Hi @Yuri Augusto Da Costa, welcome to Microsoft Q&A,
There are two relatively direct methods.
One is to use Windows API Hook to intercept the CertOpenStore call of the certificate store, and prevent the certificate from being read before the user passes the OTP verification. This requires the use of API Hook technology, which may have compatibility issues. It directly intercepts certificate access and can forcibly block requests that are not OTP authenticated. It can be applied to all applications that use certificates.
One is to only intercept the C# application developed by yourself, and you can manually verify the OTP when loading the certificate, and then decide whether to use the certificate.
Best Regards,
Jiale
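An added example of the second method in the answer above (not code from the answer itself): a C# loader that opens the certificate store only after an OTP check succeeds. It assumes the OTP is a 6-digit RFC 6238 TOTP with a 30-second step; the class name `OtpGatedCertificateLoader`, the shared secret handling and the `CurrentUser\My` store are illustrative assumptions.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class OtpGatedCertificateLoader   // hypothetical name
{
    // RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, 6 digits.
    static string Totp(byte[] secret, long counter)
    {
        Span<byte> msg = stackalloc byte[8];
        BinaryPrimitives.WriteInt64BigEndian(msg, counter);
        using var hmac = new HMACSHA1(secret);
        byte[] mac = hmac.ComputeHash(msg.ToArray());
        int offset = mac[^1] & 0x0F;             // dynamic truncation (RFC 4226)
        int bin = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
                | (mac[offset + 2] << 8) | mac[offset + 3];
        return (bin % 1_000_000).ToString("D6");
    }

    public static bool VerifyOtp(byte[] secret, string code, DateTimeOffset now)
    {
        long step = now.ToUnixTimeSeconds() / 30;
        bool ok = false;
        // Accept one step of clock drift either side; compare in constant time.
        for (long c = step - 1; c <= step + 1; c++)
        {
            ok |= CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(Totp(secret, c)),
                Encoding.ASCII.GetBytes(code ?? string.Empty));
        }
        return ok;
    }

    // The store is opened only after the OTP check succeeds.
    public static X509Certificate2 LoadCertificate(byte[] secret, string code, string thumbprint)
    {
        if (!VerifyOtp(secret, code, DateTimeOffset.UtcNow))
            throw new UnauthorizedAccessException("OTP verification failed; certificate not loaded.");

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count > 0 ? found[0]
            : throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");
    }
}
```

This check gates only this application's own code path; other processes running as the same user can still open the store directly. The sketch does not record which time step was last accepted, so a code can be reused within its validity window unless the caller tracks that.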