Two-factor authentication (2FA) adds a second layer to login — beyond your password, you also provide a time-based code from an authenticator app. Without 2FA, anyone with your password can access your account. With 2FA, they’d need the password AND your phone. For an account that controls hosting, domains, and billing — and possibly an entire business presence online — 2FA is one of those “small investment, massive payoff” security moves. This guide walks through enabling it at auth.iwebvault.com.
What 2FA actually protects against
- Password leaks. If your password is exposed via a breach on some other site (you reused it), the attacker still can’t log in without your phone.
- Phishing. If you typed your password into a fake login page, the password alone is not enough to log in. Note the limit: a phishing page that also captures your current 6-digit code and relays it within the 30-second window can still get through, so check that the address bar really says auth.iwebvault.com before typing either one.
- Credential stuffing. Bots cycling through stolen credentials hit a wall at the 2FA prompt.
- Account takeover. The classic “someone stole my account” scenario — 2FA makes it dramatically harder.
The trade-off: one extra step at login (about 5 seconds). Worth it for nearly every account; mandatory for accounts controlling business infrastructure.
What you’ll need
An authenticator app installed on your phone (or computer):
- Google Authenticator — simple, no cloud sync by default (newer versions optionally sync to Google account).
- Authy — cloud sync across devices, encrypted backup. Useful if you change phones often.
- Microsoft Authenticator — similar to Authy, ties to Microsoft account.
- Aegis (Android) / Raivo (iOS) — privacy-focused alternatives with local-only encrypted backups.
- 1Password / Bitwarden — password managers that also store TOTP codes.
For iWebVault, any TOTP-compatible app works. Pick whichever you’ll actually use consistently.
Enabling 2FA
- Log in to auth.iwebvault.com.
- Top-right menu → Account → Security Settings (sometimes labeled “Profile” or “Account Settings”).
- Find Two-Factor Authentication section.
- Click "Click here to Enable".
- You’ll see a QR code and a setup secret.
- Open your authenticator app → Add Account → Scan QR code.
- App shows a 6-digit code that changes every 30 seconds.
- Enter the current code in the iWebVault setup screen → Submit.
- Save the backup codes shown after activation. Print them or store in a password manager.
From your next login onward, you’ll enter your password as usual, then be prompted for the 6-digit code from your authenticator app.
Critical: save your backup codes
The backup codes shown when you enable 2FA are your "lost my phone" recovery option. Each code works exactly once; the system typically gives you 6 to 10 of them. Treat them like passwords:
- Store in your password manager OR print and put in a safe place.
- NEVER store on the same device as your authenticator — losing that device means losing both.
- Don’t email them to yourself in plain text.
- If you use one (because you lost your phone), regenerate the full set.
Losing both the authenticator AND the backup codes means recovery requires support ticket + identity verification, which can take time.
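As an added illustration, not iWebVault's implementation, of why each backup code works exactly once and why regenerating replaces the whole set: a hypothetical server-side store that keeps only salted hashes of the codes (never the plaintext), consumes a code on first use, and rejects a replay. The code format, alphabet and hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

# Assumed format: 10 characters from an alphabet without 0/O and 1/l/I lookalikes,
# shown to the user as xxxxx-xxxxx. Real systems vary.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10


def normalize(code: str) -> str:
    """Accept the code however the user typed it: hyphen, spaces, upper case."""
    return code.strip().lower().replace("-", "").replace(" ", "")


class BackupCodeStore:
    """Hypothetical per-account store of backup codes, kept as salted PBKDF2 hashes."""

    def __init__(self, count: int = 8, iterations: int = 50_000):
        self.count = count
        self.iterations = iterations
        self.salt = secrets.token_bytes(16)
        self.hashes: Set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(code).encode("ascii"), self.salt, self.iterations
        )

    def generate(self) -> List[str]:
        """Create a fresh set and return the plaintext codes once, for the user to save.
        Any previously issued set is discarded, which is why 'regenerate the full set'
        after using one code is the safe move: the old codes stop working."""
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(self.count)
        ]
        self.hashes = {self._digest(c) for c in codes}
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, code: str) -> bool:
        """Accept a code once. The matching hash is removed, so a replay of the same
        code (for example one read from a leaked email) is rejected."""
        candidate = self._digest(code)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.generate()
    print("save these now:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False
    print("codes left:", store.remaining())       # 7
```

Storing only hashes means a database leak does not hand an attacker a working login, the same reason passwords are hashed; the constant-time comparison avoids leaking which stored hash was close to matching.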
Logging in with 2FA
- Enter username and password as usual.
- Prompt asks for “Authentication code”.
- Open authenticator app → find iWebVault entry → enter the current 6-digit code.
- Done.
Codes refresh every 30 seconds. If you’re slow typing, the code may expire — just enter the next one shown.
Lost access to your authenticator
If you have backup codes
- At the 2FA prompt, look for “Use backup code” or similar link.
- Enter one of your backup codes.
- Once logged in, disable and re-enable 2FA. This generates a new QR code for your new authenticator and a new set of backup codes; the old codes no longer work.
If you’ve lost both authenticator and backup codes
- Open a support ticket from a different email or contact us through another channel.
- Be ready for identity verification — we’ll ask things like recent invoices, server IPs, or other account-specific knowledge to confirm you’re the legitimate owner.
- Once verified, we disable 2FA so you can log in and re-enable with a new authenticator.
The verification step is deliberately rigorous — if it weren’t, attackers could just claim “I lost my phone” to bypass 2FA. Expect 24-48 hours for full identity verification.
Disabling 2FA
- Log in to client area.
- Security Settings → Two-Factor Authentication.
- Click Disable.
- Confirm with your password.
Reasons you might disable: switching authenticator apps (disable, then re-enable with the new one), troubleshooting access issues, or migrating to a different account setup.
Switching to a new phone
If you’re upgrading phones and your authenticator doesn’t sync:
- BEFORE wiping the old phone — log in to iWebVault with the old phone’s authenticator.
- Disable 2FA.
- Set up authenticator on new phone (install app, sign in if syncing).
- Re-enable 2FA on iWebVault, scan the new QR code with the new phone.
- Save new backup codes.
If your authenticator supports cloud sync (Authy, 1Password, Microsoft Authenticator with backup enabled), the codes follow you automatically — no disable/re-enable needed.
What client-area 2FA doesn't cover
2FA at auth.iwebvault.com protects login to the client area — billing, services, support tickets, account management. It does NOT cover:
- cPanel login. Enable separately at cPanel → Security → Two-Factor Authentication.
- DirectAdmin login. DA supports 2FA in its own settings menu.
- WordPress admin. Install a WP 2FA plugin (WP 2FA, Wordfence Login Security, Two-Factor Authentication).
- Email accounts. Not 2FA-protected at server level — keep mailbox passwords strong and unique.
- SSH access. Use SSH keys: a private key file that stays on your machine replaces the password, so a stolen or guessed password alone gets an attacker nowhere. SSH key guide.
For full coverage, layer 2FA across every system that touches your hosting.
Common 2FA questions
“The code I enter is being rejected even though it’s correct.” Time drift. TOTP codes are computed from the shared secret and the current time, so your phone and the server must agree on the time. Most servers tolerate about one 30-second step of drift either way; beyond that, every code you type is rejected. Sync your phone’s clock (Settings → Date & Time → Auto-sync) and retry.
“Can I use SMS-based 2FA instead?” iWebVault’s client area uses TOTP (authenticator app), not SMS. This is intentional — SMS-based 2FA has known weaknesses (SIM swap attacks, SS7 vulnerabilities) and isn’t recommended. TOTP via authenticator app is significantly stronger.
“My phone has no internet — can I still authenticate?” Yes. TOTP works offline. The code is generated locally from a shared secret and the current time; no network needed.
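The following Python is an added example, not iWebVault's code, of what the setup steps and the two answers above describe: the base32 secret behind the QR code, the otpauth:// URI the QR encodes, the 6-digit code the app derives from that secret and the current time (no network involved), and a server-side check that tolerates one 30-second step of clock drift and rejects anything further off. Secret length, window size and the issuer label are assumptions; the demo at the bottom uses the reference secret from RFC 4226 / RFC 6238 rather than a real account.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per code, the "changes every 30 seconds" on the setup screen
DIGITS = 6   # length of the displayed code


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way the setup screen shows it (assumed length)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str = "iWebVault") -> str:
    """The text a TOTP enrollment QR code carries (Key URI format); issuer label is an assumption."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, last DIGITS decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """What the authenticator app displays: HOTP with counter = floor(unix_time / STEP).
    Only the secret and the clock go in, which is why it works with no internet."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // STEP))


def verify(secret_b32: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps on
    either side, so a phone clock up to ~30 s fast or slow still logs in; a clock further
    off produces the 'correct code rejected' symptom. Constant-time compare throughout."""
    t = time.time() if at is None else at
    step = int(t // STEP)
    return any(
        hmac.compare_digest(hotp(secret_b32, step + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 4226 / 6238 reference secret ("12345678901234567890" in base32), not a real account.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri(rfc_secret, "you@example.com"))
    print("code at t=59:", totp(rfc_secret, 59))                    # 287082
    print("accepted 16 s later:", verify(rfc_secret, "287082", 75))  # True (one step of drift)
    print("accepted 36 s later:", verify(rfc_secret, "287082", 95))  # False (two steps off)
```

If you want to generate a working enrollment for a test account, call new_secret(), put the otpauth_uri() output into any QR encoder, scan it with your app, and compare what the app shows against totp(secret). Note that the window in verify() is also why a phished code is only useful to an attacker for about a minute, not why it is useless.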
“Do I need to enter the code every login or just once?” Every login, by default. Some login screens offer a “remember this device” option that skips the prompt on that browser for a period; check the 2FA prompt to see whether it is available.
“Should staff members have their own logins or share one?” Their own. Each person should have a separate login (you can add contacts in client area with specific permissions). Shared logins make 2FA setup messy and audit trails impossible.
What’s next
- SSH key authentication (replaces password logins on servers): SSH keys guide.
- WordPress hardening including 2FA plugins: WordPress hardening.
- Reactivating an account: Suspended/terminated guide.
2FA is the single most effective security upgrade for almost any account. Five minutes of setup, ongoing protection against stolen, leaked or reused passwords. Enable it on iWebVault, then cPanel, then WordPress; each layer adds independent protection.