RSA Token Frequently Asked Questions (FAQs)

It seems as if my token has stopped working. What should I do?
You may visit the Test My OTP Token page to test your token or the OTP Token Diagnostics page to attempt to clear the problem. If you are unsuccessful, support is available.
What does the acronym OTP stand for?
OTP stands for One-Time Password.
What is two-factor authentication?
Two-factor authentication uses something you have and something you know. A common example of two-factor authentication is an ATM transaction. The ATM card is something you have, and your PIN is something you know.
What is a static password?
A static password is a password that does not change, or is rarely altered. Static passwords provide weak authentication.
What are OTP RSA SecurID tokens?
An RSA SecurID token is a hardware device, similar to a pocket watch. It can fit on a key ring or your badge holder. It is lightweight, water resistant, and tamperproof. It has a lifetime of 4 years. The token generates a new 6-digit number (tokencode) every 30 seconds. This tokencode, along with your PIN, implements a two-factor, one-time, 'passcode' to use when you access the systems.
What's the difference between a tokencode and a passcode?

A tokencode is the six digit number displayed on the front of your RSA SecurID token. The tokencode for most of the tokens at LLNL changes every 30 seconds. There is an indicator (a stack of six ticks on the left side of the display) which illustrates how much time is left before the tokencode changes. Once you use a tokencode, it becomes invalid. In addition, an unused tokencode "expires" shortly after the display changes.

A passcode is your PIN combined with tokencode. For example: If you have set your PIN to be a3baa3ba and the tokencode displayed on your token is 794573, then your passcode is a3baa3ba794573.

What are the Personal Identification Number (PIN) requirements?
Your PIN must:
  • Be 8 characters in length
  • Contain only valid characters:
    • Numbers 0 through 9
    • Letters 'a' through 'z'
  • Be alpha-numeric (ie contain both letters and numbers)
  • NOT contain obvious patterns such as '1111', '2345', 'abcde', etc.
Note: Letters are case insensitive. PINs 'ABCD1234', 'abcd1234' and 'AbcD1234' are all equivalent.
What do OTP tokens look like?
Below is an image of the most common type of RSA Securid token.
Where can I use my OTP RSA SecurID token?
Your token gives you access to the following:
  • All LC systems that previously required a DCE password
  • Remote Access Services (VPN, VPN-BLUE, VPN-C)
  • Some institutional services
  • Some desktop systems
Do I need to request an OTP RSA SecurID token?
No. A token will be issued to you if you are granted access to a service that requires OTP authentication. You will have ample time to test and be sure that the OTP works.
How do I enter the OTP password (passcode)?
Each time you login, you will be prompted for a user name and a password (or passcode). When you use your OTP token to authenticate, your password/passcode is your <PIN><tokencode> (without angle brackets.) The tokencode is the number currently displayed by the OTP token. The passcode must be a single string without spaces. For example: If you have set your PIN to be a3baa3ba and the tokencode displayed on your token is 794573, then your passcode is a3baa3ba794573.
What will I have to do when the OTP RSA SecurID System is implemented?
Currently, you are required to know your login name and a password for logins into different systems. These passwords will be replaced by an 8 character PIN, and an OTP token. This token is similar to a secure card (like the CryptoCard), but it is much smaller and more durable. It displays a 6-digit number that changes every 30 seconds. You will use the combination of the PIN plus the 6-digit number instead of the password you are currently using.
What steps should be taken if my token has been stolen or lost?
If your token(s) have been lost or stolen, contact support as soon as you are aware of the loss. The lost or stolen token is put in a disabled state, so it no longer poses a security risk. If necessary, your account can be placed in Emergency Access mode so you can authenticate while a replacement token is shipped to you.
I have forgotten my PIN, what are the steps to reset it?
You may be able to reset your own PIN. Visit the OTP Set Pin page, fill out and submit the form. If you cannot set your PIN using the web pages, contact support and request a temporary PIN.
I left my token at home/work/etc. (My dog ate my token.) How do I log in?
Contact support. They will be able to give you temporary, alternate access while a replacement token is being sent to you.
How do I return a token I no longer need? Is there any special package requirements or rules when shipping back a token?

For on-site users, return the token via Lab mail to LivIT Service Desk, L-279. For off-site users, send the token through regular US Mail to:

LivIT Service Desk
PO Box 808
Livermore, CA 94550

If the token has expired or is broken and you are returning it for disposal, no special packaging is needed. If the token still works, please wrap it in the equivalent of a couple of sheets of (clean!) facial tissue.

In general, where can I obtain further information regarding tokens?

You can see how the token works by taking a product tour at

In addition, if you have any questions, you can contact support.

I got a token lock notification, but my token seems to be working. Why?
The token lock reporting mechanism lags behind the actual lock. It is possible that you have already corrected the problem before you get the message. Some clients will prompt for a second tokencode and automatically clear your account when you enter it.
How does my token get out-of-sync with the server?
Each token has its own clock that can drift out of sync with the servers clock. The server detects and automatically corrects for a small amount of drift, but a token that is unused for a period of time (weeks to months) could drift too far for automatic compensation. It is possible to enter a tokencode 'late' -- if the tokencode is still valid, the server may assume that the token clock has drifted and apply an erroneous compensation that affects the next authentication.