Two-factor authentication (2FA) adds an extra layer of security to your cPanel and webmail accounts. With 2FA enabled, logging in requires both your password and a time-based one-time code from an authenticator app on your phone — so even if someone steals your password, they can't access your account.
What You'll Need
- Access to your cPanel account (see How to Log In to cPanel)
- A smartphone or tablet
- An authenticator app installed on your device:
Setting Up 2FA in cPanel
Step 1: Log In to cPanel
Navigate to yourdomain.com/cpanel or log in via your Cynet client area (see How to Log In to cPanel).
Step 2: Open Two-Factor Authentication
In the cPanel dashboard, scroll to the Security section and click Two-Factor Authentication.
Step 3: Set Up Your Authenticator App
Click the Set Up Two-Factor Authentication button. cPanel will display:
- A QR code — Scan this with your authenticator app
- A secret key — Use this if you can't scan the QR code (e.g., setting up on the same device)
In your authenticator app:
- Tap the + (add) button
- Select Scan QR code (or Enter setup key if typing manually)
- Point your camera at the QR code on screen
Important: Save the secret key somewhere safe (e.g., a password manager). You'll need it to restore your authenticator if you lose or replace your phone.
Step 4: Verify and Activate
- In your authenticator app, find the 6-digit code for your cPanel account
- Enter the code in the Security Code field on the cPanel 2FA setup page
- Click Configure Two-Factor Authentication
How 2FA Works After Setup
Once 2FA is enabled, your login process changes:
- Go to yourdomain.com/cpanel and enter your username and password as usual
- A second screen appears asking for your 6-digit security code
- Open your authenticator app, find the code, and enter it
- Click Continue to log in
Tip: Codes refresh every 30 seconds. If a code is about to expire, wait for the next one to avoid timing issues.
2FA for Webmail
Enabling 2FA in cPanel automatically protects your webmail login as well. When you access webmail at yourdomain.com/webmail or yourdomain.com:2096:
- Enter your email address and password
- You'll be prompted for the 6-digit code from your authenticator app
- Enter the code and click Continue
Note: 2FA for webmail uses the same authenticator entry as cPanel — you don't need to set up a separate entry.
Setting Up 2FA for Individual Email Accounts
If you have additional email accounts (e.g., [email protected], [email protected]), each email user can enable 2FA for their own webmail access:
Step 1: Log In to Webmail
Go to yourdomain.com/webmail and log in with the email account's full email address and password.
Step 2: Open Two-Factor Authentication
In the Webmail interface, click the Two-Factor Authentication option in the top navigation or settings area.
Step 3: Follow the Setup Steps
The setup process is the same as in cPanel:
- Click Set Up Two-Factor Authentication
- Scan the QR code with your authenticator app
- Enter the 6-digit verification code
- Click Configure Two-Factor Authentication
Disabling 2FA
If you need to remove 2FA (e.g., switching phones or troubleshooting):
From cPanel
- Log in to cPanel
- Go to Security → Two-Factor Authentication
- Click Remove Two-Factor Authentication
- Confirm the removal
From Webmail (for email accounts)
- Log in to webmail
- Go to Two-Factor Authentication
- Click Remove Two-Factor Authentication
- Confirm the removal
Warning: After removing 2FA, your account is protected by password only. Re-enable 2FA as soon as possible if you're switching to a new device.
Reconfiguring 2FA on a New Phone
If you get a new phone or reset your device:
Option 1: Use the Saved Secret Key
- Install your authenticator app on the new phone
- Add a new account manually using the secret key you saved during setup
- Your new phone will generate valid codes immediately
Option 2: Remove and Re-setup
- Log in to cPanel (if you still have access via the old phone or a logged-in session)
- Go to Security → Two-Factor Authentication
- Click Remove Two-Factor Authentication
- Set it up again with your new phone by following the setup steps above
Option 3: Contact Support
If you're completely locked out (lost phone, no saved secret key, no active session):
- Contact Cynet Support via live chat or email
- We'll verify your identity and disable 2FA on your account
- You can then log in and set up 2FA again with your new device
Best Practices
- Save your secret key in a password manager when setting up 2FA — this is your recovery backup
- Use Authy if you want cloud-synced backup of your 2FA codes across multiple devices
- Enable 2FA on your Cynet client area as well for full account protection
- Don't share screenshots of your QR code or secret key — treat them like passwords
- Set up 2FA for all email accounts, not just the main cPanel login
Troubleshooting
"Invalid security code" when logging in
- Make sure the time on your phone is correct — 2FA codes are time-based. Enable automatic date & time in your phone's settings
- Enter the code quickly before it refreshes (codes change every 30 seconds)
- Ensure you're using the correct authenticator entry — if you have multiple accounts, pick the right one
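Why a wrong phone clock produces "Invalid security code", shown as an added example (not cPanel's code and not part of the original guide). It assumes standard RFC 6238 codes with HMAC-SHA1 and a server that tolerates one 30-second step of drift; the secret, the timestamps and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (from this page)
DIGITS = 6   # code length (from this page)

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# a setup page would display it. Never use it for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time):
    """RFC 6238 code for one moment; HMAC-SHA1 is an assumption."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time // STEP)          # number of 30 s steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def clock_drift_steps(secret_b32, code, server_time, search=10):
    """Return how many 30 s steps the code is off from server time, or None."""
    for steps in sorted(range(-search, search + 1), key=abs):
        expected = totp(secret_b32, server_time + steps * STEP)
        if hmac.compare_digest(expected, code):
            return steps
    return None


def verify(secret_b32, code, server_time, window=1):
    """Accept a code within `window` steps of server time (assumed tolerance)."""
    return clock_drift_steps(secret_b32, code, server_time, search=window) is not None


if __name__ == "__main__":
    server_now = 1111111111                   # constructed timestamp
    late_code = totp(SECRET, server_now - 2)  # phone 2 s behind, previous step
    print(late_code, verify(SECRET, late_code, server_now, window=0))
    print(clock_drift_steps(SECRET, late_code, server_now))
```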
Locked out of cPanel after enabling 2FA
- Try the code again — make sure your phone's clock is synced
- Use the secret key you saved to add the account to another authenticator app
- If you're completely locked out, contact Cynet Support to have 2FA disabled on your account
2FA prompt not appearing at login
- 2FA may not be fully configured — log in to cPanel and check Security → Two-Factor Authentication to verify the status
- Clear your browser cache and try again
- Try a different browser or incognito mode
Lost phone with no backup
- Contact Cynet Support immediately — we'll verify your identity and remove 2FA so you can regain access
- After regaining access, set up 2FA again and save the secret key this time