Back to Support Account Two-Step Authentication

Two-Step Authentication

Your site is your home on the internet, and you want to keep that home safe. Hopefully, you’ve already chosen a unique and hard-to-crack password for your account. To add another layer of home security, you can enable two-step authentication.

What is Two-Step Authentication?

Two-step authentication is a method of securing accounts requiring that you know something (a password) to log in and possess something (your mobile device or a physical key). The benefit of this approach to security is that even if someone guesses your password, they must also have stolen your possession to break into your account.

At, we offer two-step authentication via a mobile device and a physical security key. We first verify your mobile device by sending a code via one of a couple of methods. Once you’ve verified your mobile device, you can also add authentication that uses a physical key instead.

Once you’ve set up two-step authentication, we send a new code to your device any time you log in with your password, which you must input or plug in your physical key before logging in. It adds a small extra step to the login process but makes your account much more secure.

Set up Two-Step Authentication

First, go to your Two-Step Authentication settings page at

  1. Click the Profile icon at the top of your dashboard.
An arrow pointing to the My Profile icon in the top of the dashboard.
  1. Click the Security menu option on your Profile.
A menu with a dark background and the "Security" menu item highlighted.
  1. Last, click Two-Step Authentication to get started.
  2. You’ll be able to choose between Set up using an app and Set up using SMS.

Use an App

The first screen of the Two-Step Authentication process with the "Set up using an app" option selected.

You’ll need to start in a desktop browser to set up two-step authentication via an authenticator application like Google Authenticator, Authy, or Duo on your device.

Click the Set up using an app option, and click Get Started.

Next, scan the QR code presented with your authenticator app. A six-digit number will appear in the authenticator app. Enter it in the field provided and click Enable.

The second step of Two-Step Authentication setup, displaying a QR code on the screen.


If you’re unable to scan the QR code, click the Can’t scan the code? link to get a one time code to enter into your authenticator app.

Lastly, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance should your device go missing!

Please Note: If your web browser is set to block pop-up windows, you may need to temporarily disable this feature, as it will prevent the window with your backup codes from opening.

Click All Finished.

At this point, your site is enabled for two-step authentication. A follow-up step lets you confirm that your backup codes work by entering one printed code.

Verify backup code

Use SMS Codes

If you cannot set up two-step authentication using an authenticator app, you can also set it up to work via SMS messages.

Select the option to Set up using SMS and click Get Started.

On the following screen, enter your country code and phone number and click Continue. You should receive a text message with a 7-digit number within a few moments. Enter this number in the blank provided and click Enable.

The Verify Code screen for setting up SMS Two-Step Authentication.

Lastly, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance should your device go missing!


Smartphone apps that block automated calls might also block our messages.

Security Key Authentication supports login verification with physical security keys using the WebAuthn standard.

Instead of typing in a code you get via SMS or an app like Google Authenticator after entering your password, you plug in a physical key. You then press a button on that key to complete verification and log in. No one can log into your account without that physical key, even if they know the password.

Add a Key

First, set up two-step authentication with SMS or an authenticator app, as outlined above.

After setting up two-step authentication with an app or SMS, you’ll see the option to add a security key. Click on Register key.

The Security page of the dashboard with an arrow pointing to the Security Key's Register Key button.

We allow you to register multiple keys so you can name your key to distinguish it from others you might add later. Type in a unique name and click Register key.

Setting up a security key by giving the key a name and clicking the Register key button.

At this point, plug your key into a USB port on your computer and, depending on the type of key, either press the button or tap the gold disc on the key.

Connect and touch your security key to register it

If you’re successful, you will see a message on the screen and the key will now be listed in the Security Key section.

List of security keys

Once this is set up, you won’t be able to access your account without your key, so treat it the same way you would the keys to your home or your car – keep it safe!

Also, consider adding a second key as a backup option and keep it somewhere you can find it should something happen to your primary key. To add additional keys, just click Register Key again.

Remove a Key

Should you want to remove a security key you added before (for example, if a key was lost or no longer works), you can disconnect that key from your account.

Go to the Two-Step Authentication page in your profile settings, click the Trash icon next to the key, and click Remove Key in the confirmation message that will appear.

Delete security key

Logging In

The login process varies slightly from the usual once you have enabled two-step authentication. Whether using the Google Authenticator or the SMS method to enable two-step authentication, you’ll start by logging in with your username and password as usual.

Image of the login screen, prompting an email address or username.
Log into

Next, you’ll be prompted to enter the verification code sent to your device.

Prompt to enter two-step authentication code.

If you set up two-step authentication with an authenticator app, open the app on your device and provide the six-digit number listed for the account. If you’re using SMS for two-step authentication, we’ll send you a text message with a six-digit number. Once you’ve entered the code, you’ll be logged in and ready to blog.

If you have a security key configured, you’ll see a prompt asking whether you want to verify using your key, or your authenticator app/SMS. To verify using your key, click Continue with security key.

Two Step authentication options

Next, you’ll see a prompt to connect your key. Plug the key into a USB port on your computer and, depending on the key type, either press the button or tap the gold disc on the key to finish logging in.

Prompt to connect security key and complete login.


If you take too long to verify, the verification request will be cancelled and an error message will appear. Just click Continue with security key again to restart the verification.

Backup Codes

We don’t want you to lose access to your account—you’ll still need to be able to log in if it’s lost, stolen, locked out for any reason, or your device needs to be wiped clean (which will delete Google Authenticator).

To ensure you’re never locked out of your account, you can generate a set of ten one-time-use backup codes. We recommend you print out the backup codes and keep them in a secure place like a wallet or document safe. (Don’t save them on your computer. They’d be accessible to anyone using your machine.) 

Generating backup codes is essential and must be done. If you ever need to use a backup code, just log in like you usually would, and when asked about the login code, enter the backup code instead.

At the end of the setup process for Two-Step Authorization, you’ll be given the option to generate backup codes:

Print out backup codes

Print out the codes—don’t just save them—and confirm that you’ve done that. Then click All Finished! to close that screen.

If you lose your list of backups or it’s compromised, you can generate a new set of codes. For added security, this will disable any previously-generated codes.

Generate new backup codes

You can only generate the backup codes from a desktop browser. For example, Safari on iOS will not display the backup codes. Additionally, if your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.

Application-Specific Passwords

There may be some apps that connect to your account that don’t yet fully support two-step authentication. The most common are Jabber apps used to subscribe to blogs. You can generate unique passwords for these apps (e.g., you can have a different password on your phone and tablet). You can then disable individual passwords and lock applications out of your account to prevent others from accessing your sites.

To generate application-specific passwords, head back to Two-Step Authentication and then down to “Application Passwords”:

Application password prompt

Give the application a name—you’re the only one who will see this name, so call it whatever you’d like—and click “Generate Password.” will create a unique 16-character password that you can copy and paste the next time you log in to your account on that device. The application will remember this password so you don’t need to.

Your Security page will maintain a list of all the applications for which you’ve generated passwords. If any of your devices are lost or stolen, or you simply wish to revoke access for a particular application, you can visit this page at any time and click “X” to disable the password and prevent the app from accessing your account:

Remove application password

Disable Two-Step Authentication

We don’t recommend disabling two-step authentication, as it’s much less secure, even if you believe your password is robust. But if you insist, you can disable the feature by going to your Two-Step Authentication page.

The page will show that the feature is enabled, and you can click the Disable Two-Step Authentication button. This will prompt you to enter a code to confirm that you still have access to the device you initially used to set up two-step authentication. If you’re using an authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use. (This code differs from the code you used to log in to your account. You can also use one of your backup codes for this step.)

Click Disable after entering the code, and your account will no longer be protected by two-step authentication.

Disable two-step authentication


A security key cannot be used to disable two-step authentication – this can only be done using a code received via SMS, your authenticator app, or a backup code.

Moving to a New Device

If you plan on switching to a new device and have enabled two-step authentication, you will want to take the following steps to avoid being accidentally locked out of your user account.

If you are using an authenticator app to generate verification codes:

  1. Print backup codes for your user account by following the steps here. DO NOT SKIP THIS STEP.
  2. On your new device, install the authenticator app.
  3. Disable the two-step authentication link with your old device by following the steps here.
  4. Set up your user account to link to your new device by following the steps here.
  5. If you are prompted to enter your verification code, use a code from your list of backup codes. Backup codes are for one-time use only.
  6. You can now uninstall the authenticator app from your old device.

If you are using the mobile app to manage and publish to your site:

  1. Create a new application-specific password by following the steps here.
  2. Enter your new application password when using this app on your new device.


If you are using SMS to receive authentication codes, you will not need to update your settings unless you are also changing to a new phone number. In that case, you will want to set up a new recovery number prior to disconnecting your old SMS number by following the steps here.

If You Lose Your Device

If you lose your device or security key, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back in to your account is by using a Backup Code.

To use a backup code, fill in your login details like you normally would. When asked about the login code enter the backup code instead. Remember: backup codes are only valid for one time each so be careful when using them.

Was this guide helpful for you?

Not quite what you're looking for? Get Help!

Copied to clipboard!