How to Enable 2FA in GoHighLevel — Secure Your Agency

Your GoHighLevel agency account holds sensitive client data, team credentials, and billing information. One compromised password opens the door to phishing attacks, SIM-swap fraud, and unauthorized access. Two-Factor Authentication (2FA) is your first line of defense—and it takes less than 5 minutes to set up.

In this guide, I'll walk you through enabling 2FA using authenticator apps (the most secure method), explain why it matters for agency security, and show you how to roll it out across your team. If you haven't experienced GoHighLevel's security features firsthand, start a FREE 30-day trial to explore the full platform.

Why 2FA Matters for Your Agency

A single password isn't enough anymore. Cybercriminals use sophisticated tactics—credential stuffing, phishing emails, dictionary attacks—to breach accounts. Even a "strong" password can be compromised if you reuse it across platforms.

With 2FA enabled, attackers need two pieces of information: your password AND a time-limited code from your authenticator app. Even if they steal your credentials, they can't access your account without that second factor.

For agencies managing multiple client accounts, team workflows, and integrations, 2FA isn't optional—it's essential. A breach doesn't just affect you; it exposes your clients' data, damaging trust and creating legal liability.

Authenticator Apps vs. SMS-Based 2FA

GoHighLevel supports both authenticator apps and SMS-based 2FA. Here's why authenticator apps are the better choice:

Bottom line: Use authenticator apps for your primary 2FA method. Keep SMS as a backup only.

How to Enable 2FA in Your GoHighLevel Account

Follow these steps to activate 2FA for your personal GoHighLevel account:

1. Log into GoHighLevel and navigate to your account dashboard.
2. Click your profile icon in the top-right corner and select Account Settings.
3. Go to the Security tab on the left sidebar.
4. Locate "Two-Factor Authentication" and click Enable or Set Up.
5. Choose "Authenticator App" as your 2FA method (recommended).
6. A QR code will appear on screen. Keep this page open—you'll need it in the next step.

Don't close this window yet. The next section walks you through pairing your authenticator app with this QR code.

This is built into GoHighLevel. Try it free for 30 days →

Setting Up the Authenticator App

Popular authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, and 1Password. Here's how to connect one:

1. Download an authenticator app if you don't already have one. (Google Authenticator is free and widely trusted.)
2. Open the app on your phone and tap the "+" button to add a new account.
3. Choose "Scan QR Code" from the menu.
4. Point your phone's camera at the QR code displayed in GoHighLevel's Security settings.
5. The app will automatically pair with your GoHighLevel account and generate a 6-digit code that refreshes every 30 seconds.
6. Enter the 6-digit code into the GoHighLevel verification field to confirm setup.
7. Click "Confirm" or "Verify."

Congratulations—your account is now protected by 2FA. From your next login, you'll enter your password, then be prompted for a code from your authenticator app.

Requiring 2FA for All Team Members

As an agency owner or admin, you can mandate 2FA for all users in your GoHighLevel workspace. This ensures no team member leaves your account vulnerable.

1. Go to Account Settings and select the Security tab.
2. Find "Require 2FA for All Users" and toggle it ON.
3. A confirmation dialog appears. Read it carefully—all team members will be required to set up 2FA on their next login.
4. Click "Enable" to enforce the policy.
5. Notify your team via email or Slack that 2FA is now required and provide them with setup instructions.

Team members will see a prompt to set up 2FA when they log in. They'll follow the same authenticator app setup process outlined above. You can't bypass this requirement—it applies to everyone with account access.

Best Practices for Managing Agency-Wide Security

Enabling 2FA is step one. Here's how to maintain strong security across your entire agency:

• Use Custom Roles and Permissions: Not every team member needs admin access. Create roles that limit who can modify client data, change settings, or manage billing.
• Educate Your Team: Share why 2FA matters. Explain that authenticator apps are safer than SMS, and why they shouldn't share their backup codes.
• Monitor Login Activity: Periodically check who's accessing your account and from where. Unusual logins are a red flag.
• Rotate Passwords Quarterly: Even with 2FA, strong passwords matter. Enforce regular password updates across your team.
• Secure Backup Codes: Store them in a password manager (like 1Password or Dashlane), not in plain text files.
• For SaaS Sub-Accounts: If you're using GoHighLevel's SaaS Mode, enable 2FA for newly created sub-accounts through SaaS Configurator > Advanced Settings > 2-Factor Authentication.

Backup Codes: Your Safety Net

When you enable 2FA, GoHighLevel generates backup codes—usually 8-10 single-use codes that work like authenticator app codes. If you lose access to your phone or the authenticator app crashes, backup codes are your only way back in.

What to do with backup codes:

• Download and save them immediately after enabling 2FA.
• Store them in a secure password manager—never screenshot or email them.
• Print a physical copy if you prefer, and lock it in a safe.
• Share one or two backup codes with a trusted co-owner or manager as an emergency recovery option.
• Never use them casually—they're for emergencies only.

2FA isn't a one-time setup—it's the foundation of ongoing account security. By enabling authenticator app support, requiring it across your team, and managing backup codes responsibly, you're protecting not just your agency, but your clients' trust. Start today, and your future self will thank you the moment a phishing email lands in your inbox and bounces off your 2FA shield.