Why 2FA Matters
Passwords alone are not sufficient protection for business accounts. Password breaches, phishing, and credential stuffing are common, and all of them hand an attacker a valid password. 2FA adds a second verification step that an attacker who holds only your password cannot complete.
Shopify admin accounts are high-value targets. A compromised admin account can expose customer data (triggering GDPR notification requirements), allow fraudulent orders, and enable changes to payment settings. 2FA prevents the vast majority of account compromises.
Enabling 2FA
To enable 2FA on your own Shopify account: click your account avatar, go to Account Security, then under Two-step authentication, click Turn on. Choose your method: authenticator app (recommended), SMS, or security key.
Authenticator apps (Google Authenticator, Authy, 1Password) are more secure than SMS because the code is generated on your device from a shared secret rather than delivered over the phone network, so they are not vulnerable to SIM-swapping attacks. Use an authenticator app wherever possible.
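To make the "generated on your device" point concrete, here is an added example (not Shopify's code, and not part of the original article) of the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use. The shared secret, the base32 string that the QR code carries, is the RFC's own test value, so nothing travels over SMS at verification time: both sides derive the code from the secret and the current 30-second time step. The small acceptance window tolerates clock drift without accepting a stale code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 4226/6238 vector "12345678901234567890",
# shown here base32-encoded exactly as an authenticator app would receive it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the enrolment QR code into raw key bytes."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps either side (clock drift), comparing in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

The same secret on the server and in the app is the whole trust relationship: protect the enrolment QR code as you would a password, and note that a secret recovered from a backup or screenshot lets anyone generate valid codes indefinitely.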
Staff Account Security
As a store owner, you can require 2FA for all staff accounts. Go to Settings, then Users and Permissions, and enable the requirement for all staff to use 2FA. When enabled, staff members who have not set up 2FA will be prompted to do so on their next login.
Review which staff members have admin access regularly. Remove access for team members who no longer need it. Apply the principle of least privilege: give staff only the permissions they need for their role.
Recovery Codes
When you set up 2FA, Shopify generates recovery codes. These are one-time-use codes that let you access your account if you lose access to your 2FA device. Download and store these in a secure location such as a password manager or offline in a safe.
If you lose both your 2FA device and recovery codes, account recovery requires identity verification with Shopify Support, which can take several days.
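As an added illustration of the "one-time-use" property described above (this is a generic pattern, not Shopify's implementation, and not code from the original article): a service generates a handful of random codes, stores only their hashes, and deletes the hash when a code is redeemed so that the same code can never be replayed. The codes, separators and counts below are constructed for the example.

```python
import hashlib
import hmac
import secrets

CODE_HEX_CHARS = 10          # 40 bits of entropy per code (constructed choice)
DEFAULT_CODE_COUNT = 10


def generate_recovery_codes(count: int = DEFAULT_CODE_COUNT) -> list:
    """Produce human-readable one-time codes like 'a1b2c-3d4e5'.
    These are shown to the user exactly once and never stored in clear."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_HEX_CHARS // 2)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    """Ignore case, whitespace and the display separator when a user types a code."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash_code(code: str) -> str:
    # Codes are random and high-entropy, so a fast hash is adequate here;
    # a slow password hash would be needed if codes were user-chosen.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side state for one account: only hashes of unused codes."""

    def __init__(self, codes: list):
        self._hashes = [_hash_code(c) for c in codes]

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns True once per code; a replay returns False."""
        candidate = _hash_code(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)      # burn it: one-time use
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("replay:", store.redeem(codes[0]))       # False
    print("remaining:", store.remaining())         # 9
```

This is also why the article's storage advice matters: the list you download is the only copy in clear text, and once a code is used it is gone on both sides, so regenerate a fresh set when you are running low.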
Customer Account 2FA
Shopify's new customer accounts (as opposed to classic customer accounts) support passkeys and other secure authentication methods. While you cannot enforce 2FA on customer accounts, encouraging customers to use passkeys or strong passwords reduces account takeover risk for your customer base.
Password Policies
Encourage all staff to use a password manager and unique, strong passwords for their Shopify accounts. Prohibit sharing login credentials between staff: each team member should have their own account with appropriate permissions, not a shared account.