OTP Toolkit Home

All Users:
Token Maintenance

Test my OTP token Change your OTP PIN Set your forgotten OTP PIN Unlock your soft-/hard-locked OTP token Change my 5 questions/answers

LC Users Only

Get password

General Info

Frequently Asked Questions

RSA Token Frequently Asked Questions (FAQs)



Q. What is two-factor user authentication?
A. Two-factor authentication uses something you have and something you know. A common example of two-factor authentication is an ATM transaction. The ATM card is something you have, and your PIN is something you know.

Q. What is a static password?
A. A static password is a password that does not change, or is rarely altered. Static passwords provide weak authentication.

Q. What are OTP RSA SecurID tokens?
A. An RSA SecurID token is a hardware device, similar to a pocket watch. It can fit on a key ring or your badge holder. It is lightweight, water resistant, and tamperproof. It has a lifetime of 4 years.
The token generates a new 6-digit number (tokencode) every 30 seconds. This tokencode, along with your PIN, implements a two-factor, one-time, 'passcode' to use when you access the systems.

Q. What is a tokencode? A passcode?
A. A tokencode is the six digit number displayed on the front of your RSA SecurID token. The tokencode for most of the tokens at LLNL changes every 30 seconds. There is an indicator (a stack of six ticks on the left side of the display) which illustrates how much time is left before the tokencode changes. Once you use a tokencode, it becomes invalid. In addition, an unused tokencode "expires" shortly after the display changes.

A passcode is your PIN combined with tokencode. For example: If you have set your PIN to be a3baa3ba and the tokencode displayed on your token is 794573, then your passcode is a3baa3ba794573.

Q. What are the Personal Identification Number (PIN) requirements?
A.Your PIN must:

  • Be 8 characters in length
  • Contain only valid characters:
    • Numbers 0 through 9
    • Letters 'a' through 'z'
  • Be alpha-numeric (ie contain both letters and numbers)
  • NOT contain obvious patterns such as '1111', '2345', 'abcde', etc.
Note: Letters are case insensitive - for example 'ABCD1234', 'abcd1234' and 'AbcD1234' are all equivalent PINs.

Q. What do OTP tokens look like?
A. Below is an image of the most common type of RSA Securid token.
Grey token

Q. When will I have to use the OTP RSA Secure token?
A. An OTP token will be issued to you if you are using a service that requires OTP authentication. You will have ample time to test and be sure that the OTP works. Deployment of OTP tokens has been completed for the LC community and users of Remote Access Services. Other services will follow.

Q. Where can I use my OTP RSA SecurID token?
A. Your token gives you access to the following:
  • All LC systems that previously required a DCE password
  • Remote Access Services (OTS, IPA, VPN, VPN-C, WPC, and WPS-C)
  • Some institutional services
  • Some desktop systems
Q. Will I need to request an OTP RSA SecurID token?
A. No. A token will be issued to you if you are granted access to a service that requires OTP authentication. You will have ample time to test and be sure that the OTP works.

A. Each time you login, you will be prompted for a user name and a password (or passcode). When you use your OTP token to authenticate, your password/passcode is your <PIN><tokencode> (without angle brackets.) The tokencode is the number currently displayed by the OTP token. The passcode must be a single string without spaces. For example: If you have set your PIN to be a3baa3ba and the tokencode displayed on your token is 794573, then your passcode is a3baa3ba794573.

Q. What is the difference between the OTP PIN and a PAC?
A. Your PAC is a complete, static password that can be used for most institutional services. Your OTP PIN is a 8 character alpha-numeric string that must be used with the 'tokencode' produced by your OTP RSA SecurID token

Q. What will I have to do when the OTP RSA SecurID System is implemented?
A. Currently, you are required to know your login name and a password for logins into different systems. These passwords will be replaced by an 8 character PIN, and an OTP token. This token is similar to a secure card (like the CryptoCard), but it is much smaller and more durable. It displays a 6-digit number that changes every 30 seconds. You will use the combination of the PIN plus the 6-digit number instead of the password you are currently using.

Q. What steps should be taken if my token has been stolen or lost?
A. If your token(s) have been lost or stolen, contact OTP Support at 925-422-4090 as soon as you are aware of the loss. The lost or stolen token is put in a disabled state, so it no longer poses a security risk. If necessary, your account can be placed in Emergency Access mode so you can authenticate while a replacement token is shipped to you

Q. I have forgotten my PIN, what are the steps to reset it?
A. You may be able to reset your own PIN. Visit the OTP Set Pin page, fill out and submit the form. If you cannot set your PIN using the web pages, contact OTP Support at 925-422-4090 and request a temporary PIN.

Q. It seems as if my token has stopped working. What should I do?
A. You may visit the Test My OTP Token page to test your token or the OTP Token Diagnostics page to attempt to clear the problem. If you are unsuccessful, contact OTP Support at 925-422-4090.

Q. I left my token at home/work/etc. How do I log in?
A. Contact OTP Support at 925-422-4090. They will be able to give you temporary, alternate access.

Q. My dog ate my token. How do I log in?
A. Contact OTP Support at 925-422-4090. They will be able to give you temporary, alternate access while a replacement token is being sent to you.

Q. How do I return a token I no longer need? Is there any special package requirements or rules when shipping back a token?
A. For on-site users, return the token via Lab mail to 4-HELP, L-279. For offsite users, send the token through regular US Mail to 4-HELP, L-279, PO Box 808, Livermore, CA 94550. If the token has expired or is broken and you are returning it for disposal, no special packaging is needed. If the token still works, please wrap it in the equivalent of a couple of sheets of (clean!) facial tissue.

Q. In general, where can I obtain further information regarding tokens?
A. You can see how the token works by taking a product tour at http://www.rsasecurity.com/
In addition, if you have any questions, you can contact OTP Support at 925-422-4090.

Q. I got a token lock notification, but my token seems to be working. Why?
A. The token lock reporting mechanism lags behind the actual lock. It is possible that you have already corrected the problem before you get the message. Some clients will prompt for a second tokencode and automatically clear your account when you enter it.

Q. How does my token get out-of-sync with the server?
A. Each token has its own clock that can drift out of sync with the servers clock. The server detects and automatically corrects for a small amount of drift, but a token that is unused for a period of time (weeks to months) could drift too far for automatic compensation. It is possible to enter a tokencode 'late' -- if the tokencode is still valid, the server may assume that the token clock has drifted and apply an erroneous compensation that affects the next authentication.

For information about this service contact:
OTP Support (925) 422-4090

Last Updated October 30, 2013 by the OTP Development Team