Question 1. What Is Two Factor Authentication (2fa) And Why Do I Need It?
2FA is a method for providing increased security for access to computing resources. Homeland Security Presidential Directive 12 (HSPD12) requires that federal computing resources be secured via 2FA.
The two factors are:
- ‘Something you know’, such as a PIN number.
- ‘Something you have’, such as a hardware security token or smartcard.
Question 2. Who Needs A Token?
Tokens are required for all JSC/WSTF VPN users wishing to sign in with an RSA Token. This includes people connecting to the Center using Pulse Secure.
Question 3. How Do I Get An Rsa Token?
If you are a NEW VPN user, you will need to enter a Request in the NAMS for an RSA Token, as well as request the JSC/WSTF VPN permissions to be added to your NDC domain account.
ACES will notify you by email when your token is available for pick-up from the JSC/WSTF Service Center. If not picked up within 30 days, your token will be recycled and a new request will need to be submitted to request a new RSA Token.
Question 4. What Is Rsa?
RSA is a leading security vendor that provides hardware tokens for 2FA (two factor authentication). RSA SecurID is the method NASA chose for implementing 2FA on servers and other computing resources the user does not have direct physical access to.
Question 5. What Obligations And Responsibilities Come With My Token?
Nasa Procedural Requirements (NPR 2810.1A)
JSC I/T Security Handbook (ITS-HBK 2810.15-01A)
Question 6. How Do I Get Help If I Have A Problem Using My Token?
JSC VPN users and System Administrators that have operational responsibility for a specific server with 2FA can call the Enterprise Service Desk at 281-483-4800, option 2, or create a ticket in ESD My Tickets for assistance troubleshooting tokens and the RSA server client.
ORG users with non-TFTI issued tokens should call their normal System Administrator. They will help you get access to the server.
Question 7. What Do I Do If I Lose/misplace My Token?
If the user loses or misplaces their token they are obligated to immediately call the Enterprise Service Desk at 1-877-677-2123 and report it as missing. ACES will temporarily disable the token. The user will need to submit a new request for a replacement token being sure to include the ESD Ticket number in the request. See “How to Request a Replacement RSA Token.”
Question 8. What Do I Do If When I Find My Lost Token?
Please return it to the JSC RSA representative, Bldg 8 or WSTF Service Center.
Question 9. What Do I Do If I Forget My Pin Number?
Contact the Enterprise Service Desk at 1-877-677-2123, opt 2, or create a ticket in ESD My Tickets.
Question 10. How Long Will The Battery Last On My Token?
On the back of your token is an expiration date. The token will shut off approximately on that date. The token will no longer authenticate on or past that date.
Question 11. I Have Been Told My Token Is In Next Token Mode. What Does This Mean?
This can occur when your ID has failed to authenticate more than the preset number of times (the wrong passcode has been entered). This also occurs on random occasions even if you have previously authenticated so the system can validate the token is still in your possession.
- When you are prompted for the Next Token code
- Wait for the tokencode to change on your token.
- Enter ONLY the token code. Do not enter your PIN+tokencode.
Question 12. I Just Received A New Token, And It Is In New Pin Mode. What Does This Mean?
You are in New PIN mode because your token is not yet associated with a PIN, which is required for two-factor authentication. All new tokens will be in this mode, even replacement tokens.
How to create your own PIN:
- Please go to https://agencytokens.nasa.gov
- Using your NEW token, enter only the token code. Do Not Enter Your Pin.
- You will be prompted to create a new pin.
- Please create an 8 character alphanumeric PIN. Do not use special characters. Do not enter more than an 8 character alphanumeric PIN.
- Once a new PIN has been created the system will ask you to authenticate using the PIN and tokencode.
- You can then return to VPN login site.
- If your token is about to expire and you received a new token, please turn the token into the point of contact that issued your replacement token or drop the token off to JSC RSA Support representatives at Bldg 8. (WSTF users at the ACES center POC Martin Seeley).
Question 13. I Logged On To The Jsc Vpn And It Says “new Pin Required”. What Does This Mean?
You have been asked to create a new Personal Identification Number (PIN) before you can sign in. This is likely due to your previous PIN requiring a change to meet NASA PIN policy requirements.
How to create your new PIN that meets agency requirements:
- The PIN must be EXACTLY eight characters in length
- The PIN must be alpha-numeric (containing BOTH letters and numbers and is not case-sensitive)
- The PIN must NOT contain any special characters
- To continue logging in, please wait for the code on your SecurID token to change and then enter your NEW PIN followed by the SecurID token code when logging in again with your Username (and Password if required).
Question 14. I Have More Than One Token, All But One Has Been Disabled How Might This Have Happened?
When a user has more than one token, any login failure will account against all the tokens assigned to the user. A successful login will clear the failure counter against only the token being used. Over time, it is possible that the failure count on 1 or more tokens has accumulated without a corresponding successful login which will result in those tokens being disabled. It is recommended that a failure to login with one token should be followed up by logging in successfully on all other tokens you have assigned to your profile.
Question 15. My Token Is Not Working On A Server I Have Access To. Who Should I Contact?
Contact the administrator of the system you need access to.
Question 16. What Do I Do If My Token Is Damaged Or Stops Working?
- Take the token to the JSC RSA Support representatives at Bldg 8. The RSA RA’s will determine if it needs to be replaced.
- If the token needs replacement, a new token will be issued.
- If not, they will get it working again (physical operation issues only).
Question 17. Are Pins Alphanumeric Or Numeric?
Both; PINs must be exactly eight (8) characters, alphanumeric, and must contain at least one letter. Do not use special characters.
Question 18. What Pin Length Is Used?
PINs must be exactly eight (8) characters.
Question 19. My Token Only Works About Every 60 Seconds. What Is Wrong?
Token codes cannot be re-used. The Token hardware cycles those codes every 60 seconds. Once a code has been used you must wait for the display to change the tokencode in order to login elsewhere.
Question 20. A User With A Token Is Leaving Employment, What Should Be Done With The Token?
All Government equipment must be turned in when leaving employment, including RSA tokens. IRD RSA tokens should be returned by the parent organization to the JSC RSA Support representative, Bldg.8. ACES will need to remove all user account information from the token. There are rare exceptions for some offsite users when tokens are reassigned. If you have any questions or concerns about the process, please contact the Enterprise Service Desk, 877-677-2123, opt 2, or create a ticket in ESD My Tickets.
Question 21. What Is The Process For Shipping A Token To A Remote Us Citizen Located Within The Country?
ACES will ship tokens but not internationally. Users that are close enough to drive on-site will not be mailed a token.
Question 22. If A Token Leaves A Distributers Control Does It Need To Be Disabled?
Yes. NASA requires that all tokens being shipped be disabled. An example would be if a token needs to be mailed to an off-site user. Also, if you are requesting a token for another user please make it clear in the request that the token is being shipped so the token can be disabled before shipment.
Question 23. How Do You Re-enable A Token?
A user with a disabled token should contact the Enterprise Service Desk at 1-877-677-2123, opt 2, or create a ticket in ESD My Tickets to enable the token. If you are responsible for shipping a token to a user, please make sure it’s disabled and coordinate with the user so that they know to contact the Enterprise Service Desk to enable the token before trying to use it.
Question 24. Can I Hand Deliver Rsa Tokens To Us Citizens Stationed Abroad?
Yes. If authorized by the associated security official (OCSO) to sign for and pick up the tokens, a US citizen can hand deliver tokens to US citizens stationed abroad as long as they maintain custody to the final destination (end user).
Question 25. Can I Use My Rsa Token At Other Nasa Centers?
If you are visiting another NASA center, you can use your TFTI RSA token at NASA centers that allow institutional Two Factor Token Infrastructure (TFTI) RSA token access to resources your token currently allows access to.
If you are moving to another NASA center, you will need to return your TFTI RSA token to the issuing center.
Networking Interview Questions
Active Directory Interview Questions
Scrum Interview Questions
RSA Archer GRC Interview Questions
Desktop Support Interview Questions
Networking Interview Questions
Virtual Private Network (VPN) Interview Questions
Active Directory Interview Questions
Scrum Interview Questions