CertCentral two-factor authentication

Looking to add another layer of security to CertCentral? We recommend implementing two-factor authentication for your account.

Two-factor authentication allows you to require two methods of identity verification before someone can sign in to CertCentral and purchase certificates or access account information.

Requiring two forms of identification means a bad actor who gains access to someone's account password does not have instant account access. Why? Without the required second form of authentication, no one can sign in to that account.

Something you know

By default, CertCentral requires one form of authentication: something only you know. Each user must create credentials—username and password—for their CertCentral account before they sign in. These credentials are always required, even if you don't implement two-factor authentication.

However, with two-factor authentication, entering your credentials is only the first step to accessing your CertCentral account.

Something you have

CertCentral allows you to require a second form of authentication before someone can sign in: something only you have. When implementing two-factor authentications, the "something you have" can either be a client certificate installed on a device (such as your laptop or phone) or a one-time password generated from a one-time password (OTP) application device

Client certificate installed on a device

Client certificates let you control what devices a user can access their account from. Users can only access their account from a device their client certificate is installed on. Client certificates may also require a user to use a specific browser to access their account.

  • Windows operating systems install the client certificate in their Certificate Store. Microsoft Edge, Chrome, and Internet Explorer can access these certificates.
  • macOS installs the client certificate in their Certificate Store. Safari and Chrome can access these certificates.
  • Firefox installs the client certificate in their Certificate Store. Only Firefox can access these certificates for Windows and macOS.

One-time password generated from an OTP app or device

An OTP app installed on a mobile device allows users to log in from any device. Because our two-factor authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a mobile application that supports the TOTP protocol.

The TOTP protocol supports a time-based variation of the One-time password (OTP) algorithm. Each time an OTP is generated, it can only be used for a brief period. Once expired, the OTP cannot be reused. OTPs with short lifespans improve security.

Most OTP applications compatible with the TOTP protocol will work with our process. We tested these OTP applications:

  • Google Authenticator: Android, iPhone, Blackberry
  • Authy: Android, iPhone
  • Authenticator: Windows Phone
  • Duo Mobile: iPhone

Topics

Implement and use two-factor authentication

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.