Two-Factor Authentication for the DigiCert® Management Console

Two-factor authentication increases the security of access to your DigiCert accounts by letting you require two methods of identity verification before someone can log into the DigiCert® Management Console and access your account information. You can require two-factor authentication for all account users, for users with specific roles (e.g. Admin), and for specific individual users (e.g. Jane Doe in Accounting).

Two-Factor Authentication Requires “Two” Items for Login

1- “Something You Know”

The first authentication factor required for logging into the DigiCert® Management Console is “something you know”: your DigiCert account credentials. These credentials are always required, even if you decide not to implement two-factor authentication.

However, for two-factor authentication, entering your credentials is only the first step to logging into your DigiCert account.

2- “Something You Have”

The second authentication factor that can also be required for logging into the DigiCert® Management Console is “something you have”: a Client Certificate installed on a computer/device or a one-time password generated from an OTP App device.

• Client Certificate Installed on a Computer/Device

A Client Certificate allows users to log in only from the computer/device on which their certificate is installed. Client Certificates may also be limited to specific browsers.

Windows installs the Client Certificate in its own Certificate Store, from which it can be accessed by Chrome and Internet Explorer.

Mac installs the Client Certificate in its own Certificate Store (the keychain), from which it can be accessed by Safari and Chrome.

Firefox installs the Client Certificate in its own Certificate Store, which can only be accessed by Firefox (Windows or Mac).

• One-time Password Generated from an OTP App Device

An OTP App installed on a mobile device allows users to log in from any computer/device. Because our Two-Factor Authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a Mobile Application that supports the TOTP protocol.

The TOTP protocol is a time-based variation of the one-time password (OTP) algorithm. Each generated OTP can only be used for a short period of time; once it expires, it cannot be reused. OTPs with short lifespans help enhance security.
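The following is an added example, not DigiCert's code, showing how a TOTP code is derived (RFC 6238 with the usual 30-second step, 6 digits and HMAC-SHA1, the defaults the listed apps use) and how a verifier enforces the single-use property described above: it accepts a code only within a small clock-drift window and never accepts the same time step twice. The secret and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed TOTP parameters (standard defaults): 30-second step, 6 digits, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo secret, not a real account key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check: accept the current step (plus `drift` steps either side for clock
    skew) and never accept a step at or below the last one consumed, so an expired or
    already-used code is rejected even if it is replayed within the drift window."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, drift: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.drift = drift
        self.last_counter = -1  # highest time-step counter already used for a login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # step already consumed or expired: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, now)
    # First use succeeds, replay of the same code in the same step is refused.
    print(code, verifier.verify(code, now), verifier.verify(code, now))
```

The test vectors used below are the published RFC 6238 SHA-1 vectors (secret "12345678901234567890"), truncated to 6 digits.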

Most OTP Applications (compatible with the TOTP protocol) will work with our process. The following list contains the OTP Applications that we have tested:

• Google Authenticator: Android, iPhone, Blackberry

• Authy: Android, iPhone

• Authenticator: Windows Phone

• Duo Mobile: iPhone