Two-factor authentication FAQ
This article answers some frequently asked questions about two-factor authentication (2FA).
If you need detailed guidance on how to set up 2FA, you can refer to this article.
-
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) adds an extra layer of security by requiring two different forms of verification when logging in. This includes the account password (something the user knows) and a second verification method (something the user has), such as a one-time code generated on a trusted device (like a smartphone) or a physical security key.
Because a password alone is not enough to log in, it is significantly harder for unauthorised users to access an account even if they have the password.
-
Why is 2FA being enforced?
2FA significantly reduces the risk of unauthorised access to your xneelo account. Enforcing it is in our customers' best interest: it protects their digital assets and limits the possibility of an account compromise.
-
What 2FA methods does xneelo offer?
We offer three 2FA methods:
- Authenticator application: an app on your mobile device that generates time-based one-time passcodes (TOTP), which you enter when logging in.
- SMS one-time code: a temporary code sent via SMS to your registered phone number.
- Security key: a physical device (such as a USB or NFC key) that provides hardware-based authentication using standards like WebAuthn. For even stronger protection, you verify your login by inserting or tapping the key and confirming the request.
These methods enhance the security of your account, ensuring that only you can access it. You can refer to this article for more information on how to set up 2FA.
-
Why can't I use my email for 2FA?
We don’t offer email OTP as a 2FA method in the xneelo Control Panel because it is not considered a strong second factor for protecting high-risk accounts.
Why not?
1. Email accounts are often protected by a password only
If someone gains access to your email account, they could use it to intercept 2FA codes and access your Control Panel.
We strongly recommend that you do not reuse the same email address and password combination across services – especially not for both your Control Panel login and that same email mailbox.
2. Email can be delayed or intercepted
Email delivery is not always instant or guaranteed. Delays, forwarding rules, or compromised inboxes can introduce security risks.
3. It weakens the purpose of 2FA
Strong 2FA methods use something separate from your password, such as:
- An authenticator app
- A hardware security key
- Device-based authentication
Email is typically accessed using the same device and password ecosystem, which reduces the separation between factors.
What should I use instead?
We recommend using an authenticator app or security key. These methods generate secure, time-based codes or cryptographic challenges that cannot be intercepted through email.
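The following added example (not xneelo's code) shows why an authenticator-app code has no delivery channel to intercept: both sides derive it from a shared secret and the clock, as specified in RFC 6238. The function names, the drift window and the replay check are illustrative assumptions, and the secret is the published RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key, base32-encoded as an
# authenticator app would store it after scanning the enrolment QR code.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, step=30, digits=6):
    """Compute the RFC 6238 code (HMAC-SHA1) for UNIX time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)       # 8-byte time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at, last_step=-1, window=1, step=30):
    """Return the accepted time step, or None if the code is rejected.

    `window` tolerates clock drift of that many steps either side.
    `last_step` is the step of the last accepted code for this user
    (hypothetical server-side state); codes from that step or earlier
    are refused, so a code observed once cannot be replayed.
    """
    current = int(at) // step
    for s in range(max(0, current - window), current + window + 1):
        if s <= last_step:
            continue
        expected = totp(secret_b32, s * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return s
    return None


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print(code, verify(RFC_SECRET, code, 59))                # accepted
    print(verify(RFC_SECRET, code, 59, last_step=1))         # replay refused
```
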
What about email OTP in konsoleH?
For customers who still use our earlier Control Panel, konsoleH, email OTP is available there to provide additional flexibility.
In our newer xneelo Control Panel, built on newer technology, customers have access to stronger authentication options – including security keys and Google Authenticator. Each Collaborator can also manage their own 2FA method independently.
Because these more secure options are available, we have chosen not to include email OTP in the xneelo Control Panel. Our goal is to provide the strongest possible protection for all accounts.
-
What do I do if I no longer have access to the device I used to set up 2FA and can't log into my account?
If you have lost access to your 2FA device and did not configure a backup, you can contact us for assistance in resetting your 2FA. Once you log back in to your Control Panel, you will be prompted to reconfigure your 2FA and link a new or secondary device.
IMPORTANT: You should immediately remove any lost security keys or devices from your account to prevent unauthorised access.
-
How do I disable 2FA for my Control Panel?
2FA is mandatory for all konsoleH and xneelo Control Panel users. You must have 2FA enabled to access your account. This added security measure helps protect your account if your username and password are ever compromised.
-
Can I disable 2FA for Webmail?
Yes, 2FA for Webmail can be disabled at any time. We always recommend 2FA remain enabled for the safety of your email account. However, if you need to disable 2FA for Webmail, you can do so by following these steps.
-
How can multiple people share 2FA credentials?
There is no need to share 2FA credentials in the xneelo Control Panel. Each Collaborator has their own login credentials and can set up 2FA on their own account.
For security reasons, we do not recommend sharing login or 2FA details. Instead, you can invite additional users as Collaborators and assign them access to the relevant products.
-
I am not the owner of the account, how do I reset 2FA?
Each Collaborator has their own login credentials and their own 2FA linked to their account.
If you need to reset your own 2FA, you can contact us and we will assist you with the reset.
For security reasons, you are not able to request a reset of the account owner’s 2FA on their behalf. The account owner would need to contact us directly to request this.
-
Do I have to get 2FA every time I sign in?
Yes. 2FA is required at every login.
Your account gives access to important features like domains, DNS, email settings, website files, and billing information. Because of this, we apply 2FA at every login to provide consistent protection against password leaks, credential-stuffing attacks, and unauthorised access.
While some services allow trusted devices to skip 2FA, this can increase risk, especially on shared or compromised devices. Requiring 2FA each time ensures your account remains protected, regardless of where or how you log in.
We continually review our security measures to balance protection and usability, but there are no planned changes to this requirement at this time.





