
What is 2FA

Two-Factor Authentication (or 2FA, as it is often referred to) is an extra layer of security that gives users an additional level of protection when securing access to an account.


Employing a 2FA mechanism is a vast improvement in security over the Single-Factor Authentication method of simply employing a username and password. Accounts that have 2FA enabled require the user to enter a one-time passcode that is generated by an external application. The 2FA passcode (usually a six-digit number) must be entered into the passcode field before access is granted. The 2FA input is usually required directly after the username and password are entered by the client.

Video: How To Set Up Two-Factor Authentication in cPanel, by David Richards

Why is 2FA Useful?

As the usual methods of Single-Factor Authentication have increasingly come under fire due to malware, phishing, spear phishing, credential stuffing, password spraying and other attack vectors, 2FA allows the user to implement a secondary procedure to deter would-be malicious actors seeking to compromise and gain access to an account. To improve the security of stored data and personal information, many online systems currently require users to employ this option before providing access to their accounts. Some of these systems include:

  • Finance
  • Healthcare
  • Social Media
  • Business
  • Defense
  • Law Enforcement
  • US Government

As 2FA has become increasingly popular over the last few years, it has gained wide acceptance and use.


Prerequisites & Caveats

  • The use of 2FA requires a smart device with an app that supports time-based one-time passwords (TOTP). We suggest using one of the following apps, but there are multiple others to choose from.
  • Only the root user can implement the 2FA feature in WHM. Once it is enabled in WHM, individual users can enable it if they so choose.
  • Important: If a user gets the error:
    Failed to set user configuration: The security code is invalid
    An issue may exist with the date and time settings on the server. To correct this problem, use the ntpdate command in the terminal to re-synchronize your server's internal clock with the Network Time Protocol (NTP) server. 2FA requires the server time to be accurate to function properly.
  • Important: WHM’s 2FA only supports one concurrent session at a time for any user. If you have multiple browser tabs open running cPanel, and log out of one of them, the server will automatically log you out of the other tabs as well.
  • Warning: Use of this feature may cause some third-party applications to fail. It may also cause applications to improperly store data.
  • Warning: If you reconfigure 2FA for an existing cPanel account, any current 2FA configurations will no longer produce valid security codes on your local device and will need to be reset.

Enabling 2FA

On WHM

Currently, WHM provides an easy method to enable 2FA to further secure access to the cPanel platform.

First, go to Home » Security Center » Two-Factor Authentication in WHM.


You will notice that 2FA defaults to the OFF setting and begins on the Settings tab. Additionally, you will notice the Issuer text box. This is where you can modify the name of the associated service provider if you like.

Next, click the OFF button. This switches it to the ON setting, which enables 2FA. Enter the provider name you would like to use. It defaults to the current server name.

Warning: DO NOT leave the 2FA page once you select this setting as it may enable 2FA without it being properly configured, and you may be locked out of WHM. You can however navigate within this screen without issue.

Next, click on the third tab, called Manage My Account. Here is where you will configure 2FA for WHM. On this tab, you'll notice that the status is currently Not Configured. To begin, click on the Set Up Two-Factor Authentication button.


The following image will appear. This is the image you will scan with your smart device app to set up 2FA locally.

Note: Please follow the links noted above to install and configure your individual 2FA application.


Once you scan in this image, a time-based one-time password (TOTP) is created on your smart device.


The 2FA application will now show the OTP code for the site using the name of the server. Use the generated code from the app to enter the OTP into the text box entitled Security Code. Lastly, click on the Configure Two-Factor Authentication button to verify it was set up correctly.


You will then see The 2FA Security Policy is Enabled.


When coming back to WHM, you may see the following screen when trying to log in. This is normal. Enter your username and password in the fields provided and then click the Log in button.


You will then be prompted to enter in your 2FA code. Enter your code from the 2FA app and click the Continue button.


WHM will now open as normal.


On cPanel

Next, we will enable 2FA on a cPanel account. This is similar to the process used in WHM. The next steps will need to be completed by the cPanel user, as it does no good to have it enabled locally on the server owner's mobile device.

Note:
If for some reason the 2FA option is not seen in the user's cPanel interface, the server owner will need to enable it by editing the user's package in WHM's Feature Manager, as noted in the steps below.

Enable 2FA in Feature Manager

Go to Home » Packages » Feature Manager » Feature Lists.

Click on the name of the package in the Manage feature list dropdown menu (in our case, it is named default) and then click the Edit button.


Next, begin typing Two-Factor Authentication in the search box and the Google Authenticator option will be shown. Click the checkbox next to that option and then click the Save button.


This will enable the 2FA option to be seen in the user's cPanel account in the Security section as noted in the image below.


Enable 2FA in cPanel

Now, have the user open their cPanel account and click on the Two-Factor Authentication icon in the Security section. As you can see below, it states that 2FA is not configured for this account. Click on the Set Up Two-Factor Authentication button.


This will open a new screen showing the QR code they need to scan into their 2FA application.


Once they have scanned the QR code into their 2FA app, they need to then enter the 2FA code generated by the app into the Security Code text box shown below. Lastly, click the Configure Two-Factor Authentication button to complete the process.


They will then see the confirmation that 2FA is now set up on their cPanel account.


From now on, they will need to use their username, password and 2FA app code to log into cPanel.

Disable 2FA

On WHM

To disable 2FA in WHM, simply reverse the above procedure. First, go to Home » Security Center » Two-Factor Authentication in WHM. Then, click the ON button and click Save.


Next, click on the Manage My Account tab and then, click the Remove Two-Factor Authentication button.


You will then be prompted to confirm you wish to disable 2FA in WHM. Click the Continue button. This will disable 2FA in WHM.


On cPanel

To disable 2FA on a user's cPanel account, begin by clicking on the Remove Two-Factor Authentication button.


Next, a confirmation screen will be shown. To continue, click the Remove button.


Then you will see a confirmation screen stating that 2FA was removed.


Clicking Go Back then takes you back to the 2FA screen.


On the Command Line

If you are more comfortable working in the terminal, you can disable 2FA in WHM via the command line. Run this command. A returned status of "1" implies the command was a success.

root@host [~]# whmapi1 twofactorauth_disable_policy
---
metadata:
  command: twofactorauth_disable_policy
  reason: OK
  result: 1
  version: 1
root@host [~]#

To disable 2FA on a cPanel user account via the command line in our terminal, run this command using the specific username on the account. A returned status of "1" implies the command was a success.

root@host [~]# uapi --user=cpaneluser TwoFactorAuth remove_user_configuration
---
apiversion: 3
func: remove_user_configuration
module: TwoFactorAuth
result:
  data:
    tfa_removed: 1
  errors: ~
  messages: ~
  metadata: {}
  status: 1
  warnings: ~
root@host [~]#

Conclusion

Two-Factor Authentication is an excellent method to add an extra layer of security to all of your accounts. It requires a dual authentication method to gain access to an account so even if a password is compromised, 2FA is the redundancy you need to protect all of your accounts.

Should you have any issues enabling or disabling this technology, our support staff is always available to assist with any issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

We are available, via our ticketing systems at support@liquidweb.com, by phone (at 800-580-4986) or via a LiveChat.
We work hard for you so you don't have to!


About the Author: David Richards

David Richards has been an educator, a Technology Director, and now a Technical Writer for 20+ years. He’s an English major with a love for technology and helping others find ways to use technology more effectively. In his free time, Dave loves to read, play games, and spend time with his family.
