Skip to main content

CertCentral two-factor authentication

Looking to add another layer of security to CertCentral? We recommend implementing two-factor authentication for your account.

Two-factor authentication allows you to require two methods of identity verification before someone can sign in to CertCentral and purchase certificates or access account information.

Requiring two forms of identification means a bad actor who gains access to someone's account password does not have instant account access. Why? Without the required second form of authentication, no one can sign in to that account.

Something you know

By default, CertCentral requires one form of authentication: something only you know. Each user must create credentials—username and password—for their CertCentral account before they sign in. These credentials are always required, even if you don't implement two-factor authentication.

However, with two-factor authentication, entering your credentials is only the first step to accessing your CertCentral account.

Something you have

CertCentral allows you to require a second form of authentication before someone can sign in: something only you have. When implementing two-factor authentications, the "something you have" can either be a client certificate installed on a device (such as your laptop or phone) or a one-time password generated from a one-time password (OTP) application device.

Client certificate installed on a device

Client certificates let you control what devices a user can access their account from. Users can only access their account from a device their client certificate is installed on. Client certificates may also require a user to use a specific browser to access their account.

  • Windows operating systems install the client certificate in their Certificate Store. Microsoft Edge, Chrome, and Internet Explorer can access these certificates.

  • macOS installs the client certificate in their Certificate Store. Safari and Chrome can access these certificates.

  • Firefox installs the client certificate in their Certificate Store. Only Firefox can access these certificates for Windows and macOS.

One-time password generated from an OTP app or device

An OTP app installed on a mobile device allows users to log in from any device. Because our two-factor authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a mobile application that supports the TOTP protocol.


The TOTP protocol supports a time-based variation of the One-time password (OTP) algorithm. Each time an OTP is generated, it can only be used for a brief period. Once expired, the OTP cannot be reused. OTPs with short lifespans improve security.

Most OTP applications compatible with the TOTP protocol will work with our process. We tested these OTP applications:

  • Google Authenticator: Android, iPhone, Blackberry

  • Authy: Android, iPhone

  • Authenticator: Windows Phone

  • Duo Mobile: iPhone