Authentication Options
For CERN Account Holders
The following Authentication methods are supported:
| Method | Usage notes |
|---|---|
| CERN Account | Log in using your CERN username (not email) and password |
| Kerberos | Use your local Kerberos token. This requires that you have a centrally managed device or have configured Kerberos for your browser |
| Two-factor with Authenticator App | Log in with your CERN Account, followed by a second factor generated by an Authentication Application |
| Two-factor with Yubikey | Log in with your CERN Account, followed by a second factor generated by a Yubikey hardware token. |
For Visiting Users
The following Authentication methods are supported:
| Method | Usage notes |
|---|---|
| eduGAIN | Only possible if you have an account at an Institute or University that participates in the global Identity Federation called eduGAIN. Your Identity Provider must release data about you (name, email and an identifier), and must comply with security policies. |
| Social Account | Log in using an account from a social provider such as LinkedIn, Google or Github. If you don't already have an account you can simply choose a provider and create one. |
| Guest Account | You can create an account using an email of your choice at https://users-portal.web.cern.ch/guest-registration |
Not-supported
Certificate Authentication
The new SSO system aims to provide a modern experience, in line with up-to-date security practices and common user workflows. Certificate Authentication is slowly being phased out by Grid and other services, with the aim that users should not need to handle their own personal certificates. Consequently there is currently no plan to enable Certificate Authentication in the new SSO. Users that can authenticate using a CERN Grid certificate have other authentication options available, and therefore certificates do not provide additional access possibilities to CERN services.