certificate based user authentication Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Av ShchAv Shch 

certificate based user authentication

Does Okta support a cert based user authentication as a second factor?
This is needed for application based services accounts authentication into G-Suite.
Simply username/password is not secure enough to authenticate API calls from Okta to G-Suite.
Silviu MuraruSilviu Muraru (Okta, Inc.)
Hi, Alex!

I am going to speak in terms of authentication and authorization here.

Authentication is how apps identify who users are. Typically, that means username (who) and password (verification).
Authorization is how apps decide what a user is allowed to do. For Okta, a common use of authorization is to decide which applications a user has access to and which apps he does not.

Besides username and password, as a Multifactor Authentication, Okta uses:

- Okta Verify (by Push Notification or TouchId)
- Google Authenticator
- SMS Authentication
- Symantec VIP
- On-Prem MFA (by RSA SecurIP or Custom)
- Duo Security
- Yubikey
- Security Question

So that is about MFA. Now regarding API Calls and information send over from Okta (outbound) or even inbound, we mainly use SWA (Secure Web Authentication) and SAML 2.0 and here's where I would like to draw your attention to. By using SAML 2.0 your users can be provisioned into a specific App. without even having passwords. SAML is using certificates for establishing trust between companies and this is one of the most secure ways of configuring an App. Let me provide to you some documentation as well:


To sum it up, Okta supports certificate establishments, but it is not considered as being a second factor authentication, as you mentioned, but it has more to do with the authorization of a user into an app. Also, it depends which apps. accept SAML 2.0 infrastructure, but G Suite does for sure.

Hopefully you got your answers here!
Wish you all the best in your work, Alex!

Thank you,

Silviu Muraru
Technical Support Engineer | Okta
Sandy AggarwalSandy Aggarwal
Hi - I get the MFA piece here but if I need to authenticate my incoming user request to Okta against a cert that the incoming request must present to Okta, where do I upload that cert in Okta?