MFA public FAQ


General questions about multifactor authentication (MFA)

Q: What is multifactor authentication (MFA)?

A: Multifactor authentication (MFA) is a way to prove who you are using more than one method to authenticate (or log in) to a system.

There are 3 “factors” you can use to prove who you are:

  • Something you know (e.g., a password)
  • Something you have (e.g., a smart card or token)
  • Something you are (e.g., fingerprints or retinal scan)

Multifactor authentication requires you to use at least two of these three factors.

Q: Why are we required to use MFA when accessing certain systems?

A: Using MFA can significantly reduce the risk of a cybersecurity incident due to weak or stolen user credentials. Cyber criminals do more than steal data; they often look to destroy it or take it for ransom, make changes to it or use servers to transmit propaganda, spam or malicious code.

Q: Which applications or lab systems require MFA?

A: MFA is required when accessing the lab’s VPN system as well as systems that contain sensitive information such as the lab’s business and financial systems such as eBS, Sunflower, CNAS, PeopleSoft, Project/Receiving/Budget Wizard, Oracle WebADI, GIBS (Retiree Billing) or the file server FINSRV44.

Beginning Apr. 30, 2020,all email users who are off-site and who do not use VPN to access their email will be required to use MFA. These users will need an RSA token.

As threats evolve, additional systems and applications may be required to use MFA.

Q: What types of devices or tools does Fermilab currently use for MFA?

A: As of May 2019, Fermilab uses primarily RSA tokens (hardware devices or a software app you can use on your phone) or YubiKeys. YubiKeys are required for those who access the lab’s business and financial systems. Either a YubiKey or RSA token can be used for accessing VPN. An RSA token will soon be required to read email if you are offsite and not using VPN.

Beginning Apr. 30, 2020,all email users who are off-site and who do not use VPN to access their email will be required to use MFA. These users will need an RSA token.

Q: Can I have two devices, one for work and one for home so I don’t have to carry them back and forth?

A: Different lab applications require different types of MFA tokens. For instance, you may need an RSA token to read email while offsite, but since you also access a lab business/finacial system such as eBS, Peoplesoft, Sunflower, CNAS, etc., you will also need a YubiKey. However, we strongly discourage a user from having multiple tokens of the same type. (Part of the point of MFA is that the token is not left unattended, either at home or in an office.)

RSA tokens

Q: What is an RSA token?

A: An RSA token is a device (either a small hardware device or an app you can install on your mobile device) used for MFA. The token generates a 6-digit number, which forms a passcode when entered along with a static PIN. The hardware token is a battery-powered device that displays a unique number every 60 seconds. A software token performs the same function, but can be installed on a mobile device such as a smart phone.

Q: How do I get an RSA token?

A: Contact the Service Desk.

Q: I want a soft token, but it says it is only available for phones, and I use a laptop. Do I have to get a hard token?

A: The soft token has to be installed on your phone (there’s no app for a Windows laptop, for instance). If you have an iOS or Android phone, you can use a soft token to generate a one-time code that you use, along with a PIN, to form a passcode that you input into the application on your laptop. If you do not want to generate the passcode from your phone, you will need a hard token.

Q: What operating systems does the RSA soft token run on?

A: The RSA SecureID software token requires Android 6.0 or later, iOS 13 or later and iPadOS. If you have an older device and cannot upgrade, you can use an RSA hard token.

Q: How do I set up the PIN number for my RSA Token?
A: Instructions on how to set up your PIN number can be found in this article

Q: I encountered authentication problems with my RSA Token. What should I do?

A: If you encounter authentication problems, it may be due to the fact that the token code displayed on your RSA token does not match the token code generated by the Authentication Manager. If that is the case, you can resynchronize the tokens by following the instructions in this article. If this does not resolve your problem, please submit a Service Desk ticket.

Q: I no longer need my hardware RSA Token. What should
I do with it?

A: Please return your hardware token to the Service Desk.


Q: What is a YubiKey?

A: A YubiKey is a small hardware device that plugs into your computer. It requires that you enter a PIN, in addition to your password, to prove your identity.

Q: Which lab applications require a YubiKey?

A: Many of the business and financial web applications will require a YubiKey when accessing them through Citrix. These applications include eBS, Sunflower, CNAS, PeopleSoft, Project/Receiving/Budget Wizard, Oracle WebADI, GIBS (Retiree Billing) and the file server, FINSRV44. In addition, individuals who access personally identifiable information (PII) in FermiWorks need to use a YubiKey. Users who have been issued a YubiKey for Citrix can use either a YubiKey or an RSA token when accessing the VPN system.

Beginning Apr. 30, 2020, all email users who are off-site and who do not use VPN to access their email will be required to use MFA. Most users will use RSA tokens to access email; a few may use their YubiKey (see below for further detail).

Q: Can I use a YubiKey to access my Fermilab email account when I am away from the lab?

A: The only way you can use a YubiKey to access email with only your Services account username and password is to establish a VPN connection.

If you never access your Fermilab email account while away from the lab, or if you only access email on the same device on which you use VPN and your YubiKey, you can access your email as usual. However, if, when offsite, you use VPN on your laptop but read email on another device, such as your mobile phone or tablet, you must obtain an RSA token to continue to read email on that device as of Apr. 30, 2020.

Q: How do I get a YubiKey?

A: Visit the Service Desk on the Wilson Hall Ground Floor. You will be required to show your Fermilab ID in order to be issued a YubiKey. (YubiKeys are restricted to Fermilab employees)

Q: On which operating systems can my YubiKey run?

A: Fermilab will primarily support YubiKey devices on Windows and Mac systems, which are the officially supported desktop operating systems. Most popular versions of Linux, such as Red Hat, CentOS, and Ubuntu should also work with YubiKeys. However, some older third-party tools used in conjunction with smart cards may need to be uninstalled, or in some scenarios, a fresh install of the operating system might be required to clean up any traces of those tools.

Q: How do I install my YubiKey?

A: On a computer with a supported operating system, insert your YubiKey into a free USB port. On modern Windows or Mac computers, the YubiKey can just be plugged into a USB port so that the gold contacts on the YubiKey are touching the contacts inside your USB port. (For most computers, this will be so the gold contacts and button are facing up.) Your PC may start loading drivers for your YubiKey, so please wait at least 5-10 seconds while this process is complete. Once you plug in the YubiKey, the LED on the device will blink a number of times. The YubiKey should then be ready for use.

Q: How can I test my YubiKey?

A: From a web browser, open this URL

Select a certificate (The “Subject” should be your username and the “Issuer” should be “FERMI Sub CA 01”), then enter your PIN when prompted. If successful, a short list of values will be returned. This should include your name, dates the certificate is valid, serial number and issuer.

Q: Will my YubiKey break easily from being carried around?

A: YubiKeys are designed to be carried on a keychain and are fairly robust. We do not expect reasonable use to cause them to break.

Q: I am being asked to identify a keyboard on my Mac device–What do I do?

A: You can safely disregard this message (click here to see an example of the message). Click on the “X” in the upper right of the pop-up window. (You can read more about why this happens on the YubiKey vendor website)

Q: I no longer need my YubiKey. What should I do with it?

A: Please return your YubiKey to the Service Desk.

Email and MFA

Q: Do I have to use MFA to read my email?

A: By Apr. 30, 2020, all lab employees, users and visitors will only be required to use MFA to access your Fermilab email account if they are offsite and if they are not accessing email on a device that is using the Fermilab VPN system. If you are working at the lab, or if you are using VPN away from the lab, you will access your email as you do today by entering your Services username/password. RSA tokens (either hardware of software) will be used to access email while you are offsite and not using VPN.

Q: How do I get an RSA token?

A: Contact the Service Desk.

Q: When can I obtain my RSA token?

A: You can obtain your RSA token any time by contacting the Service Desk. We strongly recommend that you obtain it well in advance of the Apr. 30, 2020 requirement to use MFA so that you can familiarize yourself with the process and avoid disrupted access to email while offsite.

Q: What email protocols am I allowed to use if I read email offsite? Is IMAP allowed?


Microsoft will deprecate the use of IMAP soon—likely, around October 2020. Because the IMAP protocol does not work with multifactor authentication (MFA), Fermilab will be disabling the use of IMAP offsite and via VPN a few months earlier, on March 24, 2020. We will disable the use of IMAP onsite on Apr. 15.

You must use the Exchange protocol to access your email. Many phones and tablets use the Exchange protocol by default. Here are instructions on configuring your device to use Exchange: Android, iOS,
Windows, or Mac OS

A workaround for IMAP users is to use Webmail/Outlook Web Application (OWA) while offsite, since OWA supports Exchange authentication and will work with MFA.

How to install VPN on your device (not recommended unless you need to use VPN for additional applications):

On a Fermilab-managed device
On a non-Fermilab-managed device

Q: I use Thunderbird on Linux. What should I do?

A: Since Thunderbird uses IMAP, which will soon be disabled at Fermilab (and in a few months, by Microsoft as well), it won’t work for accessing your email. Some users have reported success using Evolution. This article contains information about how to configure Evolution Email for Linux (and MFA). Note: Evolution is not a Fermilab-supported email client. Otherwise, see the response to the previous question.

Q How is Webmail/Outlook Web Application (OWA) impacted by MFA?

A: If you are onsite or using VPN when you log into Webmail/OWA, you will just enter your Services username and password, just as you do today. However, if you are offsite and not using VPN and you wish to log in to Webmail/OWA, you will be prompted both to enter your Services account username and password and your passcode, which you’ll obtain from your MFA device (typically, an RSA token).

Q: I have an older mobile device so I can’t install the RSA soft token app. What do I do?

A: The RSA SecureID software token requires Android 6.0 or later, iOS 13 or later and iPadOS. If you have an older device and cannot upgrade, you can use an RSA hard token.

Q: What if I don’t want to install software on my phone or tablet? Does that mean I can’t read email on my device?

A: You are not required to use an RSA soft token. If you wish to read your Fermilab email on your phone or tablet while offsite, and you do not want to install the RSA software on your phone or tablet, you can get an RSA hard token.

Q: What do I do about automated alerts that I receive in email when offsite?

A: There are instructions on how to write an Outlook filter to forward emails with a particular sender/subject to your cell phone as a text message via email-to-text in this knowledge article.

Q: I have my Fermilab email forwarded to my Gmail account and send email from there. How will I be impacted by the requirement to use MFA for email?

A: Individuals who are forwarding email to non-Fermilab email accounts and who send, reply or forward from there by using the server will no longer be able to use this method after Apr. 15, 2020. While forwarding email to an outside email address is not currently prohibited by lab policy, you are required to send Fermilab email using an email server that Fermilab controls. After April 15, 2020, you can continue to forward email, but any sending or replying must be performed by direct login to the Fermilab Office 365 mail service, which will require MFA.


Email troubleshooting & known issues

Q: Why did I get a “page expired” error when I tried to log in?

A: The pop-up window session to log into Outlook is only valid for a limited time. Once the session expires, you may have to re-enter your username, password and PIN+passcode again to successfully log in.