
Two-factor authentication

Add another layer of security to your DigiCert ONE account with two-factor authentication. Users can only sign in if they present two forms of authentication: something they know and something they have.

Something you know

By default, DigiCert ONE requires one form of authentication: something you know. Each user must create a password and then enter their DigiCert ONE username and password to sign in.

Initially, the something you know is your DigiCert ONE username and password. If you set up single sign-on for your account, you can use your single sign-on credentials as something you know.

Something you have

DigiCert ONE allows you to require a second form of authentication before someone can sign in: something only you have. When implementing two-factor authentication, the "something you have" is a one-time password generated by a one-time password (OTP) application or device.

One-time password generated from an OTP app or device

An OTP app installed on a mobile device allows users to log in from any device. Because our two-factor authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a mobile application that supports TOTP.

TOTP is a time-based variant of the one-time password (OTP) algorithm. Each OTP is valid only for a brief period after it is generated; once it expires, it cannot be reused. OTPs with short lifespans improve security because an intercepted code quickly becomes worthless.
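To make the two paragraphs above concrete, here is a small Python implementation of TOTP (RFC 6238, built on the HOTP construction of RFC 4226) together with the server-side checks that give short-lived codes their value: a narrow clock-drift window and rejection of any code that has already been accepted. This is example code added for this page, not DigiCert ONE's implementation; the secret is the published RFC 4226/6238 test-vector key and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 defaults: 30-second time step, 6-digit codes, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6

# Base32 form of the RFC 4226/6238 test-vector key "12345678901234567890".
# Used here only so the results are reproducible; not a real account secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verification: accept codes from the current step and one step either side
    (clock drift), but never accept a time step that has already been used (replay)."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, window: int = 1):
        self.secret = base64.b32decode(secret_b32.upper())
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # expired or already consumed: a replayed OTP is rejected
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the lifecycle of a code: fresh, replayed, drifted, and expired."""
    verifier = TotpVerifier(SAMPLE_SECRET_B32)
    code = totp(SAMPLE_SECRET_B32, now)
    next_code = totp(SAMPLE_SECRET_B32, now + TIME_STEP)
    return {
        "fresh": verifier.verify(code, now),                       # accepted
        "replay": verifier.verify(code, now + 5),                  # rejected: same step, already used
        "drift_ok": verifier.verify(next_code, now + TIME_STEP + 10),  # accepted: previous step within window
        "expired": verifier.verify(code, now + 3 * TIME_STEP),     # rejected: outside the window
    }


if __name__ == "__main__":
    print(demo())
```

The verifier keeps only the last accepted counter, which is all RFC 6238 section 5.2 requires to stop a code being used twice; in a real deployment that value is stored per user alongside the secret, and the window should stay as small as user clocks allow.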

Most OTP applications compatible with the TOTP protocol will work with our process. We tested these OTP applications:

  • Google Authenticator

  • FreeOTP

Note

Two-factor Authentication and SSO

When two-factor authentication is enabled in Account Manager:

  • SSO using SAML

    You will be prompted to enter an OTP when signing in, even if you have already provided an OTP to your identity provider (IDP).

  • SSO using OIDC

    DigiCert will skip the OTP prompt if you have already provided an OTP to your Identity Provider (IDP).