Two-Factor Authentication (2FA) on GoSiteMe
Two-factor authentication adds a critical second layer of security to your GoSiteMe account. Even if someone obtains your password, they cannot log in without the second factor. This guide shows you how to enable, use, and manage 2FA.
Why Enable 2FA?
- Protects against password breaches and phishing attacks.
- Required for accessing sensitive areas like billing and DNS management.
- Meets compliance requirements for businesses handling customer data.
Supported 2FA Methods
| Method | How It Works |
|---|---|
| Authenticator App | Time-based codes from Google Authenticator, Authy, or 1Password |
| SMS Codes | One-time codes sent to your mobile number |
| Security Keys | Hardware keys like YubiKey using WebAuthn/FIDO2 |
Enabling 2FA with an Authenticator App (Recommended)
- Log in to your GoSiteMe account and go to Account → Security.
- Under Two-Factor Authentication, click Enable.
- Select Authenticator App.
- Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.).
- Enter the 6-digit code displayed in the app to verify setup.
- Save the backup codes shown on screen. Store them in a secure location—you will need them if you lose access to your authenticator device.
Using a Hardware Security Key
- Follow steps 1–2 above, then select Security Key.
- Insert your YubiKey or compatible FIDO2 device.
- Touch the key when your browser prompts you.
- Name the key (e.g., "Office YubiKey") for easy identification.
You can register multiple security keys for redundancy.
Backup Codes
Each GoSiteMe account receives 10 single-use backup codes when 2FA is enabled. If you lose your phone or security key, use a backup code to log in and reconfigure 2FA. You can regenerate codes at any time from Account → Security → Backup Codes.
Disabling 2FA
Go to Account → Security → Two-Factor Authentication and click Disable. You will be asked to confirm with your current 2FA code. If you cannot provide a code, contact support with identity verification.
Best Practices
- Use an authenticator app rather than SMS—SIM-swap attacks can compromise text-based codes.
- Register a backup security key and store it separately from your primary key.
- Print your backup codes and keep them in a safe or safety deposit box.
- Enable 2FA on every team member's account, not just the account owner's.