MFA public FAQ


General questions about multifactor authentication (MFA)

Q: What is multifactor authentication (MFA)?

A: Multifactor authentication (MFA) is a way to prove who you are using more than one method to authenticate (or log in) to a system.

There are 3 “factors” you can use to prove who you are:

  • Something you know (e.g., a password)
  • Something you have (e.g., a smart card or token)
  • Something you are (e.g., fingerprints or retinal scan)

Multifactor authentication requires you to use at least two of these three factors.

Q: Why are we required to use MFA when accessing certain systems?

A: Using MFA can significantly reduce the risk of a cybersecurity incident due to weak or stolen user credentials. Cyber criminals do more than steal data; they often look to destroy it or take it for ransom, make changes to it or use servers to transmit propaganda, spam or malicious code.

Q: Which applications or lab systems require MFA?

A: MFA is required when accessing the lab’s email, VPN system as well as systems that contain sensitive information such as the lab’s business and financial systems such as eBS, Sunflower, CNAS, PeopleSoft, Project/Receiving/Budget Wizard, Oracle WebADI, GIBS (Retiree Billing) or the file server FINSRV44.

As threats evolve, additional systems and applications may be required to use MFA.

Q: What types of devices or tools does Fermilab currently use for MFA?

A: Fermilab uses primarily RSA tokens (hardware devices or a software app you can use on your phone) or YubiKeys. YubiKeys are required for those who access the lab’s business and financial systems. Either a YubiKey or RSA token can be used for accessing VPN. An RSA token is required to access email.

Q: Can I have two devices, one for work and one for home so I don’t have to carry them back and forth?

A: Different lab applications require different types of MFA tokens. For instance, you may need an RSA token to access email, but since you also access a lab business/finacial system such as eBS, Peoplesoft, Sunflower, CNAS, etc., you will also need a YubiKey. However, we strongly discourage a user from having multiple tokens of the same type. (Part of the point of MFA is that the token is not left unattended, either at home or in an office.)

RSA tokens

Q: What is an RSA token?

A: An RSA token is a device (either a small hardware device or an app you can install on your mobile device) used for MFA. The token generates a 6-digit number, which forms a passcode when entered along with a static PIN. The hardware token is a battery-powered device that displays a unique number every 60 seconds. A software token performs the same function, but can be installed on a mobile device such as a smart phone.

Q: How do I get an RSA token?

A: Contact the Service Desk.

Q: I want a soft token, but it says it is only available for phones, and I use a laptop. Do I have to get a hard token?

A: The soft token has to be installed on your phone (there’s no app for a Windows laptop, for instance). If you have an iOS or Android phone, you can use a soft token to generate a one-time code that you use, along with a PIN, to form a passcode that you input into the application on your laptop. If you do not want to generate the passcode from your phone, you will need a hard token.

Q: What operating systems does the RSA soft token run on?

A: The RSA SecureID software token requires Android 6.0 or later, iOS 13 or later and iPadOS. If you have an older device and cannot upgrade, you can use an RSA hard token.

Q: How do I set up the PIN number for my RSA Token?
A: Instructions on how to set up your PIN can be found in this article

Q: I encountered authentication problems with my RSA Token. What should I do?

A: If you encounter authentication problems, it may be due to the fact that the token code displayed on your RSA token does not match the token code generated by the Authentication Manager. If that is the case, you can resynchronize the tokens by following the instructions in this article. If this does not resolve your problem, please submit a Service Desk ticket.

Q: I no longer need my hardware RSA Token. What should
I do with it?

A: Please return your hardware token to the Service Desk.


Q: What is a YubiKey?

A: A YubiKey is a small hardware device that plugs into your computer. It requires that you enter a PIN, in addition to your password, to prove your identity.

Q: How do I get a YubiKey?

A: Visit the Service Desk on the Wilson Hall Ground Floor. You will be required to show your Fermilab ID in order to be issued a YubiKey. (YubiKeys are restricted to Fermilab employees)

Q: On which operating systems can my YubiKey run?

A: Fermilab will primarily support YubiKey devices on Windows and Mac systems, which are the officially supported desktop operating systems. Most popular versions of Linux, such as Red Hat, CentOS, and Ubuntu should also work with YubiKeys. However, some older third-party tools used in conjunction with smart cards may need to be uninstalled, or in some scenarios, a fresh install of the operating system might be required to clean up any traces of those tools.

Q: How do I install my YubiKey?

A: On a computer with a supported operating system, insert your YubiKey into a free USB port. On modern Windows or Mac computers, the YubiKey can just be plugged into a USB port so that the gold contacts on the YubiKey are touching the contacts inside your USB port. (For most computers, this will be so the gold contacts and button are facing up.) Your PC may start loading drivers for your YubiKey, so please wait at least 5-10 seconds while this process is complete. Once you plug in the YubiKey, the LED on the device will blink a number of times. The YubiKey should then be ready for use.

Q: How can I test my YubiKey?

A: From a web browser, open this URL

Select a certificate (The “Subject” should be your username and the “Issuer” should be “FERMI Sub CA 01”), then enter your PIN when prompted. If successful, a short list of values will be returned. This should include your name, dates the certificate is valid, serial number and issuer.

Q: Will my YubiKey break easily from being carried around?

A: YubiKeys are designed to be carried on a keychain and are fairly robust. We do not expect reasonable use to cause them to break.

Q: I am being asked to identify a keyboard on my Mac device–What do I do?

A: You can safely disregard this message (click here to see an example of the message). Click on the “X” in the upper right of the pop-up window. (You can read more about why this happens on the YubiKey vendor website)

Q: I no longer need my YubiKey. What should I do with it?

A: Please return your YubiKey to the Service Desk.

Q: Can I use a YubiKey to access my Fermilab email account when I am away from the lab?

A: No. An RSA token is required to access email.

Email and MFA

Q: Do I have to use MFA to read my email?

A: Yes. All lab employees, users and visitors are required to use an RSA token to access their Fermilab email account.

Q: How do I get an RSA token?

A: Contact the Service Desk.

Q: What email protocols am I allowed to use? Is IMAP allowed?

A: You must use the Exchange protocol to access your email. Many phones and tablets use the Exchange protocol by default. Here are instructions on configuring your device to use Exchange: Android, iOS,
Windows, or Mac OS

A workaround for IMAP users is to use Webmail/Outlook Web Application (OWA), since OWA supports Exchange authentication and will work with MFA.


Q: I use Thunderbird on Linux. What should I do?

A:  Some users have reported success using Evolution. This article contains information about how to configure Evolution Email for Linux (and MFA). Note: Evolution is not a Fermilab-supported email client. Otherwise, see the response to the previous question.

Q How is Webmail/Outlook Web Application (OWA) impacted by MFA?

A: You will be required to use an RSA token when you log into Webmail/OWA. First, you will be prompted to enter your Services account username and password; next, you will be prompted to enter your passcode from your RSA token.

Q: I have an older mobile device so I can’t install the RSA soft token app. What do I do?

A: The RSA SecureID software token requires Android 6.0 or later, iOS 13 or later and iPadOS. If you have an older device and cannot upgrade, you can use an RSA hard token.

Q: What if I don’t want to install the RSA software on my phone or tablet? Does that mean I can’t read email on my device?

A: You are not required to use an RSA soft token. If you wish to read your Fermilab email on your phone or tablet, and you do not want to install the RSA software on your phone or tablet, you can request for an RSA hard token.

Q: What do I do about automated alerts that I receive in email when offsite?

A: There are instructions on how to write an Outlook filter to forward emails with a particular sender/subject to your cell phone as a text message via email-to-text in this knowledge article.


Email troubleshooting & known issues

Q: Why did I get a “page expired” error when I tried to log in?

A: The pop-up window session to log into Outlook is only valid for a limited time. Once the session expires, you may have to re-enter your username, password and PIN+passcode again to successfully log in.