Secure your account with two-step authentication

Two-step authentication (also known as two-factor authentication) provides a more secure login process because when you (or anyone) attempt to sign in, you'll have to provide the following information:

  • The account password.
  • A single-use authorization code generated by a mobile app or an SMS text message.

This is like a cash withdrawal machine at the bank, which requires both a debit card and a personal identification number (PIN). The difference here is that you'll have to use a different authentication code every time you sign in, because an authentication code expires after it's used.

Two-step authentication can be set up for all accounts, but the account owner can't enable it for staff members. Staff members need to set it up for their own accounts.

Enabling two-step authentication

There are two different ways to retrieve authentication codes to use during login: by SMS text message or with an authenticator app.

Enable two-step authentication for SMS text messages

To enable two-step authentication:

  1. From your Shopify admin, go to Settings > Account.

  2. Scroll to the Accounts and permissions section, then click your name.

  3. Scroll to the Two-step authentication section, then click Enable two-step authentication.

  4. Enter your account password to continue.

  5. A new dialog window opens. Click anywhere in the box labeled SMS Delivery.

  6. Click Next.

  7. Under the header Phone number, enter your mobile phone number.

  8. Click Send Code.

  9. Check your mobile phone for an SMS text message. Retrieve the 6-digit code from the text message, and enter it in step 2 of the dialog window.

  10. Click Confirm.

  11. You'll be provided with a list of 10 recovery codes.

    Write down your recovery codes and keep them in a safe place. If you lose your mobile device, or don't have it with you one day, then using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. To do that, read about retrieving recovery codes.

  12. Click Set Backup Phone (optional).

  13. Enter an alternate phone number. Only use a trusted number, like your spouse's, business partner's, or a close friend's.

  14. Click Confirm.

Now when you try to log in, two-step authentication will require your mobile device.

Enable two-step authentication with an authenticator app

To enable two-step authentication with an authenticator app, you'll need to download an authenticator app to your mobile device. Recommended mobile devices include:

  • Smartphones.
  • Other mobile devices on iOS, Android, Windows, or BlackBerry operating systems.

The app will be able to scan QR codes and retrieve authentication data for you. Recommended authenticator apps include:

Follow the App installation instructions from a link above carefully. Shopify support cannot help you install these third-party apps on your mobile devices. Once your app is successfully downloaded and set up, continue to Activate the feature in Shopify.

Activate an authenticator app in Shopify

To activate an authenticator app in Shopify:

  1. From your Shopify admin, go to Settings > Account.

  2. Click your name.

  3. Scroll to the section Two-step authentication and click Enable two-step authentication.

  4. Enter your account password to continue.

  5. A new dialog window opens. Click anywhere in the box labeled Authenticator App.

  6. Click Next.

  7. Configure your authentication app by using one of the two methods provided.

    To use the QR code provided, tap Scan QR code and then point your camera at the QR code on your computer screen.

    To use manual entry, click Click here to display to retrieve the secret key. In your mobile app, tap Manual Entry and enter the email address of your Google Account. Then, enter the secret key on your computer screen into the box next to Key and tap Done.

  8. Enter the six-digit code generated by the app to complete step 3 of the dialog window.

  9. Click Confirm.

  10. You'll be provided with a list of 10 recovery codes.

    Write down your recovery codes and keep them in a safe place. In the event that you lose your mobile device, or don't have it with you one day, using a recovery code is the only way to log in to an account that has two-step authentication enabled.

    Note: Each recovery code can be used only once.

    You can retrieve your recovery codes at a later date, but only if you're already logged in. To do that, read about Retrieving Recovery Codes.

  11. Click Set Backup Phone (optional).

  12. Enter an alternate phone number. Only use a trusted number, like your spouse's, business partner's, or a close friend's.

  13. Click Confirm.

Now when you try to log in, two-step authentication will require your mobile device.

Setting a backup phone number (optional)

To set a backup phone number:

  1. From your Shopify admin, go to Settings > Account.

  2. Click your name.

  3. Scroll to the section Two-step authentication and click Enable two-step authentication.

  4. Under Backup phone, click Set Up.

  5. Enter your account password to continue.

  6. Click Confirm.

  7. Under the header Phone number, enter your backup mobile phone number.

  8. Click Confirm.

Retrieving Recovery Codes

At any time while logged in to your account, you can retrieve the list of the 10 recovery codes we showed you when you activated two-step authentication. To retrieve the list:

  1. From your Shopify admin, go to Settings > Account.

  2. Click your name / Staff account.

  3. Scroll down to the Two-step authentication header, then click Show recovery codes.

Logging in with two-step authentication

When two-step authentication is enabled, your login experience changes slightly. Here's how to log in to Shopify:

Disabling two-step authentication

If you'd like to return to a simple email/password login, then you need to disable two-step authentication:

  1. From your Shopify admin, go to Settings > Account.

  2. Click your name / Staff account.

  3. Under the Two-step authentication header, click Disable.

  4. Confirm by clicking Disable Two-Step Authentication.

  5. Enter your account password to finish disabling two-step authentication.

Change your device

If you're planning on getting a new phone, for example, then you can change the device that you use for two-step authentication.

  1. From your Shopify admin, go to Settings > Account.

  2. Click your name / Staff account.

  3. Scroll to the Two-step authentication section, then click Change under Backup phone.

  4. Enter your account password to continue.

  5. Enable two-step authentication on your new device.

Problems logging in with two-step authentication?

When you activated two-step authentication, we generated 10 recovery codes for you. You can use a recovery code instead of the 6-digit code generated by your mobile app to log in.

Locked out of your account?

If you don't have access to your phone, your backup devices, or your recovery codes, then you will be locked out of your account.

  • If you're the account owner

    You will have to wait 1 hour before trying to log in again. If you think that your store has been maliciously taken over, then contact our support team right away.

  • If you're a staff member

    Ask the account owner to disable your two-step authentication so you can log in again.
