords. It also offers complete protection from password-guessing attacks, including automated brute-force and dictionary attacks. With cPanel & WHM, you can activate TFA in minutes, protecting your server’s resources and reducing the amount of time you spend supporting users with compromised hosting accounts.

As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.