Email 2FA for WHMCS

Add an extra layer of login security to your WHMCS installation with email-based two-factor authentication.

Email 2FA for WHMCS sends a one-time passcode to the user’s registered email address after they enter their username and password. The user must enter the valid code before access is granted.

The module supports WHMCS clients, sub-account users, and administrators, making it a complete email authentication solution for your entire WHMCS platform.

Key Features

• Email one-time passcodes for clients, users, and administrators
• Native integration with the WHMCS Two-Factor Authentication system
• Secure, single-use, time-limited verification codes
• Configurable code length from 4 to 8 digits
• Configurable code expiry time
• Resend button with live cooldown timer
• Configurable maximum resend limit per login
• Brute-force protection with temporary account lockouts
• Exponential lockout for repeated failed attempts
• Trusted-device bypass using a secure cookie, IP address, or either method
• Configurable trusted-device duration
• One-time backup recovery codes
• Per-account anti-phishing phrases
• Customizable multilingual email templates
• HTML email templates with automatic plain-text versions
• Email template merge fields and test-send functionality
• Searchable authentication audit logs
• CSV log export
• GDPR-friendly email masking
• Configurable log retention
• Automatic cleanup of expired codes, trusted devices, and old logs
• Global BCC suppression for authentication emails
• Dashboard statistics and recent activity reporting
• Admin client-summary 2FA status panel
• Enforcement controls for clients and administrators
• Responsive and RTL-aware verification interface

Secure Email Authentication

After a user enters their correct WHMCS login credentials, the module generates a secure one-time passcode and sends it to the email address associated with their account.

The code can only be used once and expires automatically after the configured time. Codes are stored securely as hashes rather than plain text.

Administrators can control:

• Code length
• Code validity period
• Maximum verification attempts
• Lockout duration
• Resend cooldown
• Maximum resends per login

Protection Against Brute-Force Attacks

Email 2FA includes built-in protection against repeated code guessing.

When a user exceeds the configured number of failed attempts, verification is temporarily locked. Repeated offences can trigger progressively longer lockout periods, helping protect accounts from automated attacks.

Trusted Devices

Users can optionally select Trust this device during login to avoid entering a verification code every time.

Administrators can choose how trusted access is recognized:

• Secure device cookie
• Matching IP address
• Either device cookie or IP address

The trusted period can be configured for a specific number of days, and administrators can view or revoke trusted devices when required.

Backup Recovery Codes

When enabled, users receive one-time backup codes during 2FA activation.

These codes allow users to access their account if they temporarily lose access to their email inbox. Each backup code can only be used once.

Anti-Phishing Protection

Users can create a personal anti-phishing phrase that appears inside every legitimate verification email.

This helps users identify authentic authentication emails and recognize suspicious or fraudulent messages.

Customizable Email Templates

Create branded authentication emails directly from the WHMCS admin area.

You can customize:

• Email subject
• HTML email content
• Sender name
• Sender email address
• Reply-To address
• Brand logo
• Language-specific templates

Available merge fields include the recipient’s name, verification code, code validity, login IP, company name, date, logo, and anti-phishing phrase.

A built-in test-send option allows administrators to confirm email appearance and delivery before enabling the module for users.

Client and Administrator Support

Email 2FA can be enabled for:

• WHMCS clients
• Sub-account users
• WHMCS administrators

Clients and administrators can activate Email 2FA through their existing WHMCS security settings.

WHMCS enforcement options can also be used to require users or administrators to configure two-factor authentication on their next login.

Easy Login Experience

During login, users receive a clear and responsive verification screen where they can:

• Enter the emailed one-time passcode
• Request a new code after the cooldown period
• Trust the current device
• Use a backup recovery code

The challenge interface is responsive, theme-independent, and designed to work with both left-to-right and right-to-left languages.

Complete Admin Dashboard

The included addon dashboard gives administrators access to:

• Authentication statistics
• Recent activity charts
• Searchable audit logs
• CSV export
• Email template management
• Trusted-device management
• Configuration controls
• License status and help information

Administrators can also view a user’s Email 2FA status directly from the client summary page.

Privacy-Focused Logging

Authentication events can be recorded for security monitoring and troubleshooting.

Administrators can enable email masking to reduce exposure of personal information in logs and configure how long log entries should be retained.

Old logs, expired verification codes, and expired trusted-device records can be removed automatically through cron cleanup.

Secure Authentication Email Delivery

The module can suppress the WHMCS global BCC setting specifically for 2FA emails.

This helps prevent sensitive one-time passcodes from being copied to a shared BCC mailbox while leaving the global BCC behavior unchanged for other WHMCS emails.

Requirements

• WHMCS 8.x or newer
• PHP 8.1 or newer
• PHP cURL extension
• PHP Sodium extension
• A working WHMCS outgoing email configuration

Built for WHMCS Security

Whether you manage a hosting business, domain reseller platform, SaaS service, or client portal, Email 2FA for WHMCS helps reduce unauthorized account access by adding a secure email verification step to every protected login.