Two Factor Authentication

We are WHMCS, the complete web hosting automation solution

What is Two-Factor Authentication?

Two-factor authentication adds an additional layer of security by introducing a second step to your login. It takes something you know (i.e.: your password), and adds a second factor, typically something you physically have (such as your phone). Since both are required to log in, in the event an attacker obtains your password two-factor authentication would stop them for accessing your account.

Why do you need it?

Passwords are increasingly easy to compromise. They can often be guessed or leaked, they usually don’t change very often, and despite advice otherwise, many of us have favorite passwords that we use for more than one thing. So Two-factor authentication gives you additional security because your password alone no longer allows access to your account.

How does it work?

There are many different options available, and in WHMCS we support more than one so you have the choice. But one of the most common and simplest to use is time based one-time passwords. With these, in addition to your regular username & password, you also have to enter a 6 digit code that changes every 30 seconds. Only your token device (typically a mobile smartphone) will know your secret key, and be able to generate valid one time passwords for your account. And so your account is far safer.


Duo Security enables your users to secure their logins and transactions using their smartphones. The Duo Mobile smartphone application is free and available on all major smartphone platforms, and lets users easily generate passcodes without the cost and hassle of hardware tokens. iPhone, Android, BlackBerry, and Windows Phone users can use Duo Push which “pushes” login or transaction details to the phone, allowing for immediate, one-tap approval.

Older devices like cellphones and landlines are also fully supported. Duo can send passcodes via text message, or place a phone call — users just press a button on their keypad to authenticate.

Secure & Reliable

Duo Security takes security, reliability, and privacy very seriously. The service operates completely independently from primary authentication, which mean that Duo never sees users’ passwords or any personally identifying information. Duo is hosted by PCI DSS Level 1- and ISO 27001‑certified, SAS70 Type II‑audited service providers, across multiple geographic regions and independent power grids.

To find out more and to create an account, visit

Time Based Tokens

WHMCS’ Time Based Tokens work with any OATH software such as Google Authentication for Android, or Apple’s OATH Token App for example.
Once activated, users will be required to provide a second form of Authentication that only they have access to. This Authentication comes
in the form of a 6 digit passcode that expires every 30 seconds.

How does it work?

Upon initial signing once Token Based Two Factor Authentication is actived, users will be presented with a QR code to scan using their smartphone or tablet device.
Once this is scanned, their device will then store authorization to generate a pass code and authentication to your WHMCS installation.
Every 30 seconds, a new 6 digit code will be generated through their OATH application of choice which will be used as their second form
of Authentication during login to your WHMCS.

Why do I need this?

Many individuals tend to use the same password for all of their login points. In the event that a malicious users gains access to one
login of you or your staff, they could potentially gain access to all other login-required sites – Like your WHMCS.

Two-Factor Authentication puts a stop to that by requiring users who succesfully login in with a user & password combintation to use
a physical device they posses for futher verification.

Token Based Two-Factor Authentication is just $1.50 a month for unlimited users

Yubikey Authentication

A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords

» Seamless Integration into WHMCS Authentication
» Works instantly, no need to re-type pass codes from a device
» Identified as a USB-keyboard, no client software or drivers needed
» Minimzed size; 2mm thin, 3 grams
» Integration within minutes with free and open source server software
»Two slots for multiple configurations: OATH, Challenge-Response etc
» Manufactured in USA and Sweden with best practice security processes
» Practically indestrubtible; waterproof, crush safe, no battery

Yubikeys start from just $40 per user