Skip to content

Two factor authentication

Two factor authentication adds an extra layer of security on top of your password, usually requiring access to a physical personal device like your smartphone or a security key.

To log in using two-factor authentication, click on "Log in with Two-factor" in the CERN SSO page. Some applications will only allow access if you logged in using this option.


The guide below and the web portals may contain some technical words from the following list:

  • Authenticator app or Authenticator application: An application that has to be used, usually on a smartphone, for a second factor authentication step.
  • Security key: A physical hardware token that can be connected to your device to use it for a second factor authentication step.
  • Yubikey: A commercial security key from Yubico that you can request at CERN.
  • WebAuthn: A web standard for authentication compatible with many security keys, including the Yubikey.
  • One-time password (OTP): Any authentication mechanism where the user has to use a temporary password only once, usually as a second factor authentication step by using an Authenticator Application.

Some of the portals may use "OTP" to refer to the Authenticator Application method and "WebAuthn" or "Yubikey" for Security Key. These terms will usually have the same meaning when configuring your CERN account.

Setting up a 2nd factor authentication method

Getting a Yubikey

A Yubikey can be obtained from the IT secretariat. If you are not from the IT department, you will have to request the Yubikey from IT using the Inter Departmental Transfer form on EDH:

Using a private Security Key

It is possible to use your private Security Key with the SSO as long as it supports WebAuthn.

However, using your private Security Key for SSH requires custom-configuration and then sending the secrets to the security team.

Help! I've lost my phone/security key

If you have a second two-factor method already set up, you can use it to authenticate to the Users Portal and follow the reset procedure described in KB0006587.

If you do not have a second two-factor method already, please raise a ticket to the Service Desk who will perform the reset after a successful ID check.