Introduction

Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically something you have (such as your phone). Since you require both to log in, this decreases the threat of a leaked password.

WHMCS includes three Two-Factor Authentication services.

Time Based Tokens

One of the most common and simplest forms of Two-Factor Authentication is Time Based Tokens. With Time Based Tokens, in addition to your regular username and password, you also have to enter a 6-digit code that regenerates every 30 seconds. Only your token device (typically a mobile smartphone app) will have your secret key and be able to generate valid one-time passwords for your account. We recommend enabling Time Based Tokens (WHMCS enables this by default).

DuoSecurity

With DuoSecurity, the system will prompt you for a phone number and present an option to receive a text or phone call. After you receive the text or phone call, input the authentication code to proceed. A second optional page at initial login will prompt to download the DuoSecurity mobile application. This application performs push notifications, allowing you to restrict or allow access under your user from your phone.

For more information, see Duo Security.

YubiKey

YubiKey creates a one time password in a USB drive that acts as a keyboard to your computer. These are physical devices that you must purchase from Yubico directly. A purchase link is available in WHMCS.

Enabling Two-Factor Authentication

Time Based Tokens Configuration

To enable Two-Factor Authentication on an installation, follow the steps below:

1. From the Admin Area, begin by navigating to Setup > Staff Management > Two-Factor Authentication.
2. Click the Activate button under the service that you would like to enable.
3. Select one or both of the Enable for use by Clients and Enable for use by Administrative Users options.
4. If applicable, complete any additional Configuration Settings.
5. Click on the Save button.

You can repeat these steps for each service that you would like to enable.

Global Two-Factor Authentication Settings

The Global Two-Factor Authentication Settings options allow you to forcibly enable Two-Factor Authentication for Client or Administrator Users on their next login.

To use this feature, select your options and click the Save Changes button. If a user has not yet configured Two-Factor Authentication, the system will force them to the next time they sign in to WHMCS.

Using Two-Factor Authentication

Clients and Administrator Users can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.

Within the Client Area

Configuring Time Based Tokens in Client Area

The following steps demonstrate how Client Users can set up Two-Factor Authentication on their accounts using the Time Based Tokens service:

1. From the Client Area, navigate to Hello, Name! > Security Settings.
2. Click on the Click here to Enable button.
3. Select the Time Based Tokens service.
4. Click on the Get Started button.
5. Scan the QR code with an authenticator app, such as Google Authenticator or Duo Mobile.
6. Enter in the 6-digit code that the authenticator app generates.
7. Click on the Submit button.
8. Record the Backup Code in a safe place.
9. Click the Close button.

Within the Admin Area

Configuring Time Based Tokens in Admin Area

Administrator Users can perform the following actions to set up Two-Factor Authentication on their accounts using the Time Based Tokens service:

1. From the Admin Area, navigate to the My Account section.
2. Toggle the Two-Factor Authentication setting to On.
3. Select the Time Based Tokens service.
4. Click on the Get Started button.
5. Scan the QR code with an authenticator app, such as Google Authenticator or Duo Mobile.
6. Enter in the 6-digit code that the authenticator app generates.
7. Click on the Submit button.
8. Record the Backup Code in a safe place.
9. Click the Close button.

Troubleshooting

The code you entered did not match what was expected. Please try again.

Seeing this error when using the time based tokens method means that the 6 characters your device generated do not match the 6 numbers WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and on the WHMCS server are different.

You can see the time in the top-right corner of your WHMCS Admin Area. It's taken directly from your server's PHP configuration. You must ensure the server time is correct, and the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.

Syncing the server with NTP to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

This provides support for time zone differences, so they are unlikely to cause problems.

The second factor you supplied was incorrect. Please try again.

Seeing this error when activating the DuoSecurity method for the first time means that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity's clocks.

You can see the time in the top-right corner of your WHMCS admin area. It's taken directly from your server's PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.

Syncing the server with NTP to ensure the time is exactly right will resolve this. Most servers will revert to the internal hardware clock when they boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

This provides support for time zone differences, so they are unlikely to cause problems.