CertCentral two-factor authentication account configurations

Two-factor authentication adds another layer of security to your CertCentral® account by allowing you to require two methods of identity verification before someone can sign in and access account information.

To configure or edit two-factor authentication rules for your account, you must be an account administrator.

When working with your account manager to set up two-factor authentication for your account, you have three account setting options:

1. Do not force (default setting)

All CertCentral accounts include the two-factor authentication security feature, but it is turned off by default. This gives you full control over how and when two-factor authentication is implemented for your account:

  • Turn two-factor on or off for your account as needed.
  • Determine which second factor is used: client certificate or one-time password.
  • Configure two-factor authentication rules for all account users and for specific account users (for example, Jane Doe in IT).

2. Client certificate

This setting automatically enforces two-factor authentication for the entire account and requires all account members to use their username, password, and a client certificate to sign in to their account.

Once this option is enabled for your account, the next time anyone tries to sign in to CertCentral (including you), they will be required to generate and initialize their client certificate before they can access their account.

You can still configure rules for specific users (for example, John Doe in IT) requiring them to use a one-time password (OTP) as their second form of authentication.

3. One-time password (OTP)

This setting automatically enforces two-factor authentication for the entire account and requires all account members to use their username, password, and a one-time password to sign in to their account.

Once this option is enabled for your account, the next time anyone tries to sign in to CertCentral (including you), they will be required to initialize their OTP app or device.

You can still configure rules for individual users (for example, John Doe in IT) requiring them to use a client certificate as their second form of authentication.
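As an added example that is not CertCentral's own code or API, the following Python models how the three account settings above combine with per-user rules (a rule for a specific user takes precedence, and "Do not force" applies a second factor only when an administrator has enabled a rule), and includes an audit helper that lists users who would still sign in with a password alone. The setting names, factor names and usernames are assumptions made for the example.

```python
# Added example: a model of the CertCentral account-level 2FA settings and
# per-user rules described on this page. Names below are assumptions, not
# the product's actual configuration keys.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two supported second factors
CLIENT_CERT = "client_certificate"
OTP = "one_time_password"

# The three account settings
DO_NOT_FORCE = "do_not_force"        # default: feature available, off until a rule is enabled
FORCE_CLIENT_CERT = CLIENT_CERT      # cert required for everyone unless a user rule says OTP
FORCE_OTP = OTP                      # OTP required for everyone unless a user rule says cert

VALID_FACTORS = {CLIENT_CERT, OTP}
VALID_SETTINGS = {DO_NOT_FORCE, FORCE_CLIENT_CERT, FORCE_OTP}


@dataclass
class AccountPolicy:
    setting: str = DO_NOT_FORCE
    # Under "do not force": the rule for all account users, if an admin enabled one
    all_users_factor: Optional[str] = None
    # Rules for specific users (hypothetical usernames): username -> factor
    user_rules: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.setting not in VALID_SETTINGS:
            raise ValueError(f"unknown account setting: {self.setting}")
        for factor in [self.all_users_factor, *self.user_rules.values()]:
            if factor is not None and factor not in VALID_FACTORS:
                raise ValueError(f"unknown second factor: {factor}")


def required_second_factor(policy: AccountPolicy, username: str) -> Optional[str]:
    """Return the second factor this user must present at sign-in, or None if only
    username and password are required under the given policy."""
    # A rule for the specific user wins in every mode (cert account may require OTP
    # for one user, and vice versa).
    if username in policy.user_rules:
        return policy.user_rules[username]
    if policy.setting in (FORCE_CLIENT_CERT, FORCE_OTP):
        return policy.setting
    # "Do not force": only an explicitly enabled all-users rule applies.
    return policy.all_users_factor


def users_without_second_factor(policy: AccountPolicy, usernames: List[str]) -> List[str]:
    """Audit helper: users who can still sign in with a password alone."""
    return [u for u in usernames if required_second_factor(policy, u) is None]
```

Running the audit helper against the default "Do not force" policy with no rules returns every user, which is the state an administrator should expect to see before enabling any rule.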