We would like to remind professional users of Federal Student Aid (FSA) systems and websites that Two-Factor Authentication (TFA) tokens, which generate the one-time passcode (OTP) required to log in to many FSA systems and websites, must not be shared. One authorized user—identified by a unique FSA User ID—is permitted per token.
In the near future, we will send an email to the Primary Destination Point Administrator (Primary DPA) at each institution that appears to have users sharing TFA tokens. The email will include detailed instructions for the Primary DPA to follow to resolve the issue and will provide contact information if the Primary DPA has questions.
If steps are not taken by the Primary DPA in response to the email, we will remove users from tokens that are being shared by multiple FSA User IDs. Until another token is provided to and registered by each individual user, access to Federal Student Aid systems will be lost.
Note: In most cases, a TFA token that has multiple FSA Users IDs assigned to it is not being shared by multiple users but appears to be, either due to the token being inherited by a new employee, an employee changing his or her name, or other more uncommon situations. The Primary DPA should work with us to determine the best solution for these situations and ensure only one authorized user is registered to each TFA token.
Requesting Additional Tokens
After reviewing the email and ensuring tokens are not being shared by the institution’s users, the Primary DPA may need additional tokens. Instructions for requesting additional tokens will be included in the email. As a reminder, please allow 5-10 business days for shipping.
Alternatively, users have the option to use a "soft token." The soft token is an application (app) installed on the user's smart phone. For more information on this alternative, refer to the December 29, 2014 Electronic Announcement on the Information for Financial Aid Professionals (IFAP) website.
Note: Some institutions limit the use of mobile devices in the workplace. Users should always first consult with their Primary DPA, prior to transitioning to a soft token.
Contact Information
We appreciate the attention of Federal Student Aid system users to this important reminder. If you have questions, please send an email to TFA_Communications@ed.gov.