This article is part of the X-Cart Two-Factor Authentication (2FA) Guide.
Setting up two-factor authentication
To protect your account, you will need a supported authenticator application installed on your smartphone (such as Google Authenticator, Authy, or 1Password).
To enable 2FA for your admin profile:
Log in to your X-Cart Admin area.
Click on your profile avatar in the top right corner and open your profile settings.
Navigate to the Two-Factor Authentication tab.
Open the authenticator app on your mobile device and scan the QR code displayed on the screen.
Tip: If you cannot scan the QR code, you can manually enter the alphanumeric secret key provided next to it.
Once scanned, your app will start generating 6-digit verification codes. Enter the current 6-digit code into the input field below the QR code.
Click the Verify & Enable 2FA button.
A success message will be displayed. That’s it — 2FA is now configured for your account.
Important: Immediately after enabling 2FA, you will see a Save Backup Codes pop-up.
These codes are crucial if you ever lose access to your mobile device. Please click Download .txt or Copy all codes and store the codes in a secure location. Once saved, click I saved my codes to close the window.
After that, the Two-Factor Authentication tab will show your current 2FA status and provide options to:
generate new codes,
reconfigure 2FA,
Remove 2FA.
Logging in with 2FA
Once 2FA is active, your login process will include a second security step:
Go to the X-Cart admin login page.
Enter your email and password as usual.
You will be prompted to enter a verification code.
Open your authenticator app, check the current 6-digit code, and enter it into the field.
Click Verify.
Managing your 2FA settings
You can manage your active 2FA configuration at any time by navigating back to the Two-Factor Authentication tab in your profile details.
Reconfiguring 2FA (Changing devices)
If you bought a new smartphone or want to switch to a different authenticator app, you need to reconfigure your setup:
Click Reconfigure 2FA at the bottom of the page.
A pop-up will appear with a new QR code.
Scan the new QR code with your new device and verify it.
Note: This action will invalidate your old authenticator app and generate a new set of backup codes.
Generating new backup codes
If you have used most of your backup codes or suspect they have been compromised:
Click the Generate new codes button.
Enter your account password to confirm the action.
Save the newly generated codes. Your old backup codes will immediately stop working.
Removing 2FA
To disable two-factor authentication for your account:
Click Remove 2FA at the bottom of the page.
Enter your account password to confirm the action.
Click the red Remove 2FA button in the pop-up. Your account will revert to password-only login.
Note for Secondary Admins: If the root administrator has enabled the "Require 2FA for all admins" security policy for the store, the Remove 2FA button will be disabled. You cannot remove 2FA while this store-wide policy is active.
Using backup codes
If you lose your phone or cannot access your authenticator app, you can use one of your saved backup codes to log in:
On the 2FA verification screen during login, click the Use a backup code instead link.
Enter one of your 8-character backup codes.
Click Verify.
Note: Each backup code can only be used once. Once you use a backup code to log in, it is highly recommended to navigate to your profile settings and Reconfigure 2FA to link a new device, or Generate new codes if you are running low. If you have lost both your device and your backup codes, please contact your store's root administrator to reset your 2FA settings.
Can't find answers you're looking for?
Email us at support@x-cart.com. We will be happy to help!
Related articles