RSA Token Frequently Asked Questions (FAQs)
It seems as if my token has stopped working. What should I do?
You may visit the Test My OTP Token
page to test your token or the OTP Token Diagnostics
page to attempt to clear the problem.
If you are unsuccessful, support
What does the acronym OTP stand for?
OTP stands for One-Time Password.
What is two-factor authentication?
Two-factor authentication uses something you have and
something you know. A common example of two-factor authentication is an
ATM transaction. The ATM card is something you have, and
your PIN is something you know.
What is a static password?
A static password is a password that does not change,
or is rarely altered. Static passwords provide weak authentication.
What are OTP RSA SecurID tokens?
An RSA SecurID token is a hardware device, similar
to a pocket watch. It can fit on a key ring or your badge holder. It is
lightweight, water resistant, and tamperproof. It has a lifetime of 4 years.
The token generates a new 6-digit number (tokencode) every 30 seconds.
This tokencode, along with your PIN, implements a two-factor, one-time,
'passcode' to use when you access the systems.
What's the difference between a tokencode and a passcode?
A tokencode is the six digit number
displayed on the front of your RSA SecurID token. The tokencode for most
of the tokens at LLNL changes every 30 seconds. There is an indicator
(a stack of six ticks on the left side of the display) which illustrates
how much time is left before the tokencode changes. Once you use a tokencode,
it becomes invalid. In addition, an unused tokencode "expires"
shortly after the display changes.
A passcode is your PIN combined with tokencode. For
example: If you have set your PIN to be a3baa3ba and
the tokencode displayed on your token is 794573, then
your passcode is a3baa3ba794573.
What are the Personal Identification Number (PIN) requirements?
Your PIN must:
- Be 8 characters in length
- Contain only valid characters:
- Numbers 0 through 9
- Letters 'a' through 'z'
- Be alpha-numeric (ie contain both letters and numbers)
- NOT contain obvious patterns such as '1111', '2345', 'abcde', etc.
Letters are case insensitive. PINs 'ABCD1234', 'abcd1234' and 'AbcD1234' are all equivalent.
What do OTP tokens look like?
Below is an image of the most common type of RSA Securid token.
Where can I use my OTP RSA SecurID token?
Your token gives you access to the following:
- All LC systems that previously required a DCE password
- Remote Access Services (VPN, VPN-BLUE, VPN-C)
- Some institutional services
- Some desktop systems
Do I need to request an OTP RSA SecurID token?
No. A token will be issued to you if you are granted
access to a service that requires OTP authentication. You will have ample
time to test and be sure that the OTP works.
How do I enter the OTP password (passcode)?
Each time you login, you will be prompted for a user
name and a password (or passcode). When you use your OTP token to authenticate,
your password/passcode is your <PIN><tokencode>
(without angle brackets.) The tokencode is the number currently displayed by
the OTP token. The passcode must be a single string without spaces. For
example: If you have set your PIN to be a3baa3ba and the
tokencode displayed on your token is 794573, then your
passcode is a3baa3ba794573.
What is the difference between the OTP PIN and a PAC?
Your PAC is a complete, static password that can be
used for most institutional services. Your OTP PIN is a 8 character
alpha-numeric string that must be used with the 'tokencode' produced by
your OTP RSA SecurID token.
What will I have to do when the OTP RSA SecurID System is implemented?
Currently, you are required to know your login name
and a password for logins into different systems. These passwords will be
replaced by an 8 character PIN, and an OTP token. This token is similar
to a secure card (like the CryptoCard), but it is much smaller and more
durable. It displays a 6-digit number that changes every 30 seconds.
You will use the combination of the PIN plus the 6-digit number instead
of the password you are currently using.
What steps should be taken if my token has been stolen or lost?
If your token(s) have been lost or stolen, contact
as soon as you are aware of the loss. The lost or stolen token is put in
a disabled state, so it no longer poses a security risk. If necessary,
your account can be placed in Emergency Access mode so you can authenticate
while a replacement token is shipped to you.
I have forgotten my PIN, what are the steps to reset it?
You may be able to reset your own PIN. Visit the
OTP Set Pin
page, fill out and
submit the form. If you cannot set your PIN using the web pages, contact
and request a temporary PIN.
I left my token at home/work/etc. (My dog ate my token.) How do I log in?
They will be able to give you temporary, alternate access while a
replacement token is being sent to you.
How do I return a token I no longer need? Is there any special package requirements or rules when shipping back a token?
For on-site users, return the token via Lab mail to
4-HELP, L-279. For offsite users, send the token through regular US Mail to:4-HELP
PO Box 808
Livermore, CA 94550
If the token has expired or is broken and you are returning it for
disposal, no special packaging is needed. If the token still works,
please wrap it in the equivalent of a couple of sheets of (clean!) facial tissue.
In general, where can I obtain further information regarding tokens?
You can see how the token works by taking a product
tour at http://www.rsasecurity.com/.
In addition, if you have any questions, you can contact
I got a token lock notification, but my token seems to be working. Why?
The token lock reporting mechanism lags behind the
actual lock. It is possible that you have already corrected the problem
before you get the message. Some clients will prompt for a second tokencode
and automatically clear your account when you enter it.
How does my token get out-of-sync with the server?
Each token has its own clock that can drift out of sync
with the servers clock. The server detects and automatically corrects for
a small amount of drift, but a token that is unused for a period of time
(weeks to months) could drift too far for automatic compensation. It is
possible to enter a tokencode 'late' -- if the tokencode is still valid,
the server may assume that the token clock has drifted and apply an
erroneous compensation that affects the next authentication.