Skip to main content

Resetting Your Multi-Factor Authentication (MFA)

User Roles:

AM

AR

AC

D

Program Components:

User Management

Activating and maintaining Multi-Factor Authentication (MFA) for your RDS Secure Website user account is critical to ensuring your Plan Sponsor meets its Application and Reconciliation Deadlines and experiences all the benefits of participating in the RDS Program.

Individuals are responsible for maintaining and protecting their RDS Secure Website account access. Updated Federal security policies require that each RDS Secure Website account must activate Multi-Factor Authentication (MFA) prior to accessing the RDS Secure Website. Users must enter their Login ID, Password, and MFA token to access the Secure Website. 

Federal Security Regulations require that a user log in to CMS' RDS Secure Website (SWS) at least once every 180 days to maintain an active account. Active user accounts are required to perform many tasks in the RDS Program, such as completing and submitting applications and completing Reconciliation.  

MFA may only be configured on one device at a time, such as a smart phone or tablet. If you have a new device that you need to sync to the RDS Secure Website, or your current MFA is no longer working, you’ll need to reset MFA. For detailed guidance on how to reset MFA, refer to the instructions below that are associated with the type of device you are using.  

You may also refer to the illustrated step-by-step instructions in the MFA User Guide section.

Included in this Technical Article are the following topics:

IMPORTANT: Please note that the exact steps and icons displayed on your device may vary depending on the version of the phone or version of Google Authenticator you are using. Please refer to the online instructions associated with your exact device as needed.

How to Reset MFA on an Apple/iOS Device After it’s Been Activated

Resetting MFA consists of three steps:

  1.    Removing any previous RDS account from within Google Authenticator
  2.    Account Verification
  3.    Resetting MFA

Note: Do not uninstall the Google Authenticator app from your device to reset your MFA. You only need to delete the RDS account entry from Google Authenticator using the instructions below.

Step 1: Removing RDS Account from Google Authenticator

  • 1a. Open Google Authenticator (GA).
  • 1b. Tap the pencil icon to enter edit mode.
  • 1c. Tap the existing RDS account entry so that a red check mark appears in the circle to the left of the entry.
  • 1d. Tap Delete at the bottom of the screen.
  • 1e. Tap ‘Remove Account’ from the confirmation window to confirm deletion of the account.
  • 1f. Tap the check mark at the top right of the screen to leave edit mode.

Step 2: Account Verification

  • 2a. Go to the RDS Program Website: https://www.rds.cms.hhs.gov/
  • 2b. Select the Manage MFA Settings button at the top right of the page.
  • 2c. On the Validate Person Information page:
    • i. Enter your Email Address currently on file with RDS.
    • ii. Enter your Date of Birth.
    • iii. Enter your United States Social Security Number.
    • iv. Click Continue.

Step 3: Resetting MFA

  • 3a. On the Manage Multi-Factor Authentication Settings page, select the Setup Google App button from the Reset Google Authenticator Settings section. A new QR code (the black and white square pattern) will display on the page.
  • 3b. While you’re on the Activate Multi-Factor Settings page, open the Google Authenticator app on your device.
  • 3c. Within the Google Authenticator app on your device, tap the plus (‘+’)  sign.
  • 3d. Select ‘Scan barcode’ and hold your device up to the computer screen so that the QR code is within the camera window.
    • If you're having trouble scanning the QR code with your device, tap 'Manual entry'.
      • i. Manually type a name for the new entry into the ‘Account’ area (this can be whatever you want, but we suggest 'RDS_SWS').
      • ii. Manually type the Secret Key that’s displayed on the screen into the ‘Key’ area of your app.
      • iii. Make sure ‘Time based’ is turned on (the button is blue and positioned toward the right of the indicator bar).
  • 3e. The Google Authenticator app will create a new ‘RDS_SWS’ entry within the app (the exact name of the entry may vary depending on the versions you are using and if you customize the account name, but they all generally indicate the RDS SWS in some fashion).
    • This entry will display a unique 6-digit token that automatically changes every 30 seconds—this is your MFA token!
  • 3f. Type the 6-digit token from your device into the Google Authenticator Token field in the Secure Website and click Activate. Do not enter any spaces; enter only the six numeric digits, e.g., 123456.
    • The token changes every 30 seconds. Make sure that when you enter the 6-digit token into the Google Authenticator Token field of the Secure Website, the number on your device hasn’t already changed to a new one. If it has, you need to enter that new number, and so on. Consider waiting until the number just changes, so you have the full 30-second window to work with.
    • If you receive an error on the code validation, you can use the Time sync feature on the Authenticator app to ensure your device clock is in-sync with Google’s clock. For Apple users refer to https://support.apple.com/en-us/HT203483.
  • 3g. After you enter the 6-digit token, without spaces, into the Google Authenticator Token field and it is accepted, you’ll get a Google Authenticator Activation Successful pop-up window (we do not send a confirmation email). You’re done! You can click Continue and log into the Secure Website immediately with your new token!

Remember…when you log in:

  1. Enter your Login ID.
  2. Carefully enter your current Password.
  3. Open Google Authenticator on your device.
  4. Find the RDS account entry and type the 6-digit token that’s displayed into the MFA Token field. 
  5. Click Login while the token is still displayed (if it changes, enter the new token and click Login); don’t enter any spaces. You might want to wait until the number just changes, so you have the full 30-second window to work with.
  6. Get to work!

Note: The user account is locked after multiple incorrect attempts to enter the Login information. To reset a Password, refer to Change Password if Account is Locked. Passwords can be changed five (5) times in a 24-hour period. If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.

How to Reset MFA on an Android Device After it’s Been Activated

Resetting MFA consists of three steps:

  1.  Removing any previous RDS account from within Google Authenticator
  2.  Account Verification
  3.  Resetting MFA

Note: Do not uninstall the Google Authenticator app from your device to reset your MFA. You only need to delete the RDS account entry from Google Authenticator using the instructions below.

Step 1: Removing RDS Account from Google Authenticator

  • 1a. Open Google Authenticator (GA).
  • 1b. Find the RDS account entry and hold your finger on it until the phone vibrates. 
  • 1c. Click the trashcan icon.
  • 1d. Tap 'Remove Account' from the confirmation window to confirm the removal of the account and to leave edit mode.

Step 2: Account Verification

  • 2a. Go to the RDS Program Website: https://www.rds.cms.hhs.gov/
  • 2b. Select the Manage MFA Settings button at the top right of the page.
  • 2c. On the Validate Person Information page:
    • i. Enter your Email Address currently on file with RDS.
    • ii. Enter your Date of Birth.
    • iii. Enter your United States Social Security Number.
    • iv. Click Continue.

Step 3: Resetting MFA

  • 3a. On the Manage Multi-Factor Authentication Settings page, select the Setup Google App button from the Reset Google Authenticator Settings section. A new QR code (the black and white square pattern) will display on the page.
  • 3b. While you're on the Activate Multi-Factor Settings page, open the Google Authenticator app on your device.
  • 3c. Within the Google Authenticator app on your device, tap the plus ('+') sign.
  • 3d. Select 'Scan a QR barcode' and hold your device up to the screen so that the QR code is within the camera window and tap ADD ACCOUNT.
    • If you're having trouble scanning the QR code with your device, tap ‘Enter a setup key’ after you click the plus ('+') sign.
      • i. Manually type a name for the new entry into the ‘Account’ area (this can be whatever you want, but we suggest 'RDS_SWS').
      • ii. Manually type the Secret Key that’s displayed on the screen into the ‘Key’ area of your app.
      • iii. Make sure ‘Time based’ is turned on (the button is blue and positioned toward the right of the indicator bar).
  • 3e. The Google Authenticator app will create a new ‘RDS_SWS’ entry within the app (the exact name of the entry may vary depending on the versions you are using and if you customize the account name, but they all generally indicate the RDS SWS in some fashion).
    • This entry will display a unique 6-digit token that automatically changes every 30 seconds—this is your MFA token!
  • 3f. Type the 6-digit token from your device into the Google Authenticator Token field in the Secure Website and click Activate. Do not enter any spaces; enter only the six numeric digits, e.g., 123456.
    • The token changes every 30 seconds. Make sure that when you enter the 6-digit token into the Google Authenticator Token field of the Secure Website, the number on your device hasn’t already changed to a new one. If it has, you need to enter that new number, and so on. Consider waiting until the number just changes, so you have the full 30-second window to work with.
    • If you receive an error on the code validation, you can use the Time sync feature on the Authenticator app to ensure your device clock is in-sync with Google’s clock. For Android users refer to https://support.google.com/accounts/answer/2653433?hl=en.
  • 3g. After you enter the 6-digit token, without spaces, into the Google Authenticator Token field and it’s accepted, you’ll get a Google Authenticator Activation Successful pop-up window (we do not send a confirmation email). You’re done! You can click Continue and log into the Secure Website immediately with your new token!

Remember…when you log in:

  1. Enter your Login ID.
  2. Carefully enter your current Password.
  3. Open Google Authenticator on your device.
  4. Find the RDS account entry and type the 6-digit token that’s displayed into the MFA Token field. 
  5. Click Login while the token is still displayed (if it changes, enter the new token and click Login); don’t enter any spaces. You might want to wait until the number just changes, so you have the full 30-second window to work with.
  6. Get to work!

Note: The user account is locked after multiple incorrect attempts to enter the Login information. To reset a Password, refer to Change Password if Account is Locked. Passwords can be changed five (5) times in a 24-hour period. If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.

Thank you for your continued participation in the RDS Program! For additional support, please contact CMS’ RDS Center.

Page last updated:

Related Content