All persons who are allowed to operate SSH Tectia Certifier must have an operator account created for them. Operators are identified with a short login name and a password (if TLS client authentication is not used). However, in most situations the most crucial identification method is the operator's TLS certificate.
This certificate can be stored on the operator's personal workstation, or on a cryptographic token such as a smart card.
If software storage is used, the security and integrity of the operating system in use are very important. Browsers can normally be configured to protect the private key with a password when the key is generated during web enrollment. Using this security feature is highly recommended.
Note also that if the certificates used for TLS client authentication are stored on the workstation, an operator can log in only from the specific workstation that stores the key.
The aforementioned problems can be avoided by creating the keys on a smart card.