This article provides information on setting up two-factor authentication (2FA) on user accounts via an authenticator app. See Logging into Your Store for information on logging into your store using email verification.
2FA is a security process that requires users to prove their identity with two different means (factors): here, something you know (the username/password combination entered on the login page) and something you have (an authenticator app on your mobile device). An attacker who has obtained your password, or gained access to your email account, still cannot log in to your store's control panel without the second factor.
As such, we recommend using an authenticator app to provide this extra layer of security. In addition, should you lose access to your email account or experience mail delays, you would still be able to log in to your BigCommerce store’s control panel.
Enabling 2FA with an Authenticator App
1. To set up an authenticator app on your user account, go to My Profile › Two-Factor Authentication, and click the Enable button next to Authenticator app.
2. Scan the QR code with your authenticator app. If you don't already have an authenticator app, we recommend Twilio Authy, but you can use the app of your choice.
3. Once your BigCommerce user account is added to your authenticator app, enter the token into BigCommerce exactly as it appears in the app and click Verify. The app's tokens change every 30 seconds (the TOTP default used by Google Authenticator and similar apps), so if the current token is about to expire, let it refresh and use the new one. If a correctly typed token is rejected, check that your phone's clock is set automatically; TOTP tokens are derived from the current time, so a device clock that is more than a minute off produces tokens the server will not accept.
FAQ
Which authenticator apps can I use?
Twilio Authy is the authenticator app recommended for use with BigCommerce. However, you can use any application that supports TOTP (Time-based One-Time Password, RFC 6238) codes, such as Google Authenticator, Duo, and others. After the initial QR code scan, the app generates 6-digit codes that are each valid for 30 seconds, and one of these codes is required to log in to the control panel. A 2FA method such as TOTP codes on a mobile device is a more secure way of protecting your store than a username and password alone, because a stolen password is not enough on its own.
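To make concrete what the authenticator app does after you scan the QR code in step 2 of the setup procedure, and why the token you type in step 3 expires every 30 seconds, here is an added example (not BigCommerce's or Authy's code) of a minimal RFC 6238 TOTP generator and verifier in Python. The secret is the published RFC 6238 test key, not a real account secret; the account name and issuer in the otpauth URI are assumptions, and the assumption that the QR code encodes a standard otpauth:// URI is also the example's, not a statement from the original page. The verifier accepts the code for the previous and next 30-second step as well as the current one, which is the usual tolerance for small clock drift, and compares codes in constant time.

```python
"""Minimal RFC 6238 TOTP generator and verifier.

Added example; not BigCommerce code. Uses only the standard library.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

DIGITS = 6    # length of the code the control panel asks for
PERIOD = 30   # seconds per step; RFC 6238 default, used by Google Authenticator etc.


def b32_to_bytes(secret_b32):
    """Decode the Base32 secret from an otpauth URI (tolerates missing padding/spaces)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(b32_to_bytes(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros, e.g. "005924"


def totp(secret_b32, at_time=None, period=PERIOD):
    """TOTP is HOTP with counter = floor(unix_time / period); this is what the app displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period)


def seconds_remaining(at_time=None, period=PERIOD):
    """How long the currently displayed token stays valid (the app's countdown)."""
    if at_time is None:
        at_time = time.time()
    return period - int(at_time) % period


def verify_totp(secret_b32, submitted, at_time=None, period=PERIOD, window=1):
    """Server-side check: accept the current step and `window` steps either side for clock drift."""
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return False
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // period
    for step in range(-window, window + 1):
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(secret_b32, counter + step), submitted):
            return True
    return False


def provisioning_uri(secret_b32, account, issuer="BigCommerce"):
    """The kind of otpauth:// URI a setup QR code typically encodes (format is an assumption here)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890" in Base32; a constructed demo value, not a real secret.
    secret = base64.b32encode(b"12345678901234567890").decode()
    print(provisioning_uri(secret, "merchant@example.com"))   # account name is an assumption
    print("token now:", totp(secret), "expires in", seconds_remaining(), "s")
    print("RFC vector at t=59:", totp(secret, at_time=59))   # 287082
```

Running the block prints the URI an app would scan and the live token; the test vectors from RFC 4226/6238 (counter 1 at t=59 gives 287082) confirm the arithmetic matches what Google Authenticator, Authy and Duo compute. Note that the secret is shared: whoever obtains the Base32 value, whether from a screenshot of the QR code or a backup, can generate valid tokens, which is why the setup screen should be treated as sensitive.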
Where is my token?
The token is the six-digit number generated in the authenticator app. After scanning the QR code, you will see BigCommerce on the list of accounts. Depending on your app, you may have to tap on the BigCommerce account to reveal the token and the time left before it expires and a new one is generated.
What if I get locked out?
In situations where you cannot log in to disable 2FA on your user account, such as losing your phone or being unable to open your authenticator app, contact our support team. Please note that we can only disable 2FA at the request of the person who owns that user account.
How do I switch back to email verification?
To disable using an authenticator app and switch back to email verification, go to My Profile › Two-Factor Authentication, and click the Enable button for Email verification. Click Confirm on the popup alert.
I'm the store owner. Can I enable or disable the authenticator app 2FA method on staff user accounts?
No, it must be set up by the individual user under My Profile › Two-Factor Authentication.