
Configure two-factor authentication requirements for your CertCentral account

You must be a CertCentral administrator to configure or edit two-factor authentication rules for your CertCentral account.

Before you begin

  • One-time password (OTP) default setting

    For accounts that use a one-time password (OTP) app by default, you don't need to configure OTP app requirements for users. When a user signs in, they must initialize their OTP app and enter the temporary password before accessing their account.

    You can configure new two-factor authentication requirements and allow users to authenticate using OTP email verification or client certificates.

  • Client certificate default setting

    For accounts configured to use a client certificate by default, you don't need to configure client certificate requirements for your users. When a user signs in, they must generate a client certificate and install it on their device before accessing their account.

    To complete the two-factor authentication process, the user must sign in from the device where the certificate is installed so they can present it when the browser requires it.

    You can configure new two-factor authentication requirements and allow users to authenticate with an OTP app or OTP verification email.

Configure a two-factor authentication requirement

  1. In your CertCentral account, in the left main menu, go to Settings > Authentication Settings.

  2. On the Authentication settings page, on the Two-factor authentication tab, under Two-Factor authentication (2FA) settings, select Add 2FA requirement.

  3. In the Add 2FA requirement side panel, in the Apply rule to dropdown, select the user you want the requirement to apply to.

  4. Under Authentication type, select the second form of authentication you want to require:

    • Client Certificate

      • The next time the user signs in, they must generate a client certificate in their browser.

      • The following browsers support DigiCert KeyGen client certificate generation:

        • Windows: Microsoft Edge, Chrome, and Firefox

        • macOS: Safari, Chrome, and Firefox

    • One-Time Password (OTP)

      Under OTP authentication methods, you can check one or both methods. If you check both methods, the user can choose which method to use each time they sign in.

      • Email

        The next time the user signs in, CertCentral sends a temporary password to the email address in their CertCentral account Profile Settings.

      • App/device

        The next time the user signs in, they must install and initialize a supported OTP app on their mobile phone.

        DigiCert-tested apps:

        • Google Authenticator: Android, iPhone, Blackberry

        • Authy: Android, iPhone

        • Authenticator: Android, iPhone, Windows Phone

        • Duo Mobile: iPhone

  5. When ready, select Create requirement.

What's next

On the Authentication Settings page (in the left main menu, go to Settings > Authentication Settings), in the Two-Factor authentication (2FA) settings section, each new two-factor authentication requirement is added to the table under Applied settings.

Additionally, as users sign in, generate client certificates, initialize OTP apps, or request OTP verification emails, they are added to the applicable table: One-time password (OTP) methods or Issued client certificates.