Multi-factor Authentication


  • What is Two Factor Authentication (2FA) and why do I need it?

    2FA is a method for providing increased security for access to computing resources. The two factors are:

    • 'Something you know', such as a PIN number.
    • 'Something you have', such as a hardware security token.
  • Who Needs a Token?
    Answer: Tokens are required for all State of Connecticut VPN users wishing to sign in with an RSA Token. This includes agency Vendors and Consultants.
  • How do I get an RSA token?
    Answer: To request Secure Remote Access, you will need to contact your agency VPN liaisons. Work with the agency Project Manager for VPN access service to the State of Connecticut Network.
  • What is RSA?
    Answer: RSA is a security vendor that provides hardware and software tokens for 2FA (two factor authentication). RSA SecureID is the method the State of Connecticut chose for implementing 2FA on servers and other computing resources that the user cannot directly access.
  • What obligations and responsibilities come with my token

    Obligations and responsibilities that come with the token include:

    • Security on any computer system is a high priority
    • Sharing your access credentials and VPN tokens with anyone is prohibited.
  • How do I get help if I have a problem using my token?
    Answer: For issues please contact your agency liaison first.
  • What do I do if I lose/misplace my token?
    Answer: If the user loses or misplaces their token they are obligated to immediately call the VPN liaison for your agency and report it as missing. The liaison will request that the token is temporarily disabled. The liaison will need to submit a new request for a replacement token.
  • What do I do if/when I find my lost token?
    Answer: Notify your VPN liaison that your token was found.
  • What do I do if I forget my PIN number?
    Answer: Contact your agency VPN liaison(s).
  • How long will the battery last on my token?
    Answer: On the back of your token is an expiration date. The token will shut off approximately on that date. The token will no longer authenticate on or past that date.
  • I have been told my token is in Next Token Mode. What does this mean?

    This can occur when your ID has failed to authenticate more than 3 times (the wrong passcode has been entered). This also occurs on random occasions even if you have previously authenticated so the system can validate the token is still in your possession.

    • When you are prompted for the Next Token code:
      • Wait for the tokencode to change on your token.
      • Enter ONLY the token code. Do not enter your PIN+tokencode.
  • I just received a new token and it is in NEW PIN MODE. What does this mean?
    Answer: You are in New PIN mode because your token is not yet associated with a PIN, which is required for two-factor authentication. All new tokens will be in this mode, even replacement tokens.
  • How to create your own PIN:

    To create your PIN:

    • Your VPN liaison will provide you a link to follow to create your PIN
    • Using your NEW token, enter only the token code. Do Not Enter Your Pin.
    • You will be prompted to create a new pin.
      • Please create an 8 character alphanumeric PIN. Do not use special characters. Do not enter more than an 8 character alphanumeric PIN.
      • Once a new PIN has been created the system will ask you to authenticate using the PIN and token code. 
      • You can then return to VPN login site.
    • If your token is about to expire and you received a new token, please turn the token into the point of contact that issued your replacement token.
  • I logged on to the VPN and it says New PIN Required. What does this mean?

    You have been asked to create a new Personal Identification Number (PIN) before you can sign in. This is likely due to your previous PIN requiring a change to meet PIN policy requirements.

    • How to create your new PIN that meets agency requirements:
      • The PIN must be EXACTLY eight characters in length
      • The PIN must be alpha-numeric (containing BOTH letters and numbers and is not case-sensitive)
      • The PIN must NOT contain any special characters
      • To continue logging in, please wait for the code on your SecurID token to change and then enter your NEW PIN followed by the SecurID token code when logging in again with your Username (and Password if required).
  • I have more than one token all but one has been disabled how might this have happened?
    Answer: When a user has more than one token, any login failure will account against all the tokens assigned to the user. A successful login will clear the failure counter against only the token being used. Over time, it is possible that the failure count on 1 or more tokens has accumulated without a corresponding successful login which will result in those tokens being disabled. It is recommended that a failure to login with one token should be followed up by logging in successfully on all other tokens you have assigned to your profile.
  • My token is not working on a server I have access to. Who should I contact?
    Answer: Contact you VPN liaison or the administrator of the system you need access to.
  • What do I do if my token is damaged or stops working?

    Contact your agency VPN liaison.

    • If the token needs replacement, a new token will be issued.
  • Are PINs alphanumeric or numeric?
    Answer: Both; PINs must be exactly eight (8) characters, alphanumerical, and must contain at least one letter. Do not use special characters.
  • What PIN length is used?
    Answer: PINs must be exactly eight (8) characters.
  • My Token only works about every 60 seconds. What is wrong?
    Answer: Token codes cannot be re-used. The Token hardware cycles those codes every 60 seconds. Once a code has been used you must wait for the display to change the tokencode in order to login elsewhere.
  • A user with a token is leaving employment what should be done with the token?
    Answer: All State of CT equipment must be turned in when leaving employment, including RSA tokens. RSA tokens should be returned to the VPN liaison or Support representative.
  • What is the process for shipping a token to a remote US citizen located within the country?
    Answer: This is handled at the issuing agency’s discretion.
  • How do you re-enable a token?
    Answer: A user with a disabled token should contact their agency VPN liaison.