The following covers how to use an authenticator app to enable Two-Factor Authentication (2FA) as a second verification step for login and for starting the Root CA.

Profile Settings

The Profile page allows for adding Two-Factor Authentication (2FA) to the PrimeKey SaaS portal. Optionally, 2FA can also be enabled for Root CA startup and shutdown.

Access the Profile page via the profile icon in the top right corner of the SaaS portal Dashboard, then select Profile. For more information about the Dashboard, see Navigating the SaaS Portal.

Using Google Authenticator is not recommended because it does not back up your enrolled tokens. If you lose, damage, factory reset, or replace your phone, your codes will be lost. Instead, use one of the alternative authenticators that do back up enrolled codes, such as LastPass Authenticator or Microsoft Authenticator. Google Authenticator is a supported enrollment application, but it is not recommended due to its lack of backup functionality.

Enrolling in 2FA

To set up 2FA:

  1. Click the profile icon in the top right corner of the SaaS portal Dashboard and select Profile to access the Profile page.

  2. Expand the Password and Security accordion to expose the 2FA properties and click Set up.
  3. Confirm your portal login password to begin setting up 2FA, and then click Next.
  4. Specify a label for the phone to be enrolled so it can be easily identified, and then click Next.

  5. Scan the QR code that appears with your mobile authenticator application, and then click Next.
  6. Enter the 6-digit code in the confirmation box, and click Verify.

  7. Two-Factor Authentication is now set up for your account. Click Done on the confirmation dialog that appears.
  8. The Profile page now shows additional options with the details of the enrolled device, and an email is sent to the email address of the logged-in user, notifying them that a 2FA device has been enrolled.

Your SaaS portal account is now protected with 2FA. When you sign in, you are required to provide a token to verify your identity.

2FA on Root CA Startup

By default, 2FA on Root CA startup is enforced. To disable 2FA for starting the Root CA, toggle the Enforce for Root CA Start switch under the Options section of the Profile page.

Changing the Device Enrolled

To change the device enrolled:

  1. Click Change Phone on the PrimeKey SaaS portal Profile page.
  2. Confirm your portal login password to begin setting up 2FA, and then click Next.
  3. Confirm you have access to modify the token by providing a token from your mobile authenticator, and then click Verify.
  4. Enter a label for the new phone to be enrolled, and then click Next.
  5. Scan the QR code that appears, and click Next.
  6. Enter the code from your mobile authenticator app to confirm access to the existing token, and then click Verify.
  7. Click Done on the confirmation dialog that appears.
  8. An email will be sent to the email address of the logged-in user, notifying them that a 2FA device has been enrolled.

Deleting an Enrolled Device (Disable 2FA)

To delete an enrolled device and disable 2FA:

  1. From the SaaS portal Profile page, click the trash can icon next to the enrolled device.


  2. Confirm your portal password and click Next.
  3. Enter a token from your mobile authenticator app to confirm access to the existing token, and then click Verify.
  4. The token will be removed, and an email notifying of the configuration change will be sent to the email address of the user logged in to the PrimeKey SaaS portal.

Next - Configure EJBCA in EJBCA SaaS

Next, continue to Configure EJBCA SaaS in AWS.