Technical guide for Hovixa users on implementing Two-Factor Authentication (2FA) in cPanel using TOTP apps to prevent unauthorized account access.

Securing your cPanel Account with Two-Factor Authentication (2FA)

Password authentication alone is insufficient against sophisticated phishing, brute-force, or credential stuffing attacks. Enforcing Two-Factor Authentication (2FA) adds a critical layer of security by requiring a Time-based One-Time Password (TOTP) generated by a physical device or mobile app. This ensures that even if your password is compromised, your Hovixa hosting environment remains protected.

1. Supported Authentication Apps

Hovixa's cPanel implementation uses the standard TOTP protocol. You can use any compliant smartphone app, including:

  • Google Authenticator (Android/iOS)
  • Authy (Supports multi-device sync)
  • Microsoft Authenticator
  • Bitwarden/1Password (Built-in TOTP managers)

2. Configuring 2FA in cPanel

Before beginning, ensure your mobile device's system time is accurate. TOTP relies on time synchronization; if your clock is off by more than 30 seconds, the code will be rejected.

Configuration Steps:

  1. Log in to cpanel.hovixa.com.
  2. Navigate to the Security section and click Two-Factor Authentication.
  3. Click the Set Up Two-Factor Authentication button.
  4. Step 1: Scan the displayed QR Code using your chosen authenticator app.
    • Manual Entry: If your camera is unavailable, you can manually enter the "Account" and "Key" strings provided below the QR code.
  5. Step 2: Enter the 6-digit security code generated by the app into the Security Code field in cPanel.
  6. Click Configure Two-Factor Authentication.

3. Post-Setup: Recovery and Management

Once 2FA is active, you will be prompted for a code every time you log in to cPanel. It does not affect FTP, SSH, or Email passwords, which use their own independent authentication mechanisms.

What if I lose my device?

If you lose access to your TOTP app, you will be locked out of the cPanel web interface. To regain access:

  1. If you have SSH access enabled, you may be able to disable 2FA via the command line (for advanced users).
  2. Contact Hovixa Support. For your protection, we will require strict identity verification before manually disabling 2FA on your account.

4. Technical Implementation Details

  • Algorithm: Hovixa uses the SHA-1 hashing algorithm with 30-second intervals for code rotation.
  • Jailed Shell & API: Enabling 2FA on the cPanel UI does not currently enforce 2FA on API requests using API Tokens. Ensure your API tokens are stored securely and restricted to specific IP addresses where possible.
  • IP Whitelisting: Even with 2FA enabled, Hovixa’s firewall (CSF) will still block your IP after multiple failed password attempts. Ensure you enter the correct password before the 2FA prompt.
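How the parameters above (SHA-1, 30-second intervals, 6-digit codes) produce the security code, and why a drifting device clock leads to rejection. This is an added example, not Hovixa's or cPanel's own code; the key is the published RFC 6238 test secret, and the `window` tolerance in `verify` is an assumption for illustration, not a documented cPanel setting.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as stated in this guide
DIGITS = 6    # length of the security code cPanel asks for

# Constructed sample key: the RFC 6238 test secret, Base32-encoded the way
# an authenticator "Key" string is presented for manual entry.
KEY = base64.b32encode(b"12345678901234567890").decode()


def totp(key_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA-1 over the 30-second step counter."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from `window` steps either side of the server's clock.

    `window` is a hypothetical tolerance chosen for this example.
    """
    for drift in range(-window, window + 1):
        expected = totp(key_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    server_now = 1111111109                       # constructed timestamp
    for skew in (0, -20, -90):                    # device clock error, seconds
        code = totp(KEY, server_now + skew)
        print(f"skew {skew:+4d}s code {code} accepted={verify(KEY, code, server_now)}")
```

A device 20 seconds slow still falls in the same 30-second step here and is accepted; one 90 seconds slow is three steps behind and is rejected.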

Security Recommendation: After enabling 2FA, navigate to the Contact Information section in cPanel and ensure your backup email address is up to date. This is the primary channel we use to communicate during a lockout recovery process.
