How to Set Up Two-Factor Authentication

BeoHosting Team · 8 min read

Why two-factor authentication matters

Two-factor authentication (2FA) adds an extra protection layer to your accounts. Instead of relying on a password alone, 2FA requires a second factor - usually a code from your phone. Even if someone learns your password, they cannot access the account without the second factor.

Statistics show 2FA blocks 99.9% of automated attacks and 96% of phishing attacks. With the rising number of cyber threats in 2026, 2FA is not an option but a necessity for every serious online account.

Types of two-factor authentication

  • TOTP (Time-based One-Time Password): An authenticator app generates a six-digit code that changes every 30 seconds. The most secure and most recommended method.
  • SMS codes: A code is sent to your phone via SMS. Less secure than TOTP because it is vulnerable to SIM swap attacks, but better than nothing.
  • Email codes: A code is sent to your email. Useful as a backup method, but should not be the primary 2FA, since an attacker who compromises your email gets access to everything.
  • Hardware keys: A physical device (like YubiKey) that connects via USB or NFC. The most secure method, but requires buying the device.
  • Push notifications: The app sends a push notification to the phone that you approve with one tap. Used by Google, Microsoft, and other large services.

Authenticator apps - recommendations

For the TOTP method, you need an authenticator app on your phone. The best options:

Google Authenticator

  • Free, simple, works on Android and iOS.
  • Recently added cloud backup of codes via the Google account.
  • Minimalist interface without unnecessary features.

Microsoft Authenticator

  • In addition to TOTP codes, supports passwordless login for Microsoft accounts.
  • Cloud backup and recovery of codes.
  • Built-in password manager functionality.

Authy

  • Sync codes across multiple devices.
  • Encrypted cloud backup - if you lose the phone, codes are not lost.
  • Desktop app in addition to mobile.

2FA for WordPress

WordPress is the most common target for hackers because it powers over 40% of all sites. Setting up 2FA on WordPress is simple with the right plugin.

Step by step with the WP 2FA plugin

  1. Install the "WP 2FA – Two-factor Authentication" plugin from the WordPress repository (free).
  2. Activate the plugin and start the setup wizard.
  3. Choose the 2FA methods you want to offer users (TOTP, email, backup codes).
  4. Decide whether 2FA is mandatory for all users or optional.
  5. Open the authenticator app on the phone and scan the QR code the plugin displays.
  6. Enter the six-digit code from the app to confirm setup.
  7. Save the backup codes in a safe place - you will need them if you lose access to the phone.

For additional security, also consider Wordfence Security, which, in addition to 2FA, offers a firewall, malware scanning, and brute-force protection.

2FA for cPanel

cPanel has built-in support for two-factor authentication. How to enable it:

  1. Log in to cPanel (typically at yourdomain.com:2083).
  2. Find the "Security" section and click "Two-Factor Authentication".
  3. Click "Set Up Two-Factor Authentication".
  4. Open the authenticator app and scan the QR code.
  5. Enter the six-digit code for verification.
  6. Click "Configure Two-Factor Authentication" to finish setup.

From this moment on, every time you log in to cPanel, in addition to the password you will need to enter a code from the authenticator app. This protects your hosting account from unauthorized access even if your password is compromised.

2FA for email accounts

Your email account is often the "key to all other accounts" because it is used for password resets. Protecting email with 2FA is critically important.

Gmail / Google Workspace

  • Go to myaccount.google.com → Security → 2-Step Verification.
  • Google supports push notifications, TOTP codes, SMS, and hardware keys.
  • Recommendation: use Google Authenticator or a hardware key as the primary method.

Microsoft 365 / Outlook

  • Go to account.microsoft.com → Security → Advanced security options.
  • Enable two-step verification and follow the instructions.
  • Microsoft Authenticator is the best choice for the Microsoft ecosystem.

Webmail on BeoHosting

  • Enable 2FA through cPanel (as described above) - this protects access to all email accounts on your hosting plan.
  • For additional protection, use strong passwords for each email account separately.

What if you lose access to the second factor

Losing the phone with the authenticator app is a common fear. How to prepare:

  • Save backup codes: Most services give 8-10 one-time backup codes when you set up 2FA. Print them and keep them in a safe place.
  • Use Authy: Unlike Google Authenticator, Authy syncs codes in the cloud, so you can restore them on a new phone.
  • Register multiple devices: If possible, scan the QR code on two phones or tablets.
  • Contact support: Hosting providers and services have procedures to recover the account if 2FA is lost. The process typically requires identity verification.

Conclusion

Two-factor authentication is the simplest and most effective way to drastically improve the security of your online accounts. Setup takes only a few minutes, and the added protection is substantial. Start with the most important accounts - email, hosting (cPanel), and WordPress admin - and expand to other services. BeoHosting supports 2FA on all cPanel hosting plans and recommends activating this feature for all users.
