HM Two-Factor Authentication for WHMCS

HM Two-Factor Authentication for WHMCS

Developed By HostModules

Compatible with WHMCS v9.0

Host Modules Two-Factor Authentication for WHMCS

HM Two-Factor Authentication adds a second layer of login security to your WHMCS client area. Clients can protect their accounts using a TOTP authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or receive a one-time code by email — whichever suits them. Backup recovery codes ensure they are never locked out permanently.

Unlike alternatives that only support email codes, HM 2FA is a full two-factor authentication system with QR code setup, trusted device management, forced 2FA enforcement, brute-force lockout protection, and a detailed security audit log — all managed from a clean admin panel with no IonCube Loader required.

View Details

─────────────────────────────────────

AUTHENTICATION METHODS

─────────────────────────────────────

  • Authenticator App (TOTP) — works with Google Authenticator, Authy, Microsoft Authenticator, and any RFC 6238-compliant app
  • Email Code — a 6-digit one-time code sent to the client's registered email address
  • Backup Recovery Codes — 10 single-use emergency codes generated at setup, regeneratable at any time from the client's 2FA management page
  • QR Code Setup — scan a QR code to add the account to an authenticator app instantly; manual secret key entry also available

─────────────────────────────────────

CLIENT SETUP & MANAGEMENT

─────────────────────────────────────
A guided multi-step setup wizard walks clients through enabling 2FA in minutes. After setup, a dedicated 2FA management page in the client area gives full control over their configuration.

  • Enable or disable 2FA at any time from the management page
  • Switch between authenticator app and email code methods
  • Regenerate backup recovery codes on demand
  • View remaining backup code count at a glance
  • "Remember this device" — trusted devices skip 2FA for up to 30 days (configurable), so clients are not prompted on every login from the same browser
  • Automatic code submission on 6-digit entry — no button click needed
  • 2FA status card injected directly into the WHMCS Security Settings page

─────────────────────────────────────

NAVIGATION INTEGRATION

─────────────────────────────────────

  • 2FA management link added to the WHMCS client area navigation
  • Configurable position: shortcuts bar, account dropdown, or both

─────────────────────────────────────

ADMIN DASHBOARD

─────────────────────────────────────

  • Total active clients vs 2FA-enabled clients
  • 2FA adoption rate percentage at a glance
  • Successful verifications today
  • Failed verification attempts today
  • Active verified sessions count
  • Total exempt clients

─────────────────────────────────────

ADMIN CLIENT MANAGEMENT

─────────────────────────────────────
A searchable, paginated client list showing the 2FA status, exemption state, and lockout state of every client — with per-row admin actions.

  • Disable 2FA for a specific client
  • Reset a client's 2FA setup (forces them to re-enrol)
  • Exempt a client from 2FA with a reason note
  • Manually unlock accounts locked due to failed attempts
  • 2FA status badge visible on every WHMCS admin client profile page

─────────────────────────────────────

SECURITY AUDIT LOG

─────────────────────────────────────
A full per-attempt log of every 2FA verification event — successful and failed — with the detail needed to investigate suspicious activity.

  • IP address, browser/user agent, and 2FA method per attempt
  • Failure reason recorded (wrong code, expired, too many attempts)
  • Filter by client, outcome (success / failure), and date range
  • Admin email notifications on suspicious failure patterns

─────────────────────────────────────

SECURITY ARCHITECTURE

─────────────────────────────────────

  • RFC 6238 TOTP compliance with time-sync tolerance (±1 window)
  • Cryptographically secure secret and code generation (random_bytes)
  • Timing-safe code comparison (hash_equals) — prevents timing attacks
  • Account lockout after configurable failed attempts (default: 5)
  • Configurable lockout duration (default: 30 minutes)
  • Session-bound verification with IP address and user agent tracking
  • Daily automatic cleanup of expired sessions, codes, and old log entries
  • Brute force protection with per-client attempt tracking

─────────────────────────────────────

ENFORCEMENT & POLICY

─────────────────────────────────────

  • Force 2FA for all clients — requires every client to enrol within a configurable grace period (default: 7 days)
  • Require verified email before 2FA setup can begin
  • Per-client exemptions with reason notes for staff accounts, resellers, or accessibility cases
  • Automatically disables WHMCS native 2FA to prevent conflicts

─────────────────────────────────────

CONFIGURATION

─────────────────────────────────────

  • Customise the application/issuer name shown in authenticator apps
  • Configurable session timeout, backup code count, and email code expiry
  • Enable or disable 2FA globally with a single toggle
  • All settings managed from the admin panel — no file editing required

─────────────────────────────────────

LANGUAGE MANAGER

─────────────────────────────────────
Override any text string on the 2FA setup, verification, and management pages directly from the admin panel without editing any template files. Customise headings, button labels, and instructions for your audience.

─────────────────────────────────────

REQUIREMENTS

─────────────────────────────────────

  • WHMCS 8.x or newer
  • PHP 7.4 or newer
  • No IonCube Loader required
  • Works with any WHMCS client theme

 

There are no reviews yet!

Be the first to review HM Two-Factor Authentication for WHMCS.

Version Compatibility


Compatible with WHMCS v9.0

Full Version Compatibility


  • Selected versions of WHMCS v9.0
        9.0.0 - 9.0.5
  • Selected versions of WHMCS v8.13
        8.13.0 - 8.13.4
  • All versions of WHMCS v8.12
  • All versions of WHMCS v8.11
  • Selected versions of WHMCS v8.10
        8.10.0
  • Selected versions of WHMCS v8.9
        8.9.0
  • Selected versions of WHMCS v8.8
        8.8.0
  • All versions of WHMCS v8.7
  • All versions of WHMCS v8.6
  • All versions of WHMCS v8.5
  • All versions of WHMCS v8.4
  • All versions of WHMCS v8.3
  • All versions of WHMCS v8.2
  • All versions of WHMCS v8.1

System Requirements


  • WHMCS 8.x or newer
  • PHP 7.4 or newer

* Requirements listed are in addition to the WHMCS default system requirements.

Support for this product

The best place to start if you need help with a specific product is to contact the developer. All WHMCS Marketplace developers have both a website and support URL listed.

Developed By HostModules

Changelog

v1.2.0 Released June 29th, 2026

Latest Version


Version 1.0.0 — Initial Release

  • Two authentication methods: TOTP authenticator app and email one-time code — clients choose their preferred method
  • QR code setup with guided multi-step enrolment wizard
  • Manual secret key entry as an alternative to QR code scanning
  • Backup recovery codes — 10 single-use codes generated at setup, regeneratable at any time
  • Automatic code submission on 6-digit entry (no button click needed)
  • Trusted device management — remember device for up to 30 days (configurable), skipping 2FA on repeat logins from the same browser
  • 2FA status card injected into WHMCS Security Settings page
  • Navigation link configurable to shortcuts bar, account dropdown, or both
  • Admin dashboard — adoption rate, successful/failed attempts today, active sessions, exempt client count
  • Admin client list — per-client 2FA status, exemption state, lockout state with disable, reset, exempt, and unlock actions
  • Security audit log — per-attempt log with IP, browser, method, failure reason; filterable by client, outcome, and date range
  • 2FA status badge on every WHMCS admin client profile page
  • Force 2FA policy with configurable grace period (default: 7 days)
  • Require verified email before 2FA enrolment
  • Per-client exemptions with reason notes
  • Account lockout after configurable failed attempts with configurable lockout duration
  • Admin email notifications on suspicious failure patterns
  • RFC 6238 TOTP compliance with time-sync tolerance
  • Timing-safe code comparison (hash_equals)
  • Cryptographically secure secret generation (random_bytes)
  • Automatic daily cleanup of expired sessions, codes, and old log entries
  • Automatic conflict resolution — disables WHMCS native 2FA on activation
  • Language manager — override all page strings from the admin panel
  • Settings backup on deactivation and auto-restore on reactivation
  • Compatible with WHMCS 8.x+ and PHP 7.4+; works with any WHMCS theme; no IonCube Loader required

 

See also

Discord Notifications

A simplistic, free & open source hook allowing instant Discord notifications when an action is triggered.

Free
Netgsm Sms

Netgsm Sms addon provides you sending customized bulk sms and creating sms templates.

Free
MSG91 SMS/OTP Plugin

MSG91 WHMCS SMS plugin gives you the power and flexibility to stay connected with your customers by sending them an SMS and OTP's for 2FA at the crucial steps that matters the most.

Free
SMS Manager

More Advanced SMS System

Commercial
SMSQ Notify

Send SMS Notification From WHMCS by SMSQ Notify

Free