CertCentral two-factor authentication
DigiCert requires all CertCentral accounts to use two-factor authentication: something you know (username and password) and something you have (one-time password or client certificate). By default, CertCentral requires you to use your credentials and a one-time password to access your account.
Why does DigiCert require two-factor authentication?
Two-factor authentication adds another layer of security to a CertCentral account. It requires users to provide two forms of identity verification before they can sign in to purchase certificates or view account information.
Requiring two forms of identification means if a bad actor gains access to your account password, they do not have instant account access. Why? No one can access your account without the required second form of authentication.
Something you know: username and password
The first form of authentication required to access your account is something only you know: username and password. Each new user must create credentials—username and password—for accessing their CertCentral account.
Something you have: One-time password or client certificate
CertCentral requires a second form of authentication before you can access your account, something only you have. By default, CertCentral requires a one-time password as your second factor. However, the "something you have" can be a one-time password or a client certificate.
One-time password
With a one-time password, you can access your account from any device. The TOTP protocol supports a time-based variation of the One-time password (OTP) algorithm. Each time an OTP is generated, it can only be used for a limited time. Once expired, the OTP cannot be reused. OTPs with short lifespans improve security.
CertCentral supports the following one-time password methods:
One-time password (OTP) application
You can install an OTP app to generate a one-time password on your mobile device. Because our two-factor authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a mobile application that supports the TOTP protocol.
Most OTP applications compatible with the TOTP protocol work with our process. However, we tested these OTP applications:
Google Authenticator: Android, iPhone, Blackberry
Authy: Android, iPhone
Authenticator: Android, iPhone, Windows Phone
Duo Mobile: iPhone
One-time password Email verification
After entering your credentials, you can request a one-time passcode. CertCentral sends a temporary password to the email address in your CertCentral account Profile Settings.
Client certificate installed on a device
Client certificates allow you to control what device a user can access their CertCentral account from. A user can only access their account from a device on which their client certificate is installed. Client certificates may also require users to use a specific browser to access their account.
To generate a client certificate, use DigiCert's KeyGen tool to perform browser-based certificate key generation. The following browsers support DigiCert KeyGen client certificate generation:
Windows: Microsoft Edge, Google Chrome, or Firefox
macOS: Safari, Google Chrome, Firefox, or Microsoft Edge
Client certificates may also require users to use a specific browser to access their account.
Windows operating systems install the client certificate in their Certificate Store. Microsoft Edge and Chrome can access these certificates.
macOS installs the client certificate in their Certificate Store. Safari and Chrome can access these certificates.
Firefox installs the client certificate in its Certificate Store. Only Firefox can access these certificates for Windows and macOS.