Qualys offers two-factor authentication using certificate authentication as an optional security feature. Once enabled, all users in the subscription must connect to Qualys from a browser with a valid certificate – one that has been signed by a certificate provided to Qualys.
How do I get this feature?
Contact Qualys Support or your Sales representative to have certificate authentication enabled for your subscription. You'll need to provide one public signing certificate to Qualys for your subscription. Supply your signing certificate in a secure manner, such as via a secure FTP server.
A few things to consider...
1) Carefully consider the consequences of using this feature. Integrations with other security solutions should be reviewed with the appropriate third-party application vendor to determine the consequences of enabling client certificates. Without proper planning and support from integration partners, using certificates in integrations can cause third-party applications to stop functioning.
2) API users and integration partners that deploy user-supplied credentials as part of an integration will experience adverse effects in some cases, for example when certificate authentication is enabled for the user but the integration script or application does not pass the required certificate as part of the login process.
How it works
When certificate authentication is enabled for your subscription, the following validation checks occur each time you log in.
Note - This is completely transparent when successful.
- A certificate is present in your browser.
- The certificate in your browser is not expired.
- The email address in the certificate in your browser matches the email address in your user account. This validation check may be disabled for the subscription.*
- The issuer ID in the certificate in your browser matches the issuer ID in the public signing certificate provided to Qualys for the subscription.
When all of these checks pass, you are logged in to your account. If any check fails, you'll see the error "Invalid user credentials" and you are denied access.
* The email validation check will fail if the email address in your account changed after this feature was enabled. In this case, please ask a Manager (or Unit Manager) in your subscription to edit your account and change the email address back to the previous one.
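The four checks above, and the single generic error a failing login receives, modelled as an added example (constructed here, not Qualys code). It assumes the certificate's e-mail, issuer identifier and expiry have already been extracted from the browser-presented certificate into plain fields; the "issuer ID" is taken to be an opaque string compared for equality.

```python
"""Model of the client-certificate checks applied at login (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

GENERIC_ERROR = "Invalid user credentials"  # the only message a failing login sees


@dataclass
class ClientCert:
    email: str           # e-mail address carried in the certificate
    issuer_id: str       # issuer identifier (assumed: opaque string, compared for equality)
    not_after: datetime  # expiry time, UTC


def validate_login(cert: Optional[ClientCert], account_email: str,
                   subscription_issuer_id: str, *, check_email: bool = True,
                   now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (ok, reason). The reason is for the audit log only; the user
    never sees it, only GENERIC_ERROR, so a failure does not reveal which
    check tripped."""
    now = now or datetime.now(timezone.utc)
    if cert is None:                                   # 1) certificate present
        return False, "no client certificate presented"
    if cert.not_after <= now:                          # 2) not expired
        return False, "certificate expired"
    if check_email and cert.email.lower() != account_email.lower():  # 3) e-mail match
        # This is the check that fails when the account e-mail was changed
        # after the feature was enabled (the footnote case above).
        return False, "certificate e-mail does not match account e-mail"
    if cert.issuer_id != subscription_issuer_id:       # 4) issuer match
        return False, "issuer does not match subscription signing certificate"
    return True, "ok"


def login_message(ok: bool) -> str:
    """What the user is shown: success, or the one generic failure text."""
    return "login successful" if ok else GENERIC_ERROR


# Constructed sample data for a stand-alone run
SUB_ISSUER = "CN=Example Corp Client CA"            # issuer of the cert given to Qualys
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD = ClientCert("alice@example.com", SUB_ISSUER,
                  datetime(2025, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    ok, reason = validate_login(GOOD, "alice@example.com", SUB_ISSUER, now=NOW)
    print(login_message(ok), "/ audit:", reason)
```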