The gateways uses two built-in security mechanisms to control access to ECMWF:

• Interactive authentication fro SFTP/FTP: users will be prompted for their ECMWF user identifier and the PASSCODE (obtained by entering their PIN number into the security token or from their TOTP device).
• Batch authentication: users need to create an ECaccess certificate before they access ECMWF facilities. This method allows Member State users to automate authentication within scripts. The HTTP/S and SSH plugins support only the first method. The FTP plugin supports both.

The ECaccess certificate is a standard X509 digital certificate saved on the user's computer as a file. It identifies a user to the gateway. The ECaccess Certification Authority (ECCA) signs each certificate. Therefore, when a user provides his certificate to the gateway, its signature is checked using the ECCA public key for verification. A certificate can be created:

• Using the "ecaccess-certificate-create" command: this is described in Certificate management
• Using the Web interface: login to the Web server (providing an ECMWF user identifier and token PASSCODE) and in the menu click the "Get Certificate" option to download the new Certificate, see The Web server.

The ECaccess certificate is valid for 7 days for all services.