Multi-factor authentication required for offsite access to email and O365

By April 30, 2020, all email account holders and O365 application users who are offsite and not using VPN will be required to use multifactor authentication (MFA) to access their Fermilab email account and O365 applications such as Microsoft Word and Excel.

Due to the high volume of employees who will be impacted by this change, the MFA requirement will be rolled out over a period of several weeks (see schedule at the bottom of this email). You will receive an email from the Service Desk prior to your rollout date. Please note that you will not be prompted for an MFA passcode while on the fgz network, only while offsite and not using VPN.

In the meantime, we strongly encourage you to ensure you possess an RSA token now (instructions below).

What is the impact to you?
Once your group has been switched to use MFA, you will have to use an RSA token when you attempt to access your Fermilab email or O365 application while offsite and without VPN. YubiKeys will not work for accessing email.

What do you need to do?
Obtain an RSA token at your earliest convenience to avoid an interruption in accessing your Fermilab email account while offsite. 

There are two types of RSA tokens:

  • The software token (“soft token”) is an app that you install on your mobile device. The app cannot be installed on a laptop or desktop computer, but you can use the app to generate your passcode regardless of which device you are using to access email.
  • Otherwise, you can use the hardware token (“hard token”), a small hardware device that you can attach to a keychain.

To obtain an RSA soft or hard token:

  • If you would like a soft token, or if you would like a hard token and will not be at the lab within the next several weeks:
      1. Log in to the Service Desk website using your Services account.
      2. In the search box, type “rsa.”
      3. In the search results, click the link, “RSA Token Request.”
      4. Select either a soft or a hard token. (Soft tokens are delivered via email. If you need a hard token and will not be at the lab, you can specify a postal address where it can be mailed.)
  • If you would like a hard token and you are onsite, you can visit the Service Desk on the Wilson Hall ground floor to obtain the token directly.

Read the MFA at Fermilab frequently asked questions at for additional details. How-to documentation is available at (both links require on-site/VPN access).

If you have any questions about this message, please contact the MFA for Email project team via email at


Roll-out schedule

March 17: CCD, OCIO
March 24: SCD
March 31: ND, LBNF
Apr. 7: AD, APS-TD, PIP-II
Apr. 21: PPD, visitors and contractors