How to enable 2 Factor Authentication in Billing (2FA).

Using Two-Factor Authentication

Client accounts, users, and admins can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.

Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically from something you have (such as your phone). Requiring both to log in decreases the threat of a leaked password.

How to enable within the Client Area

To set up Two-Factor Authentication using Time-Based Tokens:

  1. From the Client Area, navigate to Hello, Name! > Security Settings.
  2. Click Click here to Enable.
  3. Select Time Based Tokens.
  4. Click Get Started.
  5. Scan the QR code with an authenticator app like Google Authenticator, Duo Mobile, or Twilio Authy.
  6. Enter the 6-digit code that the authenticator app generates.
  7. Click Submit.
  8. Record the Backup Code in a safe place.
  9. Click Close.

Lost/Unavailable Device

Clients

If a client needs to gain access to their account without their device, they can use the backup code that was provided when Two-Factor Authentication was configured. The option to Log in using Backup Code is displayed at the bottom of the two-factor authentication page after logging in with the email address and password.

If the backup code is not available, Two-Factor Authentication would need to be disabled for their account within the Admin Area. This can be disabled in the client’s Profile tab at Clients > Manage Users or, prior to WHMCS 8.0, Clients > View/Edit Clients.

Troubleshooting

The code you entered did not match what was expected. Please try again.

Seeing this error when using the Time-Based Token method means that the six-digit code your device generated does not match the six-digit code WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and on the WHMCS server are different.

You can see the time in the top-right corner of your WHMCS Admin Area. It’s taken directly from your server’s PHP configuration. You must ensure the server time is correct and the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.

Syncing the server with NTP to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

The Time-Based Token method supports time zone differences, so they are unlikely to cause problems.
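
The mismatch described above can be reproduced offline. The following added example (not WHMCS code) implements the standard RFC 6238 time-based token calculation and reports how many time steps a device clock is off from the server clock. The secret is the RFC's published test key; the function names, the 30-second step, and the zero-tolerance check are assumptions, since this page does not state how much drift WHMCS accepts.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # code length shown by the authenticator app

# Published RFC 6238 test key ("12345678901234567890"), Base32-encoded.
# Never use it for a real account.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time):
    """Return the code for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, server_time, window=0):
    """Accept the code if it matches any step within +/- window steps."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def estimate_drift_steps(secret_b32, code, server_time, max_steps=10):
    """Return how many steps the device clock is ahead (+) or behind (-)
    the server clock, or None if no step in range produces this code."""
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code):
            return k
    return None


if __name__ == "__main__":
    device_time = 1111111109          # constructed: device clock
    server_time = device_time + 60    # constructed: server one minute ahead
    code = totp(RFC_TEST_SECRET, device_time)
    print("accepted:", verify(RFC_TEST_SECRET, code, server_time))
    print("drift in steps:", estimate_drift_steps(RFC_TEST_SECRET, code, server_time))
```

A non-zero drift result means a clock needs correcting; widening the acceptance window instead also lengthens the time during which a captured code remains valid.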

The second factor you supplied was incorrect. Please try again.

Seeing this error when activating the DuoSecurity method for the first time indicates that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity’s clocks.

You can see the time in the top-right corner of your WHMCS admin area. It’s taken directly from your server’s PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.

Syncing the server with NTP to ensure the time is exactly right will resolve this. Most servers will revert to the internal hardware clock when they boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

This provides support for time zone differences, so they are unlikely to cause problems.
