HostMonster Web Hosting Help

Two-Factor Authentication

Two-factor authentication, also known as 2FA or two-step verification, is an optional feature designed to prevent anyone but you from accessing your hosting account by requiring two forms of identity verification: your password and an authentication code. 2FA is ideal for anyone looking to increase their account security because stealing your password isn't enough for a hacker to access your account. They would also need access to your mobile device or email account, depending on how you set it up.

This article explains everything you need to know about two-factor authentication and how you can use it on your account.



How Does It Work?

Once two-factor authentication is enabled, logging in to your account will work a bit differently. You'll enter your HostMonster username and password as usual, and then you'll be prompted to enter a 2FA authentication code which you'll get from an app on your mobile device or your email. Enter the 6-digit single-use code to complete the login process and access your account. Google Authenticator refreshes the code every 30 seconds, but the refresh rate varies per app. Regardless of the refresh rate, each code is valid for 5 minutes.

You'll be prompted to provide an authentication code in three situations:

  • When a login attempt is made.
  • Upon an attempt to enable or disable two-factor authentication.
  • To validate you're an authorized user on an account when you contact one of our support teams for assistance. In this situation, the authentication code is referred to as a validation token.

Enable Two-Factor Authentication

Two-factor authentication can be enabled separately for the main account password, the billing password, and each hosting password. However, you can only enable it for the password you used to log in to the account.

Mobile Device Setup

Most users prefer to use an authenticator app (like Google Authenticator) on their mobile device to retrieve the code for 2FA. An authenticator app allows you to access the code at any time, even without internet access. After you've installed an authenticator app, follow the steps below to set up 2FA and link your HostMonster account to your device:

  1. Log in to your HostMonster account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Use the authenticator app to scan the QR code or manually enter the Secret Key to add your HostMonster account to your device.
  6. Enter the 6-digit code displayed in the app and click Verify Token.

Email Setup

If you'd prefer to receive authentication codes by email, you can set up 2FA to send authentication codes to the email address of your choice. To make your account more secure, we recommend using an email address different from the one listed in the Account Profile.

  1. Log in to your HostMonster account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Next to "Don't have a smartphone?" Click Click Here to be taken to email setup.
  6. Enter your email address and click Update to have a code emailed to you.
  7. Check your email for the authentication code.
  8. Enter the 6-digit code found in the email and click Verify Token.

How to Disable Two-factor Authentication

You can disable two-factor authentication by following these steps:

  1. Log in to your HostMonster account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
  5. Click Disable Two-Factor Authentication.
  6. Enter the current authentication code and click Disable Two-Factor Auth.

Frequently Asked Questions

Why do I need to enable two-factor authentication?

You don't need to enable two-factor authentication; it's entirely optional. However, it's more common than you realize for a hacker to gain access to your password, so requiring an extra step will protect your account from unauthorized access.

Can I use a different two-factor smartphone application to do this?

Yes, there are several authenticator apps that can be used for this purpose; Google Authenticator is just one we prefer.


I entered the code but then I was redirected to the login screen. What's going on?

The code you entered is outdated or invalid. Individual codes are valid for about 5 minutes, even though Google Authenticator will refresh every 30 seconds and other apps may refresh at a different rate. Check the app or your email to be sure you're using the most recent code. If you have multiple accounts set up on the mobile app, make sure you're using the code for the correct account and that there aren't any spaces.


I'm locked out of my account and can't get a new code. What do I do?

This can happen if you've deleted the account from Google Authenticator (or the app of your choice), if you lost your phone, or for various other reasons. But we can help! Please contact the Billing Department for further assistance.


Will this prevent my websites from being hacked?

No. Enabling two-factor authentication prevents unauthorized persons from accessing your hosting account, but won't prevent criminals from hacking directly into your website by exploiting vulnerabilities in outdated scripts or plugins.


What else can I do to strengthen my account security?

There are many ways that you can keep your account safe. Here are a few tips:

  • Keep your software and scripts up to date.
  • Don't reuse passwords.
  • Don't share your account’s password with anyone.
  • Use a password manager.
  • Don't click the links in suspicious or unexpected emails.
  • Be careful of what you download from the internet.
  • Beware of phishing attempts
Knowledgebase Article 24,702 views bookmark tags: account password security


Was this resource helpful?

Did this resolve your issue?


Please add any other comments or suggestions about this content:





Recommended Help Content

Accessing your account is as easy as entering your domain name and password on the login screen, or clicking one of our Single Sign-On options.
Knowledgebase Article 31,294 views tags: authentication factor login management password sign single sso

Validation tokens are an easy way to validate you're an authorized user.
Knowledgebase Article 14,615 views tags: account password security

What can I do to increase my Site Security while hosting with HostMonster?
Knowledgebase Article 229,556 views tags: antivirus basic hacked keyloggers malware php security site

Related Help Content

Strong passwords: How to create and use them.
Knowledgebase Article 298,225 views tags: create increase measure meter pass password strength strong

Where do I Change my Mailbox (Size) Quota? How do I Increase or Decrease Mailbox (Storage) Quota?
Knowledgebase Article 220,511 views tags: account change decrease email increase mailbox quota size

Instructions for restting your Email Account's Password through cPanel or Webmail
Knowledgebase Article 319,836 views tags: email forgot password reset webmail

This article explains the different password types for your hostmonster account.
Knowledgebase Article 44,055 views tags: billing cpanel hosting main password

This article will explain how to change the password for a database in the event that the original password is lost.
Knowledgebase Article 60,360 views tags: database mysql password

How to use use the FTP Account tool to create additional FTP Accounts. This is useful for granting FTP access to your account without giving anyone your cPanel password.
Video "How-to" Tutorial 701,781 views tags: account accounts cpanelutilities ftp login publish upload

What should I do if I am having problems with multiple password prompts on my password protected directory?
Knowledgebase Article 94,533 views tags: folder password protect

How do I change my Control Panel password?
Knowledgebase Article 540,963 views tags: change cpanel password passwords protect