Insights security
Shopify Two-Factor Authentication: Complete Security Setup Guide for Merchants
Shopify two-factor authentication is a security layer that requires staff members to verify their identity with both a password and a time-based code from an authenticator app before accessing your store admin.
Key takeaways
- Shopify supports TOTP-based two-factor authentication through apps like Google Authenticator, Authy, and 1Password, generating six-digit codes that expire every 30 seconds.
- Stores with staff accounts lacking 2FA face account takeover risk from credential stuffing attacks, which test millions of leaked password combinations against your login page.
- Store owners can enforce 2FA for all staff through Settings > Users and permissions > Security, making it mandatory rather than optional within 72 hours of policy activation.
- Each staff member receives 10 single-use backup codes during 2FA setup, which must be stored securely in case their authenticator device fails or gets lost.
- The rollout sequence that minimizes support tickets is: owner enables 2FA first, documents the process with screenshots, then enforces for staff with a 7-day warning period.
Why credential attacks target Shopify stores
Shopify stores process payment data and customer information, making them valuable targets. Attackers acquire leaked credentials from data breaches at unrelated services (email providers, social networks, SaaS tools), then test those username and password combinations against Shopify login pages.
This works because people reuse passwords. A staff member who uses the same password for their Shopify account and their compromised LinkedIn account has created an attack vector. The attacker never needs to hack Shopify itself. They just need one staff member with weak password hygiene.
Once inside your admin, attackers can:
- Export customer data including email addresses and order histories
- Modify product prices to $0.01 and purchase inventory
- Install malicious apps that inject skimming code into your checkout
- Change payout bank account details to redirect revenue
- Delete or ransom your product catalog and order data
Across the 80+ stores we have audited at Defyn, roughly 40% had at least one staff account without 2FA enabled. Many store owners assume Shopify enforces it by default. It does not.
How Shopify 2FA works technically
Shopify implements TOTP (Time-based One-Time Password), the same standard used by GitHub, AWS, and most enterprise systems. The setup process creates a shared secret between Shopify’s servers and your authenticator app.
When you enable 2FA:
- Shopify generates a random secret key (typically 160 bits)
- You scan a QR code that encodes this secret, or manually enter it
- Your authenticator app uses the secret plus the current Unix timestamp to generate a six-digit code
- Shopify’s servers perform the same calculation and compare results
- Codes expire every 30 seconds, with a small time window (usually ±1 period) to account for clock drift
This means your authenticator app works offline. It does not communicate with Shopify. The code generation is purely mathematical, based on the shared secret and the current time.
Authenticator app options
Shopify officially supports:
- Google Authenticator: Simple, no cloud sync, codes lost if you lose the device
- Authy: Cloud backup option, multi-device sync, recovery through phone number
- 1Password: Integrates with password manager, useful for teams already using 1Password
- Microsoft Authenticator: Enterprise-friendly, supports biometric unlock
We recommend Authy for most merchants because device loss is common and cloud backup prevents lockouts. For teams managing multiple stores, 1Password’s shared vaults let you centralize 2FA secrets (though this reduces security if the password manager is compromised).
Rollout playbook for existing teams
Enforcing 2FA on a team that has never used it generates support requests. Follow this sequence to minimize friction.
Week 1: Owner setup and documentation
- Enable 2FA on your own account first (Settings > Account > Security)
- Screenshot every step: QR code scan, backup code screen, first login with 2FA
- Test the backup codes by logging out and using one instead of your authenticator
- Write a one-page guide specific to your team’s tools and workflow
- Store your backup codes in a password manager, not a text file on your desktop
Week 2: Pilot with key staff
Select 2 to 3 staff members who are technically comfortable and ask them to enable 2FA voluntarily. This surfaces edge cases:
- Staff using shared devices at retail locations (requires process changes)
- International team members with unusual authenticator app availability
- Accessibility concerns for staff with vision impairments (most authenticators support screen readers)
Document solutions to these edge cases before broader rollout.
Week 3: Announcement and enforcement
Send an email to all staff:
- Explain why (reference a recent Shopify store breach if possible, or link to /insights/audit-shopify-app-permissions for context on access control)
- Link to your internal setup guide
- Set a deadline 7 days out
- Offer 1-on-1 setup calls for anyone who requests help
On the deadline, go to Settings > Users and permissions > Security and toggle “Require two-factor authentication”. Shopify gives staff 72 hours to comply before blocking access.
Handling enforcement exceptions
Some staff will claim they cannot use 2FA. Valid reasons are rare:
- “I don’t have a smartphone”: Authy works on desktop computers. So does 1Password.
- “I share this account with my team”: Violation of Shopify’s terms. Create individual staff accounts.
- “I’m traveling and can’t install apps”: Backup codes work. They should have saved them during setup.
- “The codes don’t work”: Clock drift. Check device time settings (Settings > General > Date & Time > Set Automatically).
For retail locations with shared iPads, create a dedicated staff account for that device, enable 2FA on it, and store the backup codes in the store’s safe. The authenticator app stays installed on the iPad.
Backup code management
Shopify generates 10 single-use backup codes when you enable 2FA. Each code works exactly once. After using a code, you should regenerate the full set (Settings > Account > Security > Regenerate backup codes).
Store backup codes:
- In a password manager (1Password, Bitwarden, LastPass)
- Printed and locked in a physical safe
- In an encrypted note in your business continuity documentation
Do not store them:
- In Slack or email
- In a text file named “backup-codes.txt” on your desktop
- In a screenshot in your phone’s photo library
- On a sticky note attached to your monitor
If you lose access to both your authenticator and your backup codes, Shopify support can disable 2FA after identity verification. This takes 24 to 72 hours and requires answering security questions plus providing business documentation. Plan for this delay.
Integration with app permission audits
Two-factor authentication protects your staff accounts. It does not protect against malicious apps already installed in your store. An attacker who convinces you to install a fake “SEO optimizer” app can access your data even if every staff account has 2FA enabled.
This is why 2FA is one component of a broader security posture:
- Enable 2FA on all staff accounts (prevents credential attacks)
- Audit installed apps quarterly using /insights/audit-shopify-app-permissions (prevents malicious app persistence)
- Review PCI compliance for payment apps via /insights/shopify-pci-compliance-apps (prevents checkout skimming)
- Monitor login activity in Settings > Users and permissions > Activity log (detects anomalies)
We built Store Auditor to automate steps 2 through 4, but 2FA enforcement remains a manual policy decision only the store owner can make.
Common questions
What happens if a staff member loses their phone?
They use one of their 10 backup codes to log in, then immediately go to Settings > Account > Security to disable 2FA, set it up again with a new device, and generate fresh backup codes. If they lost their backup codes too, they contact you (the store owner) to temporarily remove them from the staff list, then you re-add them and they set up 2FA from scratch. This is why backup code storage matters.
Can I require 2FA for some staff but not others?
No. Shopify’s enforcement is all-or-nothing at the store level. When you enable the “Require two-factor authentication” setting, it applies to every staff account including the owner. You cannot create exceptions for specific roles or individuals. If you need role-based 2FA policies, you need Shopify Plus with custom authentication rules, or you accept that enforcement is universal.
Does 2FA slow down the login process significantly?
The time cost is 5 to 8 seconds per login: open authenticator app, read six-digit code, type it in. Most staff log in once per day or less. For staff who log in dozens of times daily (customer service teams, inventory managers), this adds up to 2 to 3 minutes of overhead. The security benefit outweighs this cost in every scenario we have analyzed at Defyn, but you can reduce login frequency by keeping browser sessions active and using Shopify’s mobile app (which supports biometric unlock after initial 2FA setup).
Wrap-up
Enforcing Shopify two-factor authentication on all staff accounts is the single highest-impact security change most stores can make. The rollout takes two weeks if you follow the playbook: enable it yourself first, pilot with key staff, document the process, announce with a deadline, then enforce. Backup codes prevent lockouts. Combine 2FA with quarterly app audits and login monitoring for defense in depth. Start with your own account today, then cascade to your team within the month.