Loading...

How to Enable Two-Factor Authentication on MyKinsta

MyKinsta supports two-factor authentication (2FA) using authenticator apps. Enabling 2FA adds a second layer of security to your account, so even if your login credentials are compromised, access still requires a time-based one-time code from your phone or password manager. All Kinsta user roles can enable 2FA independently from their own User Settings.

Why Hosting Accounts Need Two-Factor Authentication

A MyKinsta account is a high-value target for attackers. Access to the dashboard means access to every site you host: the ability to modify WordPress files, install backdoors, change DNS records, access database exports in your backup files, and modify billing details. That is a higher blast radius than a typical email or social account compromise.

The most common attack vector is not a brute force on your password. It is credential stuffing: attackers take email and password combinations leaked from other services and try them against every platform they can. If you reuse a password from any site that has ever been breached, your MyKinsta account is vulnerable. The Have I Been Pwned database lists billions of compromised credential pairs, and automated tools cycle through them at scale.

Two-factor authentication breaks credential stuffing entirely. The attacker may have your password, but without the rotating TOTP code from your phone or password manager, they cannot log in. MyKinsta uses app-based 2FA (time-based one-time passwords) rather than SMS because TOTP is not vulnerable to SIM-swapping attacks, works without mobile signal, and generates fresh codes every 30 seconds that cannot be intercepted in transit.

Before You Start

You will need an authenticator app installed on your phone or desktop before beginning. Recommended options include:

  • Google Authenticator (Android/iOS): free, widely used, straightforward setup
  • Authy (Android/iOS/desktop): supports multi-device sync and encrypted backups, which helps if you lose your phone
  • 1Password, Bitwarden, or Dashlane: if you already use a password manager with built-in 2FA support

Kinsta uses app-based 2FA rather than SMS-based 2FA. Authenticator apps are more secure because they are not vulnerable to SIM-swapping attacks and work even without a mobile signal.

How to Enable 2FA on MyKinsta

Step 1 - Log In to MyKinsta

Log in to your MyKinsta dashboard using your email address and password.

Step 2 - Open User Settings

Click on your account avatar in the bottom-left corner of the MyKinsta dashboard. Select User Settings from the menu that appears.

MyKinsta user settings menu

Step 3 - Enable Two-Factor Authentication

Scroll down the User Settings page to the Two-Factor Authentication section. Click Enable Two-Factor Authentication. A QR code will appear on screen.

Step 4 - Scan the QR Code

Open your authenticator app and scan the QR code displayed in MyKinsta. If your app supports manual entry, you can use the setup key shown below the QR code instead. Once scanned, the app will begin generating 6-digit one-time codes that refresh every 30 seconds.

Step 5 - Enter the Verification Code

Enter the current 6-digit code from your authenticator app into the confirmation field in MyKinsta and click Verify. MyKinsta will confirm that 2FA is now active on your account. You will be prompted for a code each time you log in from a new device or browser.

Adding MyKinsta 2FA to 1Password

If you already use 1Password, you can store your MyKinsta one-time codes alongside your login. Take a screenshot of the QR code displayed in MyKinsta and save it to your desktop. In 1Password, open your MyKinsta login entry, click Edit, add a One-Time Password field, then click the QR code icon and drag the screenshot into the scanner. Save the entry. 1Password will now generate your MyKinsta one-time codes automatically when you fill your login credentials.

If the QR code is not recognised, take a fresh screenshot and ensure there is adequate whitespace around the code before trying again.

What to Do If You Lose Access to Your Authenticator

If you lose your phone or delete your authenticator app without saving a backup, contact Kinsta support directly. They will verify your identity and disable 2FA on your account so you can log in and set it up again with a new device.

To avoid this situation, use Authy (which supports encrypted cloud backups) or save your 2FA setup key in a secure location when you first enable it. This key allows you to reconfigure your authenticator on any device.

Switching Your Authenticator to a New Phone

Switching phones is the most common reason 2FA stops working on MyKinsta. The safest approach is to transfer accounts before wiping the old device:

  • Authy: enable multi-device sync in Authy settings on the old phone, install Authy on the new phone, and approve the new device from the old one. Your MyKinsta entry transfers automatically.
  • Google Authenticator: use the built-in account transfer feature (tap the menu icon, then choose Transfer accounts and Export accounts) to generate a QR code, then scan it from the new phone.
  • 1Password or Bitwarden: log in to your vault on the new device. One-time password entries sync automatically with the rest of your vault.

If you have already switched devices and no longer have access to the old authenticator, go to MyKinsta User Settings, disable 2FA using a backup code or by contacting Kinsta support to verify your identity, then re-enable it from scratch on the new device by scanning a fresh QR code.

How to Disable 2FA on MyKinsta

To turn off two-factor authentication, go to User Settings and scroll to the Two-Factor Authentication section. Click Disable Two-Factor Authentication. MyKinsta will ask you to enter a one-time code from your authenticator app to confirm you still have access before completing the change.

If you no longer have access to your authenticator (lost phone, deleted app, or wiped device), you cannot disable 2FA yourself. Contact Kinsta support through the MyKinsta chat. They will verify your identity and disable 2FA so you can set it up again with a new device.

How to Enforce 2FA Across Your Kinsta Team

Kinsta company owners can require all users on the account to have 2FA active. Go to Company Settings > Security and enable the 2FA enforcement option. Once enabled, any team member who logs in without 2FA is prompted to configure it before they can access the dashboard.

This is worth enabling for any agency or team where multiple people share MyKinsta access. A single compromised account without 2FA can result in site changes, DNS edits, or billing issues that are difficult to reverse quickly.

Two-Factor Authentication and MyKinsta User Roles

In MyKinsta, each user manages their own 2FA settings independently, regardless of their role (Company Owner, Admin, Developer, or Billing). A Developer-role user must enable 2FA on their own account separately from the Company Owner. If 2FA enforcement is turned on at the company level, all roles are required to comply before they can access the dashboard. This means there is no role that is exempt from the requirement once enforcement is enabled.

MyKinsta Account Security Checklist

Two-factor authentication is the most important account security step, but it is not the only one. Once 2FA is active, run through these additional checks to close the remaining gaps.

  • Set up SSH key authentication for SFTP. MyKinsta supports SSH public key auth for SFTP access to your sites. Go to SSH Keys in User Settings, add your public key, and disable password-based SFTP login where possible. SSH keys cannot be phished or credential-stuffed.
  • Rotate your API keys. If you use the MyKinsta API or any third-party tool that connects via API key, rotate those keys every 90 days. Go to User Settings > API Keys to generate a new key and revoke the old one. API keys with persistent access are a secondary entry point if they are ever exposed in a code repository or configuration file.
  • Audit active team members. Go to Company Settings > Users and review every account that has access to your MyKinsta company. Remove ex-employees, contractors whose engagement has ended, and any account you do not recognize. Former team members with lingering access are a common overlooked risk.
  • Use a dedicated admin email address. The email on your MyKinsta account should not be the same one you use for public-facing profiles, comment sections, or newsletters. A separate email reduces the chance that your MyKinsta login is included in a credential dump from another service.
  • Enable billing alerts. Set up spending notifications from your billing settings so any unexpected charge from an unauthorized action appears in your inbox immediately. Attackers who gain access sometimes change billing details before making other changes.
  • Check recent login activity. MyKinsta logs recent login IPs. Review them periodically from User Settings for any unfamiliar locations or devices, especially after sharing account credentials temporarily or after any security incident at a service you use.

Final Word: How to Enable Two-Factor Authentication on MyKinsta

Enabling 2FA on MyKinsta takes under two minutes and significantly reduces the risk of unauthorised account access. Use an authenticator app such as Google Authenticator, Authy, or your password manager for the most secure setup. Save your setup key when you first enable it so you can recover access if you change devices. After 2FA is active, complete the account security checklist: SSH key auth for SFTP, regular API key rotation, team member audit, and a dedicated admin email. For troubleshooting site errors after securing your account, you can also enable WordPress debug mode in MyKinsta from the Tools tab. You can also manage your MyKinsta notifications to control which alerts and emails your account sends. For an overview of everything Kinsta includes across plans, see our Kinsta hosting guide. For user roles, billing, and domain management inside MyKinsta, see the Kinsta account and domain management guide.

FAQs
MyKinsta works with any TOTP-compatible authenticator app, including Google Authenticator, Authy, Microsoft Authenticator, and password managers with built-in 2FA support such as 1Password, Bitwarden, and Dashlane. Kinsta recommends app-based 2FA over SMS-based methods because authenticator apps are not vulnerable to SIM-swapping attacks.
Kinsta does not currently offer company-wide enforcement of 2FA at the account level. Each user must enable 2FA individually from their own User Settings in the MyKinsta dashboard. For team accounts, it is good practice to make 2FA setup part of your onboarding process when adding new team members.
If you lose access to your authenticator app, contact Kinsta support directly. They will verify your identity and remove 2FA from your account so you can log in and set it up again. To avoid being locked out, use an app like Authy that supports encrypted cloud backups, or save your 2FA setup key somewhere secure when you first enable it.
MyKinsta currently supports TOTP-based 2FA through authenticator apps only. Hardware security keys (YubiKey, Google Titan) and passkeys are not supported at this time. For the most secure TOTP setup, use an app with encrypted backup such as Authy, or store the TOTP setup key in a password manager like 1Password or Bitwarden.
The safest method is to transfer before wiping the old device. Authy supports multi-device sync: enable it on the old phone, install Authy on the new one, and approve from the old device. Google Authenticator has a built-in account transfer feature under its menu. 1Password and Bitwarden sync automatically across devices when you log in on the new phone. If you have already switched and cannot access the old authenticator, go to MyKinsta User Settings and disable 2FA using a backup code, or contact Kinsta support to verify your identity and remove the old 2FA so you can set it up fresh.
Some of the links on this blog are sponsored links
Newsletter
Stay Ahead in Hosting

Expert hosting tips, reviews, and exclusive deals — delivered straight to your inbox. Join thousands of smart webmasters.

You're in! Thanks for subscribing.
Something went wrong — please try again.
No spam, ever. Unsubscribe in one click.
Top