Posted Date:December 29, 2014
| Author: | Pamela Eliadis, Service Director, System Operations & Aid Delivery Management, Federal Student Aid |
Subject: TFA Information - Transition to Soft Tokens
We are pleased to announce that an alternative to the Two Factor Authentication (TFA) physical token is now available for users of Federal Student Aid data systems. Instead of using the physical token to generate the One-Time Password (OTP), a user now has the option to use a "soft token." The soft token is an application (app) on the user's mobile device that automatically generates the OTP when the app is opened.
In this announcement, we provide a summary of this convenient alternative for TFA, explain why we highly recommend the transition to a soft token, and provide step-by-step instructions. In addition, we answer commonly-asked questions about switching to a soft token.
Note: We ask that all users consult with their Primary Destination Point Administrator (PDPA) prior to transitioning to a soft token, particularly if the organization has a limit on use of mobile devices in the workplace. If a user receives approval to transition to a soft token, the PDPA must collect and store the unused physical token.
Transition to Soft Tokens – Overview
TFA is the security process through which an authorized user is required to enter two forms of "authentication" to access one of our Federal Student Aid systems. Systems that currently require TFA include the Common Origination and Disbursement (COD) Web site, eCampus-Based (eCB), eCDR Appeals, Experimental Sites, FAA Access to CPS Online, Financial Partners Datamart, National Student Loan Data System (NSLDS) Professional Access, and Student Aid Internet Gateway (SAIG) Enrollment.
TFA requires each authorized user to log in with an FSA User ID and password as well as provide an OTP generated by a registered token device. Since 2011, we have distributed physical "key fob" tokens to users. This kind of token is in the physical possession of the user: to generate an OTP, the user presses the button on the front of the token.
The soft token is an app that runs on the user's mobile device. After downloading and registering the free Symantec VIP Access app on a phone or tablet, a user simply opens the app and an OTP is automatically generated. The app continues to generate an OTP every 30 seconds as long as the app is open, and includes a countdown clock. VIP Access is available for most iOS, Android, Windows, BlackBerry, and BREW-enabled devices.
Transition to Soft Tokens – Recommended for All Users with PDPA Approval
Use of a soft token is optional at this time. However, users who have a compatible mobile device and who have received approval from their PDPA are highly encouraged to transition to the soft token app. A soft token provides the same high level of security as the physical token, while offering greater convenience as there is no additional hardware to carry. In addition, with a soft token a user does not need to be concerned about the token's battery life.
Transition to Soft Tokens – Step-by-Step Instructions
The first attachment to this announcement provides step-by-step instructions for transitioning to a soft token. The information is for users who are currently using a physical token to log in to Federal Student Aid systems and who have received approval from their PDPA to switch to the soft token app.
The second attachment to this announcement provides detailed information on both the soft token app and the physical token, and is aimed at new users of TFA. We recommend that the document is stored by each institution's PDPA and be provided to staff during the enrollment process.
Note: As a reminder, a user must have an FSA User ID and password, prior to registering a token. To obtain an FSA User ID, go to "FSA User ID Registration" on the SAIG Enrollment Web site, provide identifying information, and follow the remaining registration steps. Once the registration process is complete, including establishing a password, the FSA User ID will be e-mailed to the user.
Transition to Soft Tokens – Questions and Answers
We present the remaining key information about the transition to soft tokens in question and answer format below.
Q1: What do I need to do to transition to a soft token?
A1: If you have received approval from your PDPA and are ready to transition from a physical token to a soft token, follow the instructions in the first attachment to this announcement, titled "How to Switch from a Physical Token to a Soft Token." The entire process should take no more than 15-20 minutes, and your new soft token will be ready for immediate use.
If you are a new user of TFA, review the information in the second attachment to this announcement, titled "How to Install and Register a TFA Token for New Users," and consult with your institution's PDPA.
Q2: Can I have more than one soft token (e.g., on a phone and on a tablet), or a physical token and a soft token?
A2: No, each FSA User ID can only be associated with one token (one physical token or one soft token) at a time. When you register your soft token, your physical token will be disabled.
Q3: What do I do with the physical token, once I have transitioned to the soft token?
A3: You must return the physical token to your institution's PDPA for storage or use by another employee. Do not send the physical token back to the Department.
Q4: Can I switch back to a physical token if I need to?
A4: Yes. You will need to re-register the physical token using the "Replace and Register" option in the TFA self service menu. Begin by choosing "Register/Maintain Token" from the login screen of the Federal Student Aid system you need to access and follow the steps. If you need assistance, contact the TFA Support Center at 800/330-5947, option 2 or by e-mail at TFASupport@ed.gov.
Q5: What if I replace my mobile device?
A5: If you replace your mobile device, you will need to download the VIP Access app and complete the registration steps again.
Q6: What if I update the iOS or operating system on my mobile device?
A6: Updating the operating system should not impact your use of the VIP Access app.
Q7: Is there a cost associated with the soft token?
A7: We recommend using Wi-Fi if possible when downloading the VIP Access app to your mobile device. The app is free; however, carrier charges may apply for download and activation. A mobile data plan with Internet access is required. Federal Student Aid is not responsible for any data charges incurred when downloading the app. Once activated, using the VIP Access app does not transfer data to or from your mobile device.
Q8: What if I do not have a compatible mobile device?
A8: We will continue to provide physical tokens to users who do not have a compatible mobile device or who cannot use a soft token for other reasons, such as a workplace limit on use of mobile devices.
Contact Information
If you have questions about TFA or the use of a soft token, contact the TFA Support Center at 800/330-5947, option 2 (TDD/TTY 800/511-5806) or by e-mail at TFASupport@ed.gov.
For questions specific to downloading or installing an application on your mobile device, we recommend you contact the manufacturer or vendor of the device.