The Pennsylvania State University - Administrative Information Services, a unit of Information Technology Services

Second Factor Authentication Tokens

Administrative Information Services (AIS) mandates the use of a Second Factor Authentication Token to access centralized administrative systems. These systems are IBIS, ISIS, WebADIS, ADIS, ROSCOE, TESTAIS, and various eLion functions that require faculty input.

Second Factor Authentication Tokens
Why are Second Factor Authentication Tokens used?

A Second Factor Authentication Token is part of a two-level authentication process:

  • The first level is the verification of the user ID and password.
  • The second level is the six-digit number that is generated in a pseudo-random fashion every 60 seconds for the RSA SecurID token. The VASCO token requires you to generate the number by pressing the button on the left side (see picture above).

In addition, the IP address of the machine you are using must be in the AIS IP filter for unencrypted access. Since AIS provides access to essential administrative data, using a Second Factor Authentication Token ensures the integrity of the data and the identity of the user.

In some cases, Data Stewards may require that a Second Factor Authentication Token be used for accessing their specific data elements regardless of read or update access.

When is a Second Factor Authentication Token not required?

A Second Factor Authentication Token is not required when:

  • Updating personal information within the PH Directory. Only a Penn State Access Account is needed.
  • Updating personal information within any of the Office of Human Resources (OHR) Employee Benefits screens.
  • Accessing read-only AIS systems.
What if a Second Factor Authentication Token is going to expire?
  • For the RSA SecurID token, approximately 30 days before your token expires, when you log into AIS, you will receive a message instructing you to order a new token.
  • For the VASCO token, when the remaining battery life approaches 10%, a message will appear when the tokens button is pushed. There is an estimated 2 weeks of usage for every percentage indicated, giving the user sufficient time to replace their token. Expected battery life is 5-7 years
How can a Second Factor Authentication Token be purchased?

Departments that wish to purchase new Second Factor Authentication Tokens can order them online at Penn State's eBuy Web site or directly on the Penn State Computer Store site using a purchasing card.

Faculty and staff can choose to have the tokens delivered at no charge or pick them up at the Computer Store in 12 Willard Building after being notified that the order is ready. Faculty and staff also have the option of purchasing their tokens in person at the Computer Store.

The price is $25 for each token.

What should be done about a malfunctioning Second Factor Authentication Token?

In the event that a Second Factor Authentication Token begins to malfunction with at least 6 months remaining on the expiration date (located on the back of the token), stop by the Computer Store at 12 Willard Building for a replacement, or for additional information, contact the Computer Store at 814-865-2100 or 800-251-9281 or e-mail computerstore@psu.edu. The token should not be returned through inter-office mail. Any token that has been physically damaged will not be replaced.

How should the Second Factor Authentication Token be handled if leaving or transferring?

If you are transferring within the University or leaving the University, the Second Factor Authentication Token should be returned to your ASR or to the person who issued the token to you. The token may be reassigned to another person in the same area. Because the funds used to purchase the token came from a specific department, it must remain in that area. A token may only be assigned to one person at a time.

Who handles the assignment of Second Factor Authentication Tokens?

The AIS Support Center handles the assignment of Second Factor Authentication Tokens to users. This can be done by e-mailing ais-support@psu.edu with the username, user ID, PSU ID, and the token's serial number, or call the Support Center at 814-863-2276.

How does a Second Factor Authentication Token get locked?

The Second Factor Authentication Token is a third means of confirming you are who you are. Much like a password, if the number on the token is entered incorrectly into a system, access will be denied. You are allowed to enter five consecutive incorrect numbers before the token will be locked.

  1. Verify that your "NumLock" key is on.
  2. If still locked, then try re-entering your token number using the numbers located above the letters on your keyboard. If successful:
  3. Click on the "Host Explorer" icon.
  4. Choose "EDIT", and then select "OPTIONS".

    IBIS Log-on Screen
  5. You will see the following screen. Select "TERMINAL", and then "KEYBOARD".

    Session Profile: Terminal Options
  6. You will then see the screen below. Here, make sure that there is not a check in the box labeled "Ignore NumLock State."

    Session Profile: Keyboard Options

Content Questions: AIS Support | Support Questions: AIS Support