Simple MFA works with any BigCommerce store running a Stencil theme, including Cornerstone and all themes from the BigCommerce Theme Marketplace. Custom Stencil themes are also supported. Installation requires a small change to your theme's login page template — the full replacement content is provided and takes a few minutes to apply.
Legacy Blueprint themes are not supported.
Mostly no. Installation involves installing the app from the BigCommerce App Marketplace, adding a script tag via Script Manager, and making a small change to your theme's login page template. The theme change uses fully provided content — most store owners are comfortable completing it themselves in a few minutes. If not, any BigCommerce developer can handle it quickly.
A guided process that applies the theme change automatically is also in progress. See the install guide for a full step-by-step walkthrough.
No. Simple MFA only intercepts customer account login. Guest checkout is completely unaffected — shoppers who check out without an account will not encounter the Simple MFA login page.
No. The Simple MFA script only activates once it has been added to Script Manager and enabled. You can complete setup and test with a specific customer account before enabling it for all customers.
A small script added to your storefront via Script Manager intercepts clicks on the standard BigCommerce login link and redirects customers to the Simple MFA hosted login page instead. The redirect preserves the return URL so customers land back on the correct page after signing in.
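The intercept-and-redirect pattern described above, as an added example that is not Simple MFA's own storefront script. HOSTED_LOGIN and STORE_ORIGIN are placeholders, and the assumption that the hosted page reads its destination from a `return_url` query parameter is the example's own; the check that only same-origin return URLs are carried through is what keeps the hosted login from being usable as an open redirect.

```javascript
// Added example, not Simple MFA's own storefront script: the intercept-and-redirect
// pattern described in the FAQ. Assumed: HOSTED_LOGIN and STORE_ORIGIN are placeholders,
// and the hosted page reads its destination from a "return_url" query parameter.
const HOSTED_LOGIN = "https://login.example-mfa.invalid/login";
const STORE_ORIGIN = "https://store.example.com";

// The native Stencil login page is /login.php; match it only on the store's own origin.
function isNativeLoginHref(href) {
  try {
    const u = new URL(href, STORE_ORIGIN);
    return u.origin === STORE_ORIGIN && u.pathname === "/login.php";
  } catch {
    return false;
  }
}

// Only same-origin destinations are carried through; anything else falls back to the
// account page, so the hosted login cannot be turned into an open redirect.
function safeReturnUrl(candidate, fallback = STORE_ORIGIN + "/account.php") {
  try {
    const u = new URL(candidate, STORE_ORIGIN);
    return u.origin === STORE_ORIGIN ? u.href : fallback;
  } catch {
    return fallback;
  }
}

function buildMfaLoginUrl(returnTo) {
  const u = new URL(HOSTED_LOGIN);
  u.searchParams.set("return_url", safeReturnUrl(returnTo));
  return u.href;
}

// Browser wiring: a capture-phase listener runs before the theme's own click handlers.
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const a = ev.target instanceof Element ? ev.target.closest("a[href]") : null;
    if (!a || !isNativeLoginHref(a.href)) return;
    ev.preventDefault();
    window.location.assign(buildMfaLoginUrl(window.location.href));
  }, true);
}
```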
The hosted login page can be styled with your store's logo and brand colours on Standard and Enterprise plans.
Existing BigCommerce customers don't have a password in Simple MFA's system yet. When they enter their email on first login, they'll receive a magic link email. Clicking the link lets them set a password, after which they're signed in and can use their new password on all future logins.
This account claim process happens once per customer. It's automatic and requires no manual action from you.
MFA is optional by default. After setting their password, customers are invited to enrol in TOTP MFA but can skip it. You can configure MFA as mandatory for all customers from the admin panel if your security requirements demand it.
Any RFC 6238 TOTP app works — Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and others. Customers scan a QR code during enrolment and then use a 6-digit time-based code to log in.
During TOTP enrolment, customers are issued a set of single-use backup codes. These can be used in place of a TOTP code to regain access. Each backup code can only be used once.
If a customer has also lost their backup codes, you can disable MFA for their account from the Simple MFA admin panel, allowing them to log in with their password only. They can then re-enrol MFA at their next login.
The Simple MFA login page includes a forgot password link. Customers enter their email and receive a password reset link. The link expires after 30 minutes. The entire flow is self-service and does not require any action from you.
No. Simple MFA works with your existing BigCommerce customer accounts. Customers don't need to register again — they just need to set a password on their first login via the account claim flow. Their order history, saved addresses, and all other account data is unchanged.
Yes, on Standard and Enterprise plans. You can upload your store logo and set your brand colours in the Simple MFA admin panel. The hosted login page will reflect your branding.
Custom login domains (e.g. login.yourstore.com) are available on the Enterprise plan.
Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations via the Web Crypto API — compliant with NIST SP 800-63B. Passwords are never stored in plain text and cannot be recovered. They are stored on Cloudflare's infrastructure, entirely separate from BigCommerce.
TOTP secrets are encrypted at rest using AES-GCM before being written to the database. The encryption key is a Cloudflare Worker secret and is never stored alongside the data.
All Simple MFA data (passwords, TOTP secrets, auth logs) is stored on Cloudflare's infrastructure. At launch, data is stored in the US. EU data residency is on the roadmap.
Simple MFA does not store any payment information or order data — only authentication credentials and login history.
Simple MFA stores only the minimum data necessary for authentication: a hashed password, an encrypted TOTP secret (if enrolled), and a login history log with IP address and user agent. No marketing data or tracking is performed.
A data processing agreement (DPA) is available on request for Enterprise customers. Full details are in the Privacy Policy.
All Simple MFA credential data is deleted within 30 days of uninstalling. Your BigCommerce customer accounts are not affected. After uninstall, customers will return to BigCommerce's native login flow.
Yes. Repeated failed login attempts trigger automatic account lockout. Cloudflare's native threat scoring is also applied at the network edge, blocking suspicious IPs before they reach the login page. Auth logs on the Standard plan let you review per-customer and store-wide login history.
Simple MFA is currently in early access. Leave your email and we'll reach out when it's ready.