Password Security and Two-Factor Authentication for Ecommerce
Before You Start
Make a list of every account that has any level of access to your ecommerce business. This includes your ecommerce platform admin, hosting control panel, domain registrar, payment processor, business email, email marketing platform, analytics accounts, social media accounts, customer service tools, accounting software, and any other SaaS tools connected to your store. Most store owners discover they have 15 to 30 accounts that, if compromised, could affect their business. Each of these needs a unique password and, where available, two-factor authentication.
Download an authenticator app before you begin. Google Authenticator (free, iOS and Android), Authy (free, iOS and Android, with multi-device sync), and Microsoft Authenticator (free, iOS and Android) are the most widely supported options. Authy's multi-device sync feature is particularly useful because it allows you to access your 2FA codes from a new phone without manually re-adding every account, which is a significant time saver if you upgrade or lose your phone.
Step-by-Step Authentication Setup
A password manager generates, stores, and auto-fills complex passwords so you do not need to remember them. You only need to remember one master password, the one that unlocks the password manager itself. The leading options are 1Password ($36/year for individuals, $60/year for families), Bitwarden (free for basic features, $10/year for premium), and Dashlane ($60/year). All three provide browser extensions that auto-fill passwords on login pages, mobile apps for phone use, and secure sharing features for team accounts. Choose one and install the browser extension and mobile app. Create your master password as a passphrase of 4 to 6 random words (like "correct horse battery staple" but truly random), which is both stronger and more memorable than a short complex password. Your master password should be the only password you memorize, and it should never be used for any other account.
Open your password manager and begin adding your business accounts one at a time. For each account, log into the service, navigate to the password change page, and use your password manager's password generator to create a new password of at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. Save the new password in your password manager before clicking the change password button, so you do not lose access if the browser closes mid-process. If any of your current passwords are reused across multiple services, prioritize changing those first, because a single breach at any service that shares that password exposes every other service using it. Check haveibeenpwned.com with your email addresses to see if your credentials have already been exposed in known data breaches. If they have, change those passwords immediately regardless of whether you reuse them.
Starting with your most critical accounts (email, ecommerce platform, payment processor, hosting), enable 2FA in each service's security settings. The process is similar across services: find the 2FA or MFA section in security settings, choose "Authenticator App" as your method, scan the QR code with your authenticator app, enter the 6-digit code the app generates to confirm setup, and save the backup/recovery codes the service provides. Prioritize authenticator app-based 2FA over SMS-based 2FA. SMS codes can be intercepted through SIM swapping attacks where an attacker convinces your phone carrier to transfer your number to their SIM card. Authenticator app codes are generated locally on your device and cannot be intercepted remotely. If a service only offers SMS 2FA, enable it anyway because SMS 2FA is still far better than no 2FA, but make a note to monitor for authenticator app support in future updates. Here is where to find 2FA settings on the most common ecommerce services: Shopify under Settings, Users and Permissions, then your account, Security. WooCommerce/WordPress requires a plugin like WP 2FA or Wordfence Login Security. Stripe under Settings, Team and Security, Two-Step Authentication. PayPal under Settings, Security, 2-Step Verification. Google (for Analytics, Ads, Search Console) under myaccount.google.com, Security, 2-Step Verification. Cloudflare under My Profile, Authentication.
Every service that offers 2FA provides a set of backup or recovery codes that you can use to log in if you lose access to your authenticator app (lost phone, broken device, factory reset). These codes are your emergency access, and they must be stored securely but accessibly. Print them and store the printed sheet in a locked drawer, safe, or safety deposit box. Alternatively, store them in an encrypted note within your password manager, which is accessible from any device as long as you know your master password. Do not store recovery codes in an unencrypted file on your computer, in your email, or in a cloud document because anyone who accesses those locations gains the ability to bypass your 2FA. If your password manager offers a secure notes feature with encryption (1Password, Bitwarden, and Dashlane all do), using it for recovery codes keeps everything in one securely encrypted vault.
Customer account security protects your customers from account takeover and protects your store from the fraud and chargebacks that follow. Set minimum password requirements of at least 8 characters (NIST recommends not setting overly complex rules that lead to predictable patterns like "Password1!" but instead encouraging longer passwords). Implement account lockout after 5 to 10 failed login attempts, either locking for 15 to 30 minutes or requiring a CAPTCHA to continue. Enable rate limiting on your login endpoint to prevent credential stuffing attacks, limiting to 10 to 20 attempts per IP per minute. Offer optional 2FA for customer accounts, particularly for customers who store payment methods or have loyalty balances. Ensure your password reset flow sends a time-limited (1-hour expiry) unique link to the registered email address rather than sending the password itself, and invalidate the reset link after a single use. For high-value account changes like updating the email address or adding a new payment method, require the customer to re-enter their current password even if they are already logged in.
Team and Employee Account Security
If you have employees or contractors who access your ecommerce systems, their accounts need the same protection as yours. Create individual accounts for each team member rather than sharing a single admin login, because shared accounts make it impossible to audit who did what and prevent you from revoking individual access when someone leaves. Most ecommerce platforms, hosting providers, and SaaS tools support multiple user accounts with role-based permissions.
Require all team members to use a password manager and enable 2FA before granting them access. If your budget allows, use a team password manager plan (1Password Teams at $20/user/month, Bitwarden Organizations at $4/user/month) that allows you to share specific credentials without revealing the actual passwords, provision and deprovision access centrally, and enforce password policies across the team. When a team member leaves, immediately revoke their access to all systems, change any shared passwords they had access to, and deauthorize their devices from team tools.
For contractors who need temporary access, create time-limited accounts with the minimum permissions necessary for their task. If a web developer needs to modify your theme, give them access to the theme editor, not full admin access. If an accountant needs to export order data, give them read-only access to the orders section. Document which contractors have access to which systems, and revoke access immediately when their project ends.
Passkeys and the Future of Authentication
Passkeys are a newer authentication technology that replaces passwords entirely with cryptographic credentials stored on your devices. When you log into a service with a passkey, your device (phone, laptop, or security key) proves your identity using public-key cryptography, without any password being transmitted or stored on the server. Passkeys cannot be phished because the authentication is tied to the specific website domain, they cannot be stolen from server breaches because the server only stores a public key that is useless without your private key, and they cannot be guessed or brute-forced because there is no password to attack.
Shopify, Google, Microsoft, Apple, PayPal, and many other major services now support passkeys. If your ecommerce platform and critical services offer passkey support, enabling it provides stronger security than even password-plus-2FA combinations. The practical limitation is that passkeys require modern devices and operating systems (iOS 16+, Android 9+, Windows 10+, macOS Ventura+), and recovery from device loss requires either a synced passkey backup (through iCloud Keychain or Google Password Manager) or a hardware security key enrolled as a backup authenticator.
What to Do if an Account Is Compromised
If you suspect any business account has been compromised, act immediately. Change the password on the compromised account. If you cannot access the account because the attacker changed the password, use the account recovery process or contact the service's support team directly. Revoke all active sessions (most services have an option to sign out all devices). Check for unauthorized changes: new admin users, modified payment settings, altered shipping addresses, injected code or new scripts, changes to email forwarding rules, and any exported data. Enable 2FA if it was not already active. Check your other accounts for compromise, because attackers who gain access to one account often attempt to access others, especially if passwords were reused. Review your incident response plan to determine if the compromise constitutes a data breach requiring customer notification.
