Two-factor authentication (2FA) is an additional layer of protection to secure your account against unauthorized logins even in the event that someone knows your password. SiteHost recommends 2FA be enabled for all accounts.
With 2FA enabled, you are required to provide something you know (your password) and something you have (your mobile phone) in order to log in.
You can choose between using an Authenticator App or setting up Email Authentication. Both approaches are similar in that you will receive a 6-digit code from your chosen 2FA method and will be prompted to enter this code during login.
An Authenticator App is an application that supports TOTP (time-based one-time passwords), like Google Authenticator (on iOS and Android) or Authy. Your Authenticator App generates a new code periodically, and you will be prompted to enter the current code during login.
We strongly recommend using an Authenticator App as your 2FA method.
If you aren't able to set up an Authenticator App just yet, you can enable Email Authentication. When you log in, a code will be sent to your email address after you enter your username and password.
This is best used as an introductory 2FA method; for long-term use, the Authenticator App is much more secure.
Two-factor authentication can be set up from your Account settings in the SiteHost Control Panel.
If you are an account administrator, you'll have the option to enforce either Authenticator App or Email Authentication 2FA for all contacts on your account. This option can be found in the SiteHost Control Panel at Account » Preferences.
When you enforce Authenticator App 2FA, all contacts that have a login for your account will receive an email notification and will then have 48 hours to activate 2FA. If they do not activate 2FA within this grace period, they will lose access to the account and will need to have 2FA reset for them by an administrator. While this setting is in effect, users lose the ability to disable 2FA for themselves.
If you choose to enforce Email Authentication instead, this 2FA method will be activated on all contacts across your account immediately. On their next login they'll receive the 6-digit code and be asked to provide it. With this enforced, contacts can always update their 2FA method to use an Authenticator App as it is more secure.
Users who have activated 2FA are displayed with a green lock icon next to their username on the contacts page, so it's easy to see 2FA coverage for your account at a glance.
Admin users are unable to reset their own 2FA. If you are an admin and lose access to your account, please contact the support team.
Account administrators can reset 2FA for contacts who have lost access to their 2FA device (for example, their Authenticator App) or who have failed to activate 2FA within the grace period.
When viewing a contact's 2FA method, you will see an option to Reset 2FA Method. Once reset, the contact will receive an email notification and will have another 48 hours to activate 2FA.
You have two recovery options if you lose access to your account:
You have added a 2FA method but have not finished the enrolment process. Click on the method and follow the instructions to activate the method.
Tokens are valid for 30 seconds each, aligned to epoch time. The standard implementation allows the code before and after the current code to account for time drift between your device and our systems.
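The token validity rule above (30-second steps aligned to epoch time, with the code before and after the current one also accepted) can be seen in the following added example, which is not SiteHost's code. It assumes the RFC 6238 default of HMAC-SHA1, and goes one step beyond the text by refusing a code that was already accepted; `last_used_step` is a hypothetical piece of per-user state.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each token is valid, aligned to epoch time (from the page)
DIGITS = 6   # code length (from the page)
WINDOW = 1   # also accept the code before and the code after the current one

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP. HMAC-SHA1 is an assumption (the RFC 6238 default)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """Code for the 30-second step containing Unix time `now`."""
    return hotp(secret, int(now) // STEP)

def verify(secret: bytes, code: str, now: float, last_used_step=None):
    """Return the matching time step, or None if the code is rejected.

    last_used_step (hypothetical per-user state) is the step of the last
    accepted code; anything at or before it is refused, so a code cannot
    be replayed while the drift window still covers it.
    """
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - WINDOW), current + WINDOW + 1):
        # Constant-time comparison; every candidate step is checked.
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            matched = step
    if matched is None:
        return None
    if last_used_step is not None and matched <= last_used_step:
        return None
    return matched

# Constructed sample: the published RFC 6238 test secret, not a real credential.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)                 # generated in step 1
    print(code, verify(SECRET, code, 59))   # same step as the verifier
    print(verify(SECRET, code, 89))         # verifier one step ahead
    print(verify(SECRET, code, 119))        # verifier two steps ahead
    print(verify(SECRET, code, 60, last_used_step=1))  # already used
```

With a window of one step either side, each code can be accepted across three consecutive 30-second steps, which is why the example records the last accepted step.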