Skip to content

Authentication Options

For CERN Account Holders

The following Authentication methods are supported:

Method Usage notes
CERN Account Log in using your CERN username (not email) and password
Kerberos Use your local Kerberos token. This requires that you have a centrally managed device or have configured Kerberos for your browser
Two-factor with Authenticator App Log in with your CERN Account, followed by a second factor generated by an Authentication Application
Two-factor with Yubikey Log in with your CERN Account, followed by a second factor generated by a Yubikey hardware token.

For Visiting Users

The following Authentication methods are supported:

Method Usage notes
eduGAIN Only possible if you have an account at an Institute or University that participates in the global Identity Federation called eduGAIN. Your Identity Provider must release data about you (name, email and an identifier), and must comply with security policies.
Social Account Log in using an account from a social provider such as LinkedIn, Google or Github. If you don't already have an account you can simply choose a provider and create one.
Guest Account You can create an account using an email of your choice at https://users-portal.web.cern.ch/guest-registration

Not-supported

Certificate Authentication

The new SSO system aims to provide a modern experience, in line with up-to-date security practices and common user workflows. Certificate Authentication is slowly being phased out by Grid and other services, with the aim that users should not need to handle their own personal certificates. Consequently there is currently no plan to enable Certificate Authentication in the new SSO. Users that can authenticate using a CERN Grid certificate have other authentication options available, and therefore certificates do not provide additional access possibilities to CERN services.