Configuring and Using Two-Factor Authentication for Your Direct Cert Portal
Two-factor authentication increases the security of your Direct accounts by allowing you to require two methods of identity verification before someone can log into the Direct Cert Portal to access their account. You can require two-factor authentication for all account users and for specific individual users (i.e., Jane Doe in IT).
- » Configuring Two-Factor Authentication
- » Using Two-Factor Authentication
- » Managing Client Certificates
Direct ISSOs
If you are a Direct user who has the ability to approve certificate requests (ISSOs), see Two-Factor Authentication Requirements for Direct ISSO Accounts.
Configuring Your Two-Factor Authentication Rules
These instructions are for Direct admins and explain how to configure your Two-Factor Authentication rules/requirements for your Direct account.
How to Configure Your Two-Factor Authentication Requirements
Configuring your Two-Factor Authentication Rules for Your Direct Account
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
Configuring an Account-wide Requirement.
-
To the right of Two-Factor Authentication Requirements, click Add a requirement.
-
In the Create a Two-Factor Authentication Requirement section, under Authentication type select the second factor authentication type that you want to require all account users to use to log into their Direct account.
-
Client Certificate requirement
Select this option if you want all account users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
-
One-time Password (OTP) requirement
Select this option if you want all account users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
-
-
Under Apply rule to, select All account users.
-
Click Add Requirement.
You should receive the “Requirement is successfully added.” message.
The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
-
-
Configuring a requirement for a specific individual user.
-
To the right of Two-Factor Authentication Requirements, click Add a requirement.
-
In the Create a Two-Factor Authentication Requirement section, under Authentication type, select the second factor authentication type that you want to require this user to use to log into their Direct account
-
Client Certificate
Select this option if you want users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
-
One-Time Password (OTP)
Select this option if you want users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
-
-
Under Apply rule to, select Specific user and then in the drop-down list, select the user that you want this rule/requirement to target.
-
Click Add Requirement.
You should receive the “Requirement is successfully added.” message.
The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
-
-
Allowing OTP Authenticators to verify their computer for 30 days.
(Optional - For OTP Authenticators Only)To display the Remember verification on this computer for 30 days check box for OTP authenticators, check Display “Remember verification for this computer” checkbox during OTP login.
This option allows your OTP authenticators to verify the computer that they are logging in on. For the next thirty days, they can bypass entering the verification code each time they log in from that computer. At the end of the thirty days, OTP authenticators are required to enter their verification code and decide if they want to remember the verification on that computer for the next thirty days.
If you don’t check this option, than the Remember verification on this computer for 30 days check box remains hidden.
-
You have now successfully configured your Two-Factor Authentication requirements for logging into your DigiCert account.
-
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.
Generating Your Client Certificate
Initializing Your OTP App Device
How to Configure an Account-wide Requirement
Configuring an Account-wide Requirement for Your Direct Account
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
To the right of Two-Factor Authentication Requirements, click Add a requirement.
-
In the Create a Two-Factor Authentication Requirement section, under Authentication type select the second factor authentication type that you want to require all account users to use to log into their Direct account.
-
Client Certificate requirement
Select this option if you want all account users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
-
One-time Password (OTP) requirement
Select this option if you want all account users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
-
-
Under Apply rule to, select All account users.
-
Click Add Requirement.
You should receive the “Requirement is successfully added.” message.
The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
-
You have now successfully configured an account-wide requirement for logging into your Direct account.
-
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct accont and generate their Client Certificates and initialize their OTP App devices.
Generating Your Client Certificate
Initializing Your OTP App Device
How to Configure a Requirement for a Specific Individual User
Configuring a Requirement for a Specific Individual User for Your Direct Account
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
To the right of Two-Factor Authentication Requirements, click Add a requirement.
-
In the Create a Two-Factor Authentication Requirement section, under Authentication type, select the second factor authentication type that you want to require this user to use to log into their Direct account
-
Client Certificate
Select this option if you want users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
-
One-Time Password (OTP)
Select this option if you want users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
-
-
Under Apply rule to, select Specific user and then in the drop-down list, select the user that you want this rule/requirement to target.
-
Click Add Requirement.
You should receive the “Requirement is successfully added.” message.
The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
-
You have now successfully configured a requirement for a specific user for logging into your Direct account.
-
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.
Generating Your Client Certificate
Initializing Your OTP App Device
How to Allow OTP App Authenticators to Verify a Computer for 30 Days
Configuring the Option to Allow OTP App Authenticators to Verify a Computer for 30 Days
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
To display the Remember verification on this computer for 30 days check box for OTP authenticators, check Display “Remember verification for this computer” checkbox during OTP login.
This option allows your OTP authenticators to verify the computer that they are logging in on. For the next thirty days, they can bypass entering the verification code each time they log in from that computer. At the end of the thirty days, OTP authenticators are required to enter their verification code and decide if they want to remember the verification on that computer for the next thirty days.
If you don’t check this option, than the Remember verification on this computer for 30 days check box remains hidden.
-
You have now successfully configured the option to allow OTP App authenticators to verify a computer for 30 days for logging into your Direct account.
-
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.
Generating Your Client Certificate
Initializing Your OTP App Device
Using the Second Factor of Your Two-Factor Authentication
These instructions explain how to use Two-Factor Authentication after it has been configured for your Direct account. The instructions are divided into two sections: Admin Specific instructions and User instructions.
User Instructions
Generating Your Client Certificate
After your administrator has turned on and configured two-factor authentication for your account, you must initialize the second factor of your two-factor authentication: your Client Certificate. The next time that you log into your Direct account you will be asked to generate your Client Certificate.
If you need to initialize your OTP App device, see Initializing Your OTP App Device.
Depending on which Web browser you use to initialize/generate your Client Certificate, you may need to use that browser to log into the Console.
- Windows installs the Client Certificate in its own Certificate Store and can be shared by Chrome and Internet Explorer.
- Mac installs the Client Certificate in its own Certificate Store and can be shared by the keychain for Safari and Chrome.
- Firefox installs the Client Certificate in its own Certificate Store and can only be accessed by Firefox (Windows or Mac).
For more information about taking care of your Client Certificate, see Managing Your Client Certificate.
How to Generate Your Client Certificate
-
Log into your DigiCert account.
-
On the Two-Factor Authentication Client Certificate Initialization page, click Generate Certificate.
-
When the browser presents your certificates, select your newly generated Client Certificate and click OK.
-
You should now be logged into your account.
Your certificate should now be installed in the Certificate Store related to the browser that you are currently using. We recommend that you back up your Client Certificate.
(Windows) Backing Up/Exporting Your Client Certificate.
(Mac) Backing Up/Exporting Your Client Certificate.You will now use two-factor authentication each time you log into your DigiCert account. See Signing In with Your Client Certificate.
Initializing Your OTP App Device
After your administrator has turned on and configured two-factor authentication, you must initialize the second factor of your two-factor authentication: your OTP App Device. The next time you log into your Direct account, you will be asked to initialize your OTP App Device.
If you need to generate your Client Certificate, see Generating Your Client Certificate.
Because our Two-Factor Authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a Mobile Application that supports the TOTP protocol.
Most OTP Applications (compatible with the TOTP protocol) will work with our process. The following list contains the OTP Applications that we have tested:
- Google Authenticator: Android, iPhone, Blackberry
- Authy: Android, iPhone
- Authenticator: Windows Phone
- Duo Mobile: iPhone
How to Initialize Your OTP App Device
-
Install an OTP App that is compatible with the TOTP protocol on you mobile device.
-
Log into your DigiCert account.
-
On the One-Time Password (OTP APP) Device Initialization page, do the following:
-
On your mobile device, open your OTP App.
-
Use your OTP App to scan the QR code.
-
In the Enter code box, type the code that is displayed on you device.
-
Click Submit.
-
-
You should now be logged into your account.
Your OTP App device should now be initialized. You will now use two-factor authentication each time you log into your DigiCert account. See Signing In with Your OTP App Device.
Signing In with Your OTP App Device
After you have initialized your OTP App device, you will need to supply your account credentials and use the code generated in your OTP App to log into your DigiCert account.
If you need to sign in with your Client Certificate, see Signing In with Your Client Certificate.
How to Sign In Using Your OTP App
-
Log into your DigiCert account.
-
On the DigiCert Account Login page, in the Username and Password boxes, type your username and password and then, click LOGIN.
-
On the Enter Verification Code page, in the Enter code box, type the code displayed in your OTP App.
-
(Optional) If you want to verify this computer for thirty days, check Remember verification on this computer for 30 days.
Depending on how your OTP authentication requirement was configured, you may be able to remember the verification on this computer. With this option checked, when you log into your DigiCert account from this computer, you are only required to enter your credential for the next thirty days. At the end of thirty days, you are required to enter your verification code again and choose whether to verify this computer for another thirty days.
-
Click Submit. This completes the authentication process and logs you into your account.
Admin Specific Instructions
Admin: Resetting a User’s Client Certificate
If one of your users loses their Client Certificate (loses computer, computer breaks down, or certificate gets deleted from their computer or the Certificate Store), you can reset their Client Certificate in your Direct account.
How to Reset a Client Certificate
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
On the Two-Factor Authentication page, under Issued Client Certificate, in the Reset column of the user who lost their certificate, click the Reset symbol.
-
The user is sent an email that contains instructions on how to reset their Client Certificate.
The next time that user logs into their Direct account, they will need to generate a new Client Certificate.
Admin: Resetting a User’s OTP App Device
If one of your users loses their OTP App Device (phone, tablet, iPad, etc.), you can reset their OTP App Device in your Direct account.
How to Reset an OPT App Device
-
Log into your Direct account as an Admin.
-
In the Console, in the banner menu, click Settings > Authentication Settings.
-
On the Two-Factor Authentication page, under One-Time Password (OTP) Device, in the Reset column of the user who lost their device, click the Reset symbol.
-
The user is sent an email that contains instructions on how to reset their OTP Device.
The next time that user logs into their Direct account, they will need to initialize there OTP App Device.
Managing Your Client Certificate
After generating a Client Certificate as the second factor for your authentication process, we recommend that you back it up. Once you have backed up (exported) your Client Certificate, you can do the following things with it, if needed:
-
Import it into other Certificate Stores so that you can use multiple Web browsers to log in to your Direct account.
-
Transfer it to another computer should you get a new one. Then, you can install it in the necessary Certificate Stores on your new computer.
For instructions about how to verify Client Certificate installation, back up/export your Client Certificate, and import your Client Certificate. See Managing Your Client Certificates.
