Secure your account with two-step authentication
Two-step authentication (also known as two-factor authentication) provides a more secure login process because when you (or anyone else) attempt to sign in, you’ll have to provide the following information:
- The account password.
- A single-use authorization code generated by a mobile app or an SMS text message.
This is like a cash withdrawal machine at the bank, which requires both a debit card and a personal identification number (PIN). The difference here is that you’ll have to use a different authentication code every time you sign in, because an authentication code expires after it’s used.
Two-step authentication can be set up for all accounts, but the account owner can’t enable it for staff members. Staff members need to set it up for their own accounts.
Enabling two-step authentication
There are two different ways to retrieve authentication codes to use during login. You can either receive them by SMS text message or generate them with an authenticator app.
Enable two-step authentication for SMS text messages
To enable two-step authentication:
- From your Shopify admin, go to Settings > Account.
- Scroll to the Accounts and permissions section, then click your name.
- Scroll to the Two-step authentication section, then click Enable two-step authentication.
- Enter your account password to continue.
- A new dialog window opens. Click anywhere in the box labeled SMS Delivery.
- Click Next.
- Under the header Phone number, enter your mobile phone number.
- Click Send Code.
- Check your mobile phone for an SMS text message. Retrieve the 6-digit code from the text message, and enter it in step 2 of the dialog window.
- Click Confirm.
- You’ll be provided with a list of 10 recovery codes.
– Write down your recovery codes and keep them in a safe place. If you lose your mobile device, or don’t have it with you one day, then using a recovery code is the only way to log in to an account that has two-step authentication enabled.
Note: Each recovery code can be used only once. You can retrieve your recovery codes at a later date, but only if you’re already logged in.
- Click Set Backup Phone (optional).
- Enter an alternate phone number. Only use a trusted number, like your spouse’s, business partner’s, or a close friend’s.
- Click Confirm.
Now when you try to log in, two-step authentication will require your mobile device.
Enable two-step authentication with an authenticator app
To enable two-step authentication with an authenticator app, you’ll need to download an authenticator app to your mobile device. Recommended mobile devices include:
- Smartphones.
- Other mobile devices on iOS, Android, Windows, or BlackBerry operating systems.
The app will be able to scan QR codes and retrieve authentication data for you. Recommended authenticator apps include:
- Google Authenticator (Android/iPhone/BlackBerry)
- Duo Mobile (Android/iPhone)
- Amazon AWS MFA
- Authenticator (Windows Phone 7)
Tip
The authenticator app for BlackBerry devices does not scan QR codes – a secret key will be provided for you to enter manually.
Follow the app’s installation instructions. Shopify support cannot help you install these third-party apps on your mobile devices.
Activate an authenticator app in Shopify
To activate an authenticator app in Shopify:
- From your Shopify admin, go to Settings > Account.
- Click your name.
- Scroll to the section Two-step authentication and click Enable two-step authentication.
- Enter your account password to continue.
- A new dialog window opens. Click anywhere in the box labeled Authenticator App.
- Click Next.
- Configure your authentication app by using one of the two methods provided.
– To use the QR code provided, tap Scan QR code and then point your camera at the QR code on your computer screen.
– To use manual entry, click Click here to display to retrieve the secret key. In your mobile app, tap Manual Entry and enter the email address of your Google Account. Then, enter the secret key on your computer screen into the box next to Key and tap Done.
- Enter the six-digit code generated by the app to complete step 3 of the dialog window.
- Click Confirm.
- You’ll be provided with a list of 10 recovery codes.
– Write down your recovery codes and keep them in a safe place. In the event that you lose your mobile device, or don’t have it with you one day, using a recovery code is the only way to log in to an account that has two-step authentication enabled.
Note: Each recovery code can be used only once.
- Click Set Backup Phone (optional).
- Enter an alternate phone number. Only use a trusted number, like your spouse’s, business partner’s, or a close friend’s.
- Click Confirm.
Now when you try to log in, two-step authentication will require your mobile device.
Setting a backup phone number (optional)
To set a backup phone number:
- From your Shopify admin, go to Settings > Account.
- Click your name.
- Scroll to the section Two-step authentication and click Enable two-step authentication.
- Under Backup phone, click Set Up.
- Enter your account password to continue.
- Click Confirm.
- Under the header Phone number, enter your backup mobile phone number.
- Click Confirm.
Note: You must already be logged in to set up a backup phone number.
Retrieving Recovery Codes
At any time while logged in to your account, you can retrieve the list of the 10 recovery codes we showed you when you activated two-step authentication. To retrieve the list:
- From your Shopify admin, go to Settings > Account.
- Click your name / Staff account.
- Scroll down to the Two-step authentication header, then click Show recovery codes.
Note: You must already be logged in to retrieve a copy of your recovery codes.
Logging in with two-step authentication
When two-step authentication is enabled, your login experience changes slightly. Here’s how to log in to Shopify:
- From your Shopify admin login page, enter your email address and password.
- Click Log in.
- On the next page, you need to enter a 6-digit authentication code:
– If you’re using an authenticator app, then open the app on your mobile device to see your code.
– If you chose to receive a code by SMS, then check your phone for an SMS message with the code.
- In Shopify, enter your authentication code in the Authentication code field.
- Click Log in.
Change your device
If you’re planning on getting a new phone, for example, then you can change the device that you use for two-step authentication.
- From your Shopify admin, go to Settings > Account.
- Click your name / Staff account.
- Scroll to the Two-step authentication section, then click Change under Backup phone.
- Enter your account password to continue.
- Enable two-step authentication on your new device.
Note: Once your new mobile device is set up, the previous device will no longer function for two-step authentication on this Shopify account.