Second Factor Authentication Tokens
Administrative Information Services (AIS) mandates the use of a Second Factor Authentication Token to gain access to centralized administrative systems. These systems are any mainframe access, which include IBIS, ISIS, ROSCOE, TESTAIS and web services eISIS, eCOMMERCE Control Center users, CIDR, eLION Faculty, and eLION Adviser.
- Why are Second Factor Authentication Tokens used?
A Second Factor Authentication Token is part of a two-level authentication process:
- The first level is the verification of the user ID and password.
- The second level is the six-digit number that is generated in a pseudo-random fashion every 60 seconds for the RSA SecurID token. The VASCO token requires you to generate the number by pressing the button on the left side (see picture above).
In addition, the IP address of the machine you are using must be in the AIS IP filter for unencrypted access. Since AIS provides access to essential administrative data, using a Second Factor Authentication Token ensures the integrity of the data and the identity of the user.
In some cases, Data Stewards may require that a Second Factor Authentication Token be used for accessing their specific data elements regardless of read or update access.
- When is a Second Factor Authentication Token not required?
A Second Factor Authentication Token is not required when:
- Updating personal information within the PH Directory. Only a Penn State Access Account is needed.
- Updating personal information within the Office of Human Resources (OHR) Employee Benefits system (ESSIC).
- Accessing read-only AIS systems, which includes reporting and recording services such as Data Warehouse, eDDs, EIS, ITWO, and Document Imaging.
- What if a Second Factor Authentication Token is going to expire?
- For the RSA SecurID token, approximately 30 days before your token expires, when you log into AIS, you will receive a message instructing you to order a new token.
- How can a Second Factor Authentication Token be purchased?
Departments that wish to purchase new Second Factor Authentication Tokens can order them online through Penn's State Computer Store, either via Penn State's eBuy Web site or directly on the site using a purchasing card. Tokens will be delivered at no charge.
The price is $25 for each token.
- What should be done about a malfunctioning Second Factor Authentication Token?
In the event that a Second Factor Authentication Token begins to malfunction:
- Purchased less than 1 year ago - Token is malfunctioning. Fill out an RMA form to request a return.
- Purchased 1 or more years ago - The token has expired and needs to be replaced. Please place a new order with Information Technology Services.
- How should the Second Factor Authentication Token be handled if leaving or transferring?
If you are transferring within the University or leaving the University, then the Second Factor Authentication Token should be returned to your ASR or to the person who issued the token to you. The token may be reassigned to another person in the same area. Because the funds used to purchase the token came from a specific department, it must remain in that area. A token may only be assigned to one person at a time.
- Who handles the assignment of Second Factor Authentication Tokens?
The AIS Support Center handles the assignment of Second Factor Authentication Tokens to users. This can be done by e-mailing email@example.com with the username, user ID, PSU ID, and the token's serial number, or call the Support Center at 814-863-2276.
- How does a Second Factor Authentication Token get locked?
The Second Factor Authentication Token is a third means of confirming you are who you are. Much like a password, if the number on the token is entered incorrectly into a system, access will be denied. You are allowed to enter five consecutive incorrect numbers before the token will be locked.
- Verify that your "NumLock" key is on.
- If still locked, then try re-entering your token number using the numbers located above the letters on your keyboard.
- How do I recycle my old token?
Send expired tokens to 147 USB1.