Secure your account with two-step authentication

Two-step authentication (also known as two-factor authentication) provides a more secure login process because when you (or anyone) attempts to sign in, you'll have to provide the following information:

  • The account password.
  • A single-use authorization code generated by a mobile app or an SMS text message, or authentication through a security key or biometric sensors.

This is like a cash withdrawal machine at the bank, which requires both a debit card and a personal identification number (PIN). The difference here is that you'll have to use a different authentication code every time you sign in, because an authentication code expires after it's used.

Two-step authentication can be set up for all accounts, but the store owner can't enable it for staff members. Staff members need to set it up for their own accounts.

Enabling two-step authentication

There are different ways to retrieve authentication codes to use during login:

Enable two-step authentication for SMS text messages

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, click Enable SMS authentication.

  4. Select a country code and enter your phone number in the field provided.

  5. Click Send authentication code.

  6. Check your mobile phone for an SMS text message. Retrieve the 6-digit code from the text message, and enter it under Authentication code.

  7. Enter your current password under Password confirmation and click Enable.

  8. You're provided with a list of 10 recovery codes. Save your recovery codes in a safe place and close the dialog window.

    If you don't have access to your mobile device, then using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. See Retrieving recovery codes for instructions on how to do that.

Now when you try to log in, two-step authentication will require your mobile device.

Enable two-step authentication with an authenticator app

To enable two-step authentication with an authenticator app, you'll need to download an authenticator app to your mobile device. Recommended mobile devices include:

  • Smartphones.
  • Other mobile devices on iOS, Android, Windows, or BlackBerry operating systems.

The app will be able to scan QR codes and retrieve authentication data for you. Recommended authenticator apps include:

Follow the App installation instructions from a link above carefully. Shopify support cannot help you install these third-party apps on your mobile devices. Once your app is successfully downloaded and set up, continue to activate the feature in Shopify.

Activate an authenticator app in Shopify

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, click Enable app authentication.

  4. Configure your authentication app by using one of the following methods:

    • To use the QR code provided, tap Scan a barcode, and then point your camera at the QR code on your computer screen.
    • To use manual entry, tap Enter a provided key and enter the email address of your Google Account. Then, enter the secret key on your computer screen into the box next to Key and tap ADD.
  5. Enter the six-digit code generated by the authenticator app to complete step 3 of the dialog window.

  6. Enter your current password in the space provided and click Enable.

  7. You're provided with a list of 10 recovery codes. Save your recovery codes in a safe place and close the dialog window.

    If you don't have access to your mobile device, then using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. See Retrieving recovery codes for instructions on how to do that.

Now when you try to log in, two-step authentication will require your mobile device.

Enable two-step authentication with security keys

You can use a security key that's compatible with the WebAuthn standard as a second factor for logging in to your account. To enable two-step authentication with a security key, you need a compatible browser and a compatible security key. Enrolling a new security key on your account will prompt you to activate it whenever you log in.

You can enroll multiple security keys and multiple two-step authentication methods to avoid being locked out of your account.

The following browsers are compatible with security keys:

  • Google Chrome for desktop version 67 and above
  • Mozilla Firefox for desktop version 60 and above
  • Google Chrome for Android version 73 and above
  • Mozilla Firefox for Android version 66 and above
  • Microsoft Edge version 18 and above
  • Opera version 54 and above
  • Safari Technology Preview 83 or later

Recommended device manufacturers include:

Enroll a compatible device to your Shopify account

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, click Enroll a new device.

  4. In the fields provided, enter a nickname for the device to enroll and your account password.

  5. Click Continue.

  6. You are prompted by your browser to activate your security key.

  7. Activate your security key. You are provided with a list of 10 recovery codes, which look like this:

  8. Write down your recovery codes and keep them in a safe place. If you don't have access to your security key, then using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. See Retrieving recovery codes for instructions on how to do that.

After you've completed this setup, two-step authentication will require your security key.

Setting a backup phone number (optional)

After you've set up two-step authentication on a device, you can set up a backup mobile phone to receive authentication codes by SMS. This is useful when your primary mobile device is unavailable.

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, click Enable backup phone.

  4. Select a country code and enter your backup phone number in the field provided.

  5. Click Confirm.

  6. Check your mobile phone for an SMS text message. Retrieve the 6-digit code from the text message, and enter it under Authentication code.

  7. Enter your current password under Password confirmation and click Enable.

Retrieving recovery codes

At any time while logged in to your account, you can retrieve the list of the 10 recovery codes we showed you when you activated two-step authentication.

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, click View recovery codes.

Logging in with two-step authentication

When two-step authentication is enabled, your login experience changes slightly.

Steps:

Disabling two-step authentication

Steps:

  1. From your Shopify admin, click your username and account picture.
  2. Do one of the following:

    • Click Your account > Security.
    • Click Your profile.
  3. In the Two-step authentication section, use the disable button for the authentication method you want to disable. For example, to disable authentication using the authenticator app, click Disable app authentication.

  4. Enter your password when prompted and then click Disable.

Problems logging in with two-step authentication?

When you activated two-step authentication, we generated 10 recovery codes for you. You can use a recovery code instead of the 6-digit code generated by your mobile app to log in.

Locked out of your account?

If you don't have access to your phone, your backup devices, or your recovery codes, then you will be locked out of your account.

  • If you're the store owner

    You will have to wait 1 hour before trying to log in again. If you think that your store has been maliciously taken over, then contact our support team right away.

  • If you're a staff member

    Ask the store owner to disable your two-step authentication so you can log in again.
