
Two-Factor Authentication

Two-factor authentication, also known as 2FA or two-step verification, is an optional feature designed to prevent anyone but you from accessing your hosting account by requiring two forms of identity verification: your password and an authentication code. 2FA is ideal for anyone looking to increase their account security because stealing your password isn't enough for a hacker to access your account. They would also need access to your mobile device or email account, depending on how you set it up.

This article explains everything you need to know about two-factor authentication and how you can use it on your account.

How Does It Work?

Once two-factor authentication is enabled, logging in to your account will work a bit differently. You'll enter your Bluehost username and password as usual, and then you'll be prompted to enter a 2FA authentication code that you'll get from an app on your mobile device or your email. Enter the 6-digit single-use code to complete the login process and access your account. Google Authenticator refreshes the code every 30 seconds, but the refresh rate varies per app. Regardless of the refresh rate, each code is valid for 5 minutes.
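The timing described above (a code that refreshes every 30 seconds but is accepted for 5 minutes, and only once) can be sketched as follows. This is an added example, not Bluehost's code: it assumes the standard RFC 6238 TOTP algorithm that Google Authenticator implements, the `Verifier` class and its window logic are hypothetical, and the secret is the public RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

STEP = 30          # seconds between code refreshes in Google Authenticator
VALID_FOR = 300    # seconds a code stays acceptable (the 5 minutes stated above)
DIGITS = 6
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed sample: RFC 6238 test key

def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 code for the 30-second step that contains Unix time `at`."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", at // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check: accept a code for VALID_FOR seconds, once."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_used_step = -1               # newest step already consumed

    def verify(self, code: str, now: int) -> bool:
        code = code.replace(" ", "")           # users often type "123 456"
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        current = now // STEP
        oldest = max(current - VALID_FOR // STEP, 0)
        # Walk back from the current step over every step still inside the window.
        for step in range(current, oldest - 1, -1):
            if step <= self.last_used_step:
                break                          # this step and older ones are spent
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step     # single use: block replays
                return True
        return False

if __name__ == "__main__":
    t = 1111111109                             # timestamp from the RFC 6238 test vectors
    v = Verifier(SECRET)
    code = totp(SECRET, t)
    print(code, v.verify(code, t + 290), v.verify(code, t + 290))
```

The wide acceptance window tolerates clock drift and slow typing, and the `last_used_step` check is what keeps a code single-use within that window.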

You'll be prompted to provide an authentication code in three situations:

  • When a login attempt is made.
  • Upon an attempt to enable or disable two-factor authentication.
  • To validate you're an authorized user on an account when you contact one of our support teams for assistance. In this situation, the authentication code is referred to as a validation token.

Enable Two-Factor Authentication

Two-factor authentication can be enabled separately for the main account password, the billing password, and each hosting password. However, you can only enable it for the password you used to log in to the account.

Mobile Device Setup

Most users prefer to use an authenticator app (like Google Authenticator) on their mobile device to retrieve the code for 2FA. An authenticator app allows you to access the code at any time, even without internet access. After you've installed an authenticator app, follow the steps below to set up 2FA and link your Bluehost account to your device:

  1. Log in to your Bluehost account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Use the authenticator app to scan the QR code or manually enter the Secret Key to add your Bluehost account to your device.
  6. Enter the 6-digit code displayed in the app and click Verify Token.

Email Setup

If you'd prefer to receive authentication codes by email, you can set up 2FA to send authentication codes to the email address of your choice. To make your account more secure, we recommend using an email address different from the one listed in the Account Profile.

  1. Log in to your Bluehost account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Next to "Don't have a smartphone?", click Click Here to be taken to email setup.
  6. Enter your email address and click Update to have a code emailed to you.
  7. Check your email for the authentication code.
  8. Enter the 6-digit code found in the email and click Verify Token.

How to Disable Two-Factor Authentication

You can disable two-factor authentication by following these steps:

  1. Log in to your Bluehost account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Click Disable Two-Factor Authentication.
  6. Enter the current authentication code and click Disable Two-Factor Auth.

Frequently Asked Questions

Why do I need to enable two-factor authentication?

You don't need to enable two-factor authentication; it's entirely optional. However, it's more common than you realize for a hacker to gain access to your password, so requiring an extra step will protect your account from unauthorized access.

Can I use a different two-factor smartphone application to do this?

Yes, there are several authenticator apps that can be used for this purpose; Google Authenticator is just one we prefer.

I entered the code but then I was redirected to the login screen. What's going on?

The code you entered is outdated or invalid. Individual codes are valid for about 5 minutes, even though Google Authenticator will refresh every 30 seconds and other apps may refresh at a different rate. Check the app or your email to be sure you're using the most recent code. If you have multiple accounts set up on the mobile app, make sure you're using the code for the correct account and that there aren't any spaces.

I'm locked out of my account and can't get a new code. What do I do?

This can happen if you've deleted the account from Google Authenticator (or the app of your choice), if you lost your phone, or for various other reasons. But we can help! Please contact our customer service at 888-401-4678 for further assistance.

Will this prevent my websites from being hacked?

No. Enabling two-factor authentication prevents unauthorized persons from accessing your hosting account, but won't prevent criminals from hacking directly into your website by exploiting vulnerabilities in outdated scripts or plugins.

What else can I do to strengthen my account security?

There are many ways that you can keep your account safe. Here are a few tips:

  • Keep your software and scripts up to date.
  • Don't reuse passwords.
  • Don't share your account's password with anyone.
  • Use a password manager.
  • Don't click the links in suspicious or unexpected emails.
  • Be careful of what you download from the internet.
  • Beware of phishing attempts.