Beginning Monday, Aug. 5, all Fermilab VPN users will be required to use multifactor authentication via a YubiKey or an RSA token.
If you do not have a YubiKey or RSA token, you must get one immediately in order to use VPN beginning Aug. 5.
Your options are:
- YubiKey: a hardware device that you can plug into a USB port. YubiKeys are restricted to Fermilab employees. Citrix portal users who use a YubiKey to access business and financial applications may also use the YubiKey to access VPN.
  o To obtain a YubiKey: visit the Fermilab Service Desk on the Ground Floor of Wilson Hall. Be sure to bring your Fermilab ID badge.
- RSA soft token: an app token that is installed on your cell phone (there is no app for laptops or desktops). NOTE: While the soft token is installed on your cell phone, you would continue to access the VPN system the same way you do today, using your PC, desktop computer, tablet or phone.
- RSA hard token: a battery-powered device that displays a unique number every 60 seconds.
  o To obtain an RSA soft or hard token:
    1. Log in to the Service Desk web portal, https://servicedesk.fnal.gov, with your Services account.
    2. In the search box, type “rsa.”
    3. Click “RSA Token Request.” There will be options to request either a soft token (which will be emailed to you) or a hard token (which you need to pick up at the Service Desk or, if you are a remote user, have sent to a mailing address you specify).
Instructions for using your YubiKey or RSA token to access the Fermilab VPN system are available in the article at https://fermi.service-now.com/wp?id=kb_article&sys_id=KB0013046
Additional how-to documentation:
- How to install an RSA token on an iOS (iPad or iPhone), Android and Windows mobile device
- How to connect to Fermilab VPN using an RSA token or a Yubikey
- YubiKey Setup and Diagnostic Guide for Windows (for lab employees who also access financial or HR data via Citrix portal)
- YubiKey Setup and Diagnostic Guide for macOS (for lab employees who access financial or HR data via Citrix portal)
- Fermilab certificates for non-centrally managed Mac users (for Mac users whose machines are not managed by Fermilab technical support; additional certificates must be installed in order for you to use the VPN system beginning Aug. 5)
The MFA at Fermilab website (available on-site or via VPN) also has FAQs.
If you have any questions about this announcement, email email@example.com.