Your GoHighLevel account holds access to everything—client data, campaign automations, contact lists, and business-critical workflows. When you update your phone number, you're changing one of the most sensitive account credentials. Without proper security protocols, a compromised phone number could give bad actors a backdoor into your entire system. That's why GoHighLevel now requires mandatory two-factor authentication (2FA) for phone number updates. This guide walks you through enabling 2FA, understanding why it matters, and protecting your account at every level.
Why 2FA Matters for Phone Number Updates
Your phone number is a gateway. Email addresses can be reset, passwords can be changed—but your phone number is often tied to account recovery, SMS notifications, and authentication workflows. In GoHighLevel, your phone number is linked to critical account operations. If someone gains control of it without your knowledge, they could:
- Intercept 2FA codes sent via SMS during login attempts
- Receive client notifications and sensitive campaign data
- Change account settings and lock you out of your own system
- Access client contact information and business automations
That's why GoHighLevel implemented mandatory 2FA for phone number updates. Before you can change your phone number in account settings, you must verify your identity using a second authentication factor—typically an authenticator app. This adds a crucial layer of protection that makes unauthorized phone number changes nearly impossible, even if someone has your password.
How to Enable 2FA in GoHighLevel: Step-by-Step
Enabling 2FA is straightforward and takes less than five minutes. Here's the exact path:
- Log into your GoHighLevel account at your agency dashboard
- Navigate to Settings by clicking the gear icon or your profile menu
- Select "My Profile" from the settings submenu
- Locate "Setup Two-Factor Authentication (2FA) App" — you'll see this as an option in your security settings
- Choose your authenticator app (covered in detail below)
- Scan the QR code or manually enter the setup key into your authenticator app
- Enter the 6-digit code generated by your authenticator app to verify the setup
- Save backup codes in a secure location for account recovery
Once this is complete, 2FA is active on your account. Any phone number change will require you to enter a code from your authenticator app, even if an attacker has your password.
Authenticator App Options: Which One Should You Use?
GoHighLevel supports any TOTP (Time-based One-Time Password) authenticator app. The most popular options are:
- Google Authenticator — Free, lightweight, available on iOS and Android. No account sync; if you lose your phone, you lose access without backup codes.
- Microsoft Authenticator — Free, syncs across Microsoft devices, includes biometric login options, easier account recovery.
- Authy — Free with premium backup features, allows multi-device sync, backup encryption, very user-friendly interface.
For most GoHighLevel users managing agency accounts, I recommend Microsoft Authenticator or Authy because they offer cloud backup and multi-device sync. If you lose your phone, you won't be locked out of your account. However, Google Authenticator is fine if you're disciplined about saving your backup codes immediately after setup.
💡 Pro Tip
Whatever app you choose, download it on your phone before starting the 2FA setup in GoHighLevel. Have it ready so you can scan the QR code immediately. This prevents setup delays and reduces the chance of losing the setup key.
Setting Up 2FA via Authenticator App
Once you've chosen your authenticator app and navigated to the 2FA setup page in GoHighLevel, follow these steps:
Option 1: QR Code Scan (Recommended)
- Open your authenticator app
- Tap the "+" or "Add" button to create a new authentication entry
- Select "Scan QR Code" or "Scan a barcode"
- Point your phone camera at the QR code displayed in GoHighLevel
- The app will automatically configure your account
- Your authenticator app will now display a 6-digit code that refreshes every 30 seconds
- Enter this 6-digit code into the GoHighLevel confirmation field
- Click "Verify" to complete setup
Option 2: Manual Entry
If you can't scan the QR code, GoHighLevel provides a setup key (a long string of characters). Tap "Enter a setup key" in your authenticator app and paste this key. The process is identical from that point forward.
After verification, GoHighLevel displays backup codes—typically 10 one-use codes. Save these codes immediately in a password manager or secure document. If you lose access to your authenticator app, these codes are your only way to regain account access.
Updating Your Phone Number After 2FA is Enabled
With 2FA active, changing your phone number now requires an extra verification step:
- Go to Settings → My Profile
- Find your phone number field and click to edit
- Enter your new phone number
- GoHighLevel will prompt you for a 2FA code
- Open your authenticator app and copy the 6-digit code currently displayed
- Paste this code into the GoHighLevel prompt
- Confirm the phone number update
This mandatory verification ensures that even if someone has your login credentials, they cannot silently change your phone number without access to your authenticator app. This is precisely the protection level your agency account needs.
Best Practices for 2FA and Account Security
1. Enable 2FA for All Team Members
If your GoHighLevel account manages multiple agency locations or has team members with account access, require all of them to enable 2FA. A single unprotected team account is a vulnerability for your entire operation.
2. Store Backup Codes Securely
Use a password manager like 1Password, LastPass, or Dashlane to store your 2FA backup codes. Never store them in plain text files or unencrypted documents. If your computer is compromised, backup codes stored in plain text offer no protection: anyone with access to the files can read and use them.
3. Test Your Backup Access Plan
Before relying on 2FA, test your backup strategy. Verify that your backup codes work, that you can access them from your password manager, and that you know how to use them if your phone is lost.
4. Keep Your Authenticator App Updated
App updates often include security patches. Set your authenticator app to auto-update, or manually check for updates monthly. This prevents known vulnerabilities from exposing your 2FA codes.
5. Use a Unique, Strong Master Password
2FA protects your phone number and account settings, but your master password still gates access to the entire account. Use a password manager to generate and store a unique 16+ character password for GoHighLevel.
Frequently Asked Questions
What happens if I lose my phone and can't access my authenticator app?
This is exactly why backup codes exist. Use one of your saved backup codes in place of the 6-digit code. Each backup code can only be used once. After you use a backup code, log back in and either restore your authenticator app on a new phone or switch to a different authenticator app by disabling and re-enabling 2FA.
Can I use 2FA on multiple devices?
If you use Microsoft Authenticator or Authy, yes—these apps sync across devices. Google Authenticator does not sync automatically, so you'd need to set it up separately on each device or rely on backup codes. For this reason, Authy and Microsoft Authenticator are better for multi-device setups.
Does 2FA apply to mobile app logins as well?
Yes. When you log into the GoHighLevel mobile app after enabling 2FA, you'll be prompted for a 2FA code during login. This protects your account on all devices and platforms.
Is 2FA mandatory for all GoHighLevel users?
2FA is mandatory for phone number updates—meaning you cannot change your phone number without it enabled. Enabling 2FA for general login, however, is currently optional, though highly recommended for all agency accounts. GoHighLevel may make it mandatory in the future as part of broader security enhancements.
What if I can't scan the QR code during setup?
GoHighLevel provides a manual setup key for this exact scenario. Instead of scanning the QR code, tap "Enter a setup key manually" in your authenticator app and paste the key that GoHighLevel displays. The result is identical to scanning.