
MFA - FAQs


2.0 - Last modified on 2024-09-17 Revised by Fang Wang

1.0 - Created on 2022-06-30 Authored by Evely Ortiz

Multifactor authentication (MFA) - Frequently asked questions 

 



General questions about multifactor authentication (MFA)

Q: What is multifactor authentication (MFA)?

A:  Multifactor authentication (MFA) is a way to prove who you are by using more than one method to authenticate (or log in) to a system.

      There are 3 “factors” you can use to prove who you are:

Multifactor authentication requires you to use at least two of these three factors.


Q: Why are we required to use MFA when accessing certain systems?

A: Using MFA can significantly reduce the risk of a cybersecurity incident due to weak or stolen user credentials.  Cyber criminals do more than steal data; they often look to destroy it or take it for ransom, make changes to it or use servers to transmit propaganda, spam or malicious code.


Q: Which applications or lab systems require MFA?

A: MFA is required when accessing the lab’s email, VPN, and business and financial systems (e.g., eBS, Sunflower, CNAS, and PeopleSoft).

The Information Technology Division is implementing MFA controls that require users to use a YubiKey to log in to their Fermilab-owned laptops/desktops. This MFA requirement is being rolled out to organizations in batches. You will receive an email notification with detailed instructions prior to your rollout date.

As threats evolve, additional systems and applications may be required to use MFA.


Q: What types of devices or tools does Fermilab currently use for MFA?

A: Fermilab primarily uses RSA tokens (hardware devices or a software app you can use on your phone) or YubiKeys. YubiKeys are required for those who access the lab’s business and financial systems and can be used to log in to a Fermilab-owned laptop/desktop. Either a YubiKey or RSA token can be used for accessing VPN or email. An RSA token can be used to access certain websites.


Q: Do you plan to replace RSA tokens with YubiKeys?
A: No, we currently have no plan to replace RSA tokens with YubiKeys. If you have an RSA token, you can continue to use it as before. A YubiKey can be used to log in to your Fermilab-owned desktop/laptop, the lab’s financial/business systems, email and VPN, whereas an RSA token can be used to log in to email, VPN and certain websites.


Q: Can I have two devices, one for work and one for home so I don’t have to carry them back and forth?

A: Different lab applications require different types of MFA tokens. For instance, you may need an RSA token or a YubiKey to read email, but if you also access a lab business/financial system such as eBS, PeopleSoft, Sunflower, CNAS, etc., you will need a YubiKey. However, we strongly discourage users from having multiple tokens of the same type. (Part of the point of MFA is that the token is not left unattended, either at home or in an office.)

 


 

 

RSA tokens

Q: What is an RSA token?

A: An RSA token is a device (either a small hardware device or an app you can install on your mobile device) used for MFA.  The token generates a 6-digit number, which forms a passcode when entered along with a static PIN.  The hardware token is a battery-powered device that displays a unique number every 60 seconds.  A software token performs the same function, but can be installed on a mobile device such as a smart phone.

 


Q: How do I get an RSA token?

A:

  1. On the Service Desk website, log in with your Services account.
  2. In the search box, type “rsa”.
  3. Click on the link “RSA Token Request”.
  4. There are options in the form for hardware/software token. For users who are offsite, we will email your software token to you. If you request a hard token, you will be given the opportunity to provide a postal address.

 


 

Q: I want a soft token, but it says it is only available for phones, and I use a laptop. Do I have to get a hard token?

A: The soft token must be installed on your phone (there’s no app for a Windows laptop, for instance). If you have an iOS or Android phone, you can use a soft token to generate a one-time code that you use, along with a PIN, to form a passcode that you input into the application on your laptop. If you do not want to generate the passcode from your phone, you will need a hard token.

 


 

Q: What operating systems does the RSA soft token app run on?

A: The RSA SecurID Software Token app requires Android 6.0 or later, iOS or iPadOS. If you have an old device and cannot install the RSA SecurID Software Token app, you can request an RSA hard token.


 

Q: How do I set up the PIN for my RSA Token?

A: Instructions on how to set up your PIN can be found in this article.

 


Q: I encountered authentication problems with my RSA Token. What should I do? 

A: If you encounter authentication problems, it may be because the token code displayed on your RSA token does not match the token code generated by the Authentication Manager. If that is the case, you can resynchronize the tokens by following the instructions in this article. If this does not resolve your problem, please submit a Service Desk ticket.
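How a 60-second token code, the static PIN and resynchronization fit together, as an added example that is not Fermilab's or RSA's code: it uses the public RFC 6238 TOTP algorithm as a stand-in for the proprietary token algorithm. It assumes the passcode is the PIN followed by the token code, that the mismatch comes from clock drift, and that resynchronization uses two consecutive codes; the seed, PIN and times are constructed.

```python
import hashlib, hmac, struct

STEP, DIGITS = 60, 6             # one 6-digit code per 60 s, as the FAQ describes
SEED = b"constructed-demo-seed"  # constructed sample values, not real credentials
PIN = "4821"

def token_code(seed, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1): public stand-in for the proprietary token algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(seed, pin, passcode, server_time, drift_steps=0, window=1):
    """Check PIN + token code, tolerating +/- `window` steps around the stored drift."""
    entered_pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    if not hmac.compare_digest(entered_pin.encode(), pin.encode()):
        return False
    return any(
        hmac.compare_digest(
            code.encode(),
            token_code(seed, server_time + (drift_steps + d) * STEP).encode())
        for d in range(-window, window + 1)
    )

def resynchronize(seed, code_now, code_next, server_time, search=10):
    """Recover the token's clock drift (in steps) from two consecutive codes, else None."""
    for drift in range(-search, search + 1):
        t = server_time + drift * STEP
        if token_code(seed, t) == code_now and token_code(seed, t + STEP) == code_next:
            return drift
    return None

def demo():
    server_time = 1_700_000_000          # constructed server clock
    token_time = server_time + 4 * STEP  # token clock runs four minutes fast
    code_now = token_code(SEED, token_time)
    code_next = token_code(SEED, token_time + STEP)
    rejected = verify(SEED, PIN, PIN + code_now, server_time)
    drift = resynchronize(SEED, code_now, code_next, server_time)
    accepted = verify(SEED, PIN, PIN + code_now, server_time, drift_steps=drift)
    return rejected, drift, accepted

if __name__ == "__main__":
    print(demo())
```

Requiring two consecutive codes during resynchronization keeps a single guessed or observed code from shifting the server's stored drift.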

 

 


Q: I no longer need my hardware RSA Token. What should I do with it?
A: Please return your hardware token to the Service Desk.

 


 

 

YubiKeys

 

Q: What is a YubiKey?

A: A YubiKey is a small hardware device that plugs into a USB port of your computer. It requires that you enter a PIN to prove your identity.

 


 

Q: Can I use a YubiKey to access my Fermilab email account when I am away from the lab?

A: Yes, either a YubiKey or an RSA token can be used to access email. 

 


 

Q: How do I get a YubiKey?

A: Please follow the instructions in this article: https://fermi.servicenowservices.com/kb_view.do?sysparm_article=KB0015036

 


Q: On which operating systems can my YubiKey run?

A: Fermilab will primarily support YubiKey devices on Windows and Mac systems, which are the officially supported desktop operating systems.  Most popular versions of Linux, such as Red Hat, CentOS, and Ubuntu should also work with YubiKeys.  However, some older third-party tools used in conjunction with smart cards may need to be uninstalled, or in some scenarios, a fresh install of the operating system might be required to clean up any traces of those tools.

 

 


Q: How do I install my YubiKey?

A: On a computer with a supported operating system, insert your YubiKey into a free USB port. On modern Windows or Mac computers, the YubiKey can just be plugged into a USB port so that the gold contacts on the YubiKey are touching the contacts inside your USB port.  (For most computers, this will be so the gold contacts and button are facing up.) Your PC may start loading drivers for your YubiKey, so please wait at least 5-10 seconds until this process completes.  Once you plug in the YubiKey, the LED on the device will blink a number of times.  The YubiKey should then be ready for use.

 


Q: How can I test my YubiKey?

A: From a web browser, open this URL

Select a certificate (The “Subject” should be your username and the “Issuer” should be “FERMI Sub CA 01”), then enter your PIN when prompted.  If successful, a short list of values will be returned.  This should include your name, dates the certificate is valid, serial number and issuer.

 


 

Q: Will my YubiKey break easily from being carried around?

A: YubiKeys are designed to be carried on a keychain and are fairly robust. We do not expect reasonable use to cause them to break.

 


 

Q: I am being asked to identify a keyboard on my Mac device. What do I do?

A: You can safely disregard this message (click here to see an example of the message). Click on the “X” in the upper right of the pop-up window. (You can read more about why this happens on the YubiKey vendor website.)

 


 

Q: I no longer need my YubiKey. What should I do with it?

A: Please return your YubiKey to the Service Desk.

 

 


Laptop and desktop login and MFA

Q: How do I log in to a Fermilab-owned laptop or desktop with a YubiKey?

A: For instructions for Windows users, see this article:

https://fermi.servicenowservices.com/kb_view.do?sysparm_article=KB0014702

For instructions for Mac users, see this article:

https://fermi.servicenowservices.com/kb_view.do?sysparm_article=KB0015041


Q: Can I log in to a Fermilab-owned laptop or desktop with an RSA token?

A: No, you cannot log in to a Fermilab-owned laptop or desktop with an RSA token.


Q: How do I get a YubiKey?

A: Please follow the instructions in this article: https://fermi.servicenowservices.com/kb_view.do?sysparm_article=KB0015036

 

 


Email and MFA

 

Q: Do I have to use MFA to read my email?

A: Yes. You are required to use MFA to access your Fermilab email account. 

 


 

Q: Do I have to log in with MFA every time I want to read my email?

A: You will need to log in using MFA every 30 days, provided nothing has manipulated your account in the meantime, such as a password change. (There is an inactivity timer that is triggered if you do not check email within 14 days; for example, if you close your laptop and go on vacation for two weeks, you will have to log in when you get back.) Testing has shown that within your email session, you can move between various locations (e.g., from FNAL to home to Starbucks) without needing to log in again.

 


 

Q: How do I get an RSA token?

A:

  1. On the Service Desk website, log in with your Services account.
  2. In the search box, type “rsa”.
  3. Click on the link “RSA Token Request”.
  4. There are options in the form for hardware/software token. For users who are offsite, we will email your software token to you. If you request a hard token, you will be given the opportunity to provide a postal address.

 


 

Q: What email protocols am I allowed to use if I read email offsite? Is IMAP allowed?

A: You must use the Exchange protocol to access your email. Many phones and tablets use the Exchange protocol by default. Here are instructions on configuring your device to use Exchange: Android, iOS, Windows, or Mac OS.

A workaround for IMAP users is to use Webmail/Outlook Web Application (OWA), since OWA supports Exchange authentication and will work with MFA.  

 


 

Q: How is Webmail/Outlook Web Application (OWA) impacted by MFA?

A: You will be required to use MFA when you log into Webmail/OWA. For detailed instructions, read this article.

 


 

Q: I have an older mobile device so I can’t install the RSA soft token app. What do I do?

A: The RSA SecurID Software Token app requires Android 6.0 or later, iOS or iPadOS. If you have an old device and cannot install the RSA SecurID Software Token app, you can request an RSA hard token.

 


 

Q: What if I don’t want to install software on my phone or tablet? Does that mean I can’t read email on my device?

A: You are not required to use an RSA soft token. If you wish to read your Fermilab email on your phone or tablet, and you do not want to install the RSA software on your phone or tablet, you can request an RSA hard token.