Bluehost Web Hosting Help

Two-Factor Authentication

Two-factor authentication, also known as 2FA or two-step verification, is an optional feature designed to prevent anyone but you from accessing your hosting account by requiring two forms of identity verification: your password and an authentication code. 2FA is ideal for anyone looking to increase their account security because stealing your password isn't enough for a hacker to access your account. They would also need access to your mobile device or email account, depending on how you set it up.

This article explains everything you need to know about two-factor authentication and how you can use it on your account.



How Does It Work?

Once two-factor authentication is enabled, logging in to your account will work a bit differently. You'll enter your Bluehost username and password as usual, and then you'll be prompted to enter a 2FA authentication code which you'll get from an app on your mobile device or your email. Enter the 6-digit single-use code to complete the login process and access your account. Google Authenticator refreshes the code every 30 seconds, but the refresh rate varies per app. Regardless of the refresh rate, each code is valid for 5 minutes.

You'll be prompted to provide an authentication code in three situations:

  • When a login attempt is made.
  • Upon an attempt to enable or disable two-factor authentication.
  • To validate you're an authorized user on an account when you contact one of our support teams for assistance. In this situation, the authentication code is referred to as a validation token.

Access Two-Factor Authentication

Older Accounts
  1. Log in to your Bluehost account.
  2. Click the Accounts menu at the top of the page.
  3. Click Passwords in the submenu.
  4. Scroll down to Two-Factor Authentication.
Newer Accounts
  1. Log in to your Bluehost account.
  2. Click the accounts icon in the top right-hand corner of the page, then choose the Validation Token option.
  3. Scan the QR Code with the Google Authenticator App
  4. Click 'here' to complete the setup.

Enable Two-Factor Authentication

Two-factor authentication can be enabled separately for the main account password, the billing password, and each hosting password. However, you can only enable it for the password you used to log in to the account.

Mobile Device Setup

Most users prefer to use an authenticator app (like Google Authenticator) on their mobile device to retrieve the code for 2FA. An authenticator app allows you to access the code at any time, even without internet access. After you've installed an authenticator app, follow the steps below to set up 2FA and link your Bluehost account to your device:

  1. Use the authenticator app to scan the QR code or manually enter the Secret Key to add your Bluehost account to your device.
  2. Enter the 6-digit code displayed in the app and click Verify Token.

Email Setup

If you'd prefer to receive authentication codes by email, you can set up 2FA to send authentication codes to the email address of your choice. To make your account more secure, we recommend using an email address different from the one listed in the Account Profile.

  1. Access the Two Factor Authentication settings.
  2. Next to "Don't have a smartphone?" Click Click Here to be taken to email setup.
  3. Enter your email address and click Update to have a code emailed to you.
  4. Check your email for the authentication code.
  5. Enter the 6-digit code found in the email and click Verify Token.

How to Disable Two-factor Authentication

You can disable two-factor authentication by following these steps:

  1. Access the Two Factor Authentication settings.
  2. Click Disable Two-Factor Authentication.
  3. Enter the current authentication code and click Disable Two-Factor Auth.

Frequently Asked Questions

Why do I need to enable two-factor authentication?

You don't need to enable two-factor authentication; it's entirely optional. However, it's more common than you realize for a hacker to gain access to your password, so requiring an extra step will protect your account from unauthorized access.

Can I use a different two-factor smartphone application to do this?

Yes, there are several authenticator apps that can be used for this purpose; Google Authenticator is just one we prefer.


I entered the code but then I was redirected to the login screen. What's going on?

The code you entered is outdated or invalid. Individual codes are valid for about 5 minutes, even though Google Authenticator will refresh every 30 seconds and other apps may refresh at a different rate. Check the app or your email to be sure you're using the most recent code. If you have multiple accounts set up on the mobile app, make sure you're using the code for the correct account and that there aren't any spaces.


I'm locked out of my account and can't get a new code. What do I do?

This can happen if you've deleted the account from Google Authenticator (or the app of your choice), if you lost your phone, or for various other reasons. But we can help! Please contact the Billing Department for further assistance.


Will this prevent my websites from being hacked?

No. Enabling two-factor authentication prevents unauthorized persons from accessing your hosting account, but won't prevent criminals from hacking directly into your website by exploiting vulnerabilities in outdated scripts or plugins.


What else can I do to strengthen my account security?

There are many ways that you can keep your account safe. Here are a few tips:

  • Keep your software and scripts up to date.
  • Don't reuse passwords.
  • Don't share your account’s password with anyone.
  • Use a password manager.
  • Don't click the links in suspicious or unexpected emails.
  • Be careful of what you download from the internet.
  • Beware of phishing attempts
Knowledgebase Article 215,686 views bookmark tags: account password security


Was this resource helpful?

Did this resolve your issue?


Please add any other comments or suggestions about this content:





Recommended Help Content

Office 365: Multi-Factor Authentication

Office 365 requires admins users to set up multi-factor authentication before they can use the account. If customers do not set up their multi-factor authentication within 48 hours, they may be locked out.

Login Management

Accessing your account is as easy as entering your domain name and password on the login screen, or clicking one of our Single Sign-On options.

Validation Token

Validation tokens are an easy way to validate you're an authorized user.

Related Help Content

Basic Site Security Checklist

What can I do to increase my Site Security while hosting with Bluehost?

Account Validation

When you call in for help with your account, the account must be validated before our support staff can assist.

Office 365: Temporary Password and Password Resets

How to use temporary passwords and reset the password for a user's account.

How to Create a Strong Password

Strong passwords: How to create and use them.

Email Accounts - Change the Mailbox Size Quota

Where do I Change my Mailbox (Size) Quota? How do I Increase or Decrease Mailbox (Storage) Quota?

Resetting the Password for an Email Account

Instructions for restting your Email Account's Password through cPanel or Webmail

Password Types

This article explains the different password types for your bluehost account.

Changing the Password for a Resold Account

How to change the password for a Resold account.