Two-factor authentication requires a current, valid certificate; without one, the feature is disabled. Symantec Mobility handles the certificate renewal for SaaS customers. For on-premises tenants, before the current certificate expires you must ask Symantec Mobility to set up two-factor authentication for you again using a new certificate. You can view and manage authentication certificates on the Settings > Certificates > Authentication certificates page.
You are notified by email when your certificate is about to expire. However, setting up two-factor authentication can take several days, so as a best practice you should enable the Certificate Expiration notification email setting to remind you in sufficient time to re-register.
1. On the Mobility Manager left pane, click Settings > Authentication and roles > Admin authentication.
2. On the right pane under Two-factor authentication, click Request setup again.
3. Click Browse, then locate and select the certificate.
   You must upload a valid certificate, and it must be valid for at least 30 days after the date you submit it. The file must be in .p12 file format. If your certificate is invalid, Symantec Mobility denies your request to set up two-factor authentication. You must then re-request setup and upload a new, valid certificate.
   You can use a certificate issued by a certificate authority (CA) or a self-signed certificate issued from your server.
4. Optionally, type a pass phrase for the certificate and click Save.
   Your request is automatically sent to Symantec Mobility. In 3 to 5 days, an email notification that contains a verification key is sent to the primary administrator and to the administrator who requested the two-factor authentication setup. This email indicates whether your setup request was approved or rejected.
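Because an invalid certificate means re-requesting setup and waiting again, it helps to check the .p12 file locally before uploading it. The following is an added example, not part of the Symantec documentation: it assumes the OpenSSL command-line tool is installed, and the function name check_p12 and the P12_PASS environment variable are hypothetical.

```sh
#!/bin/sh
# Added example: pre-upload check for a .p12 bundle (not Symantec's own tooling).
# MIN_DAYS mirrors the 30-day validity rule stated in the step above.
MIN_DAYS=30

# check_p12 FILE
# The pass phrase is read from the P12_PASS environment variable (assumed
# name) so that it never appears on a command line; empty means none.
# Returns 0 if the certificate is still valid MIN_DAYS from now,
#         1 if it expires sooner,
#         2 if the bundle cannot be opened (wrong pass phrase, not PKCS#12).
check_p12() {
    p12=$1
    P12_PASS=${P12_PASS:-}
    export P12_PASS

    # Extract only the end-entity certificate; the private key is never written out.
    cert=$(openssl pkcs12 -in "$p12" -nokeys -clcerts \
               -passin env:P12_PASS 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2

    # -checkend exits non-zero when the certificate expires within N seconds.
    if printf '%s\n' "$cert" |
        openssl x509 -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1
    then
        printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
        return 0
    fi

    # Too close to expiry: show the end date on stderr for the operator.
    printf '%s\n' "$cert" | openssl x509 -noout -enddate >&2
    return 1
}

# Usage (file name is a placeholder):
#   P12_PASS='...' ; export P12_PASS ; check_p12 admin-auth.p12
```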
Enter verification key, validate, and enable two-factor authentication
1. When you receive the email notification from Symantec Mobility, on the Mobility Manager left pane, click Settings > Authentication and roles > Admin authentication.
2. Type the verification key and click Validate.
   If your verification key is rejected, or if you get a success message but the certificate that you uploaded expired before you validated the verification key, repeat the process beginning with step 2 in Renew two-factor authentication above. If your verification key is successful, proceed with the next step.
   If you have previously set up two-factor authentication and you receive notification from Symantec Mobility that the new certificate is invalid, you can revert to a previous certificate that has not yet expired. That way your organization can continue to use two-factor authentication until you can successfully complete the re-setup process.
3. On the right pane under Two-factor authentication, click Off to enable the feature.
   When you click Off, On appears. This indicates that the feature is enabled.