Secure your account with two-step authentication

Two-step authentication (also known as two-factor authentication) provides a more secure login process because when you (or anyone) attempts to sign in, you'll have to provide two pieces of information:

  • the account password
  • a single-use authorization code generated by a mobile app or an SMS text message.

This is like a cash withdrawal machine at the bank, which requires both a debit card and a personal identification number (PIN). The difference here is that you'll have to use a different authentication code every time you sign in, because an authentication code expires after it's used.

You can enable two-step authentication on any or all staff accounts. For example, you might use two-step authentication as the account owner, but not require your employees to enable it.

Enabling two-step authentication

There are two different ways to retrieve authentication codes to use during login. You can either use SMS text messages or an authenticator app.

Enable two-step authentication for SMS text messages

There are two steps to safely enabling two-step authentication for SMS text messages. Each staff member using two-step authentication should do these steps.

Step 1. Activate the feature in Shopify

Step 2. Alternate ways to sign in (optional)

Step 1. Activate the feature in Shopify

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name.

  3. Scroll to the section Two-step authentication and click Enable two-step authentication.

  4. Enter your account password to continue.

  5. A new dialog window opens. Click anywhere in the box labeled SMS Delivery.

  6. Click Next.

  7. Under the header Phone number, enter your mobile phone number.

  8. Click Send Code.

  9. Check your mobile phone for an SMS text message. Retrieve the 6 digit code from the text message, and enter it in step 2 of the dialog window.

  10. Click Confirm.

  11. You'll be provided with a list of 10 recovery codes.

    Write down your recovery codes and keep them in a safe place. In the event that you lose your mobile device, or don't have it with you one day, using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    Note

    Each recovery code can be used only once.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. To do that, read about retrieving recovery codes.

  12. Click Set Backup Phone (optional).

  13. Enter an alternate phone number. Only use a trusted number, like your spouse's, business partner's, or a close friend's.

  14. Click Confirm.

That's it. Now when you try to log in, two-step authentication will require your mobile device. Learn more.

Enable two-step authentication with an authenticator app

There are two steps to safely enabling two-step authentication for an authenticator app. Each staff member using two-step authentication should do these steps.

Step 1. Download and install an authenticator app

Step 2. Alternate ways to sign in (optional)

Download and install an authenticator app

You'll need to download an authenticator app to your mobile device. Recommended mobile devices include:

  • smartphones
  • other mobile devices on iOS, Android, Windows, or BlackBerry operating systems.

The app will be able to scan QR codes and retrieve authentication data for you. Here are some recommended authenticator apps; you can follow the links to download and install them:

Tip

The authenticator app for BlackBerry devices does not scan QR codes – we'll provide a secret key for you to enter manually.

Follow the app installation instructions from a link above carefully. Shopify support cannot help you install these third-party apps on your mobile devices. Once your app is successfully downloaded and set up, continue to Activate the feature in Shopify.

Activate the feature in Shopify

Now that you've downloaded and configured the authenticator app to work on your mobile device, you'll be able to activate two-step authentication in Shopify. To activate it:

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name.

  3. Scroll to the section Two-step authentication and click Enable two-step authentication.

  4. Enter your account password to continue.

  5. A new dialog window opens. Click anywhere in the box labeled Authenticator App.

  6. Click Next.

  7. A dialog window will open.

    Note

    If you haven't already downloaded an authenticator app, follow this link for instructions before continuing.

  8. Complete step 2 of the dialog window.

    • Using QR code: in the app, tap Scan QR code and then point your camera at the QR code on your computer screen.
    • Using Manual Entry: in Shopify, click Click here to display to retrieve the secret key. Then in your mobile app, tap Manual Entry and enter the email address of your Google Account. Then, enter the secret key shown on your computer screen into the box next to Key and tap Done.

  9. Enter the six-digit code generated by the app to complete step 3 of the dialog window.

  10. Click Confirm.

  11. You'll be provided with a list of 10 recovery codes.

    Write down your recovery codes and keep them in a safe place. In the event that you lose your mobile device, or don't have it with you one day, using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    Note

    Each recovery code can be used only once.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. To do that, read about Retrieving Recovery Codes.

  12. Click Set Backup Phone (optional).

  13. Enter an alternate phone number. Only use a trusted number, like your spouse's, business partner's, or a close friend's.

  14. Click Confirm.

That's it. Now when you try to log in, two-step authentication will require your mobile device. Learn more.

Alternate ways to sign in

This section covers options that you can take advantage of for:

Setting a backup phone number (optional)

Note

You must already be logged in to set up a backup phone number.

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name.

  3. Scroll to the section Two-step authentication and click Enable two-step authentication.

  4. Beside Backup phone, click Setup.

  5. Enter your account password to continue.

  6. Click Confirm.

  7. Under the header Phone number, enter your backup mobile phone number.

  8. Click Confirm.

Retrieving Recovery Codes

Note

You must already be logged in to retrieve a copy of your recovery codes.

At any time, while logged in to your account, you can retrieve the list of the 10 recovery codes we showed you when you activated two-step authentication. To retrieve the list:

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name / Staff account.

  3. Scroll down to the Two-step authentication header, then click Show.

Logging in with two-step authentication

When two-step authentication is enabled, your login experience changes slightly. Here's how to log in to Shopify:

Disabling two-step authentication

If you'd like to return to a simple email/password login, you must disable two-step authentication:

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name / Staff account.

  3. Under the Two-step authentication header, click Disable.

  4. Confirm by clicking Disable Two-Step Authentication.

  5. Enter your account password to complete the disable.

Change your device

If you're planning on getting a new phone, for example, you can change the device that you use for two-step authentication.

  1. From your Shopify admin, click Settings, then click Account.

  2. Click your name / Staff account.

  3. Under the Two-step authentication header, click Change device.

  4. Enter your account password to continue.

  5. Follow this link and do the 3 main steps required to enable two-step authentication on your new device.

Note

Once your new mobile device is set up, the previous device will no longer function for two-step authentication on this Shopify account.

Problems logging in with two-step authentication?

When you activated two-step authentication, we generated 10 recovery codes for you. You can use a recovery code instead of the 6-digit code generated by your mobile app to log in.

Note

Each recovery code can be used only once.

Locked out of your account?

If you don't have access to your phone, your backup devices, or your recovery codes, you will be locked out of your account.

  • If you're the account owner: You will have to wait 1 hour before trying to log in again. If you think that your store has been maliciously taken over, then contact our support team at once.
  • If you're a staff member: Ask the account owner to disable your two-step authentication so you can log in again.
