This page contains answers to Common Questions about Multi-Factor Authentication (MFA).
- Is MFA required?
- When will MFA be required to log into the Secure Website?
- How do I activate MFA?
- The system isn't recognizing my Secure Website account. How do I resolve this issue?
- Can I use a token generator other than Google Authenticator?
- How do I get the Google Authenticator App?
- I don't have an Android or iOS device. How do I activate MFA?
- The Secure Website QR code won't scan. Is there an alternative?
- Can I activate MFA on multiple devices?
- The Google Authenticator token is not being accepted by the Secure Website.
- I re-registered and have a new Secure Website account; do I need to activate MFA again?
- How do I reset my MFA configuration?
- What is a text-enabled device?
- How do I change the text-enabled device number I already provided?
- What is a one-time token?
- I provided a text-enabled number but haven't received the Verification Code. What do I need to do?
- Do one-time tokens expire?
- Is there a limit to the number of times I can use a one-time token?
Is MFA required?
ANSWER: Yes, updated Federal security policies require that each RDS Secure Website account must activate Multi-Factor Authentication (MFA) prior to accessing the RDS Secure Website. Beginning in August 2019, you will be required to enter the time-sensitive unique token generated by Google Authenticator, in addition to your RDS Login ID and Password, to access the RDS Secure Website.
MFA activation only needs to be completed once for each new Secure Website Account, unless you are setting up a new MFA device or you need to reset your MFA token. Ensure you have received the registration confirmation email before activating MFA; you must have an active and valid RDS Secure Website account prior to activating MFA.
Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-1
Date Posted: 5/24/2019
Date Updated: 8/16/2019
When will MFA be required to log into the Secure Website?
ANSWER: Beginning in August 2019, you will be required to enter the time-sensitive unique token generated by Google Authenticator, in addition to your RDS Login ID and Password, to access the RDS Secure Website.
Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-2
Date Posted: 5/24/2019
Date Updated: 8/16/2019
How do I activate MFA?
ANSWER: You may activate MFA for your RDS Secure Website account by selecting the hyperlink in your registration confirmation email or by navigating to the RDS Program Website and selecting the Manage MFA Settings button.
MFA activation only needs to be completed once for each new Secure Website Account, unless you are setting up a new MFA device or you need to reset your MFA token. Ensure you have received the registration confirmation email before activating MFA; you must have an active and valid RDS Secure Website account prior to activating MFA.
Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information.
Refer to Multi-Factor Authentication or the MFA Activation Quick Start Guide for additional information.
Answer ID: 8000-3
Date Updated: 4/15/2022
The system isn't recognizing my Secure Website account. How do I resolve this issue?
ANSWER: Ensure you are entering your personal information exactly as it was entered during Registration. MFA activation only needs to be completed once for each new Secure Website Account, unless you are setting up a new MFA device or you need to reset your MFA token. Ensure you have received the registration confirmation email before activating MFA; you must have an active and valid RDS Secure Website account prior to activating or managing MFA.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-4
Date Posted: 5/24/2019
Date Updated: 8/16/2019
Can I use a token generator other than Google Authenticator?
ANSWER: No, the Google Authenticator App is the only third-party token generator that can be used for the RDS Secure Website. You may download the Google Authenticator App for an Android or iOS device. Download and install the Google Authenticator App from your device's App Store. Refer to the installation instructions associated with your chosen device for assistance. The download links within the Activate Multi-Factor Settings page will take you to an external page not controlled by RDS.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-5
Date Posted: 5/24/2019
Date Updated: 8/16/2019
How do I get the Google Authenticator App?
ANSWER: You may download the Google Authenticator App for an Android or iOS device. Download and install the Google Authenticator App from your device's App Store. Refer to the installation instructions associated with your chosen device for assistance. The download links within the Activate Multi-Factor Settings page will take you to an external page not controlled by RDS.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-6
Date Posted: 5/24/2019
Date Updated: 8/16/2019
I don’t have an Android or iOS device. How do I activate MFA?
ANSWER: Updated Federal security policies require that each RDS Secure Website account must activate Multi-Factor Authentication (MFA) prior to accessing the RDS Secure Website. Beginning in 2019, you will be required to enter the time-sensitive unique token generated by Google Authenticator, in addition to your RDS Login ID and Password, to access the RDS Secure Website. Android and iOS devices are the only device options CMS' RDS Center recommends for Google Authenticator.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-7
Date Posted: 5/24/2019
Date Updated: 8/16/2019
The Secure Website QR code won't scan. Is there an alternative?
ANSWER: Ensure you allow Google Authenticator access to your device's camera. Refer to the instructions associated with your chosen device for assistance. If you have a problem with scanning the QR code, select the Having trouble scanning the barcode box within the Activate Multi-Factor Settings page and manually enter the Secret Key into your Google Authenticator app.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-8
Date Posted: 5/24/2019
Date Updated: 8/16/2019
Can I activate MFA on multiple devices?
ANSWER: No, MFA may only be activated on a single device at a time. If you performed a factory reset of your MFA device or you need to activate your MFA with a new device, select the Manage MFA Settings button from the RDS Program Website, enter your registered information, and select the Setup Google App button on the Manage Multi-Factor Authentication Settings page to reset your MFA activation. A new QR code and associated Secret Key will be generated for you to enter into your device's Google Authenticator App. Any tokens generated by previous installations of Google Authenticator in the original or other devices will no longer work.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-9
Date Posted: 5/24/2019
Date Updated: 8/16/2019
The Google Authenticator token is not being accepted by the Secure Website.
ANSWER: Ensure you enter the Google Authenticator token exactly as it is displayed in your device's app. Ensure the token is still displayed on your device and hasn't expired and changed to a new token when you select the Activate button.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-10
Date Posted: 5/24/2019
Date Updated: 8/16/2019
I re-registered and have a new Secure Website account; do I need to activate MFA again?
ANSWER: Yes, just as each new account requires users to re-register, each unique RDS Secure Website account must activate MFA, even if the Secure Website role type associated with the new account is the same as the previous. Activation only needs to be completed once for each new Secure Website Account, unless you are setting up a new MFA device or you need to reset your MFA token. Ensure you have received the registration confirmation email before activating MFA; you must have an active and valid RDS Secure Website account prior to activating MFA.
Refer to Multi-Factor Authentication or the MFA Activation Quick Start Guide for additional information.
Answer ID: 8000-11
Date Updated: 4/15/2022
How do I reset my MFA configuration?
ANSWER: If you performed a factory reset of your MFA device or you need to activate your MFA with a new device, select the Manage MFA Settings button from the RDS Program Website, enter your registered information, and select the Setup Google App button on the Manage Multi-Factor Authentication Settings page to reset your MFA activation. A new QR code and associated Secret Key will be generated for you to enter into your device's Google Authenticator App. Any tokens generated by previous installations of Google Authenticator in the original or other devices will no longer work.
Refer to Multi-Factor Authentication or the MFA Reset Quick Start Guide for additional information.
Answer ID: 8000-12
Date Updated: 4/15/2022
What is a text-enabled device?
ANSWER: A text-enabled device is any device that has the capability to receive text (SMS) messages for user account management purposes, such as one-time tokens for Multi-Factor Authentication (MFA) and notifications for Request Forgotten Login ID, Forgot Password, Change Password If Account Is Locked, and Enable Your User Account. Registering a text-enabled device number during MFA activation is optional. However, if you do not register a text-enabled device with your RDS user account, one-time tokens and user account management notifications cannot be provided to you via SMS (text) message. For SMS (text) messages, there is no charge from CMS' RDS Center, however standard rates from your carrier may apply. Refer to your device's plan for guidance.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-13
Date Posted: 5/24/2019
Date Updated: 12/14/2023
How do I change the text-enabled device number I already provided?
ANSWER: In order to modify the text-enabled device number associated to your registered RDS Secure Website account, navigate to the RDS Program Website and select the Manage MFA Settings button. You will be prompted to provide your current, registered account information. After your user account has been successfully validated, follow the prompts to provide your new text-enabled device number.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-14
Date Posted: 5/24/2019
Date Updated: 8/16/2019
What is a one-time token?
ANSWER: A one-time token is a six-digit token that can be sent to your registered email address or registered text-enabled device in the event that your RDS MFA device is lost, damaged, or not working, and you are unable to reset your MFA configuration and need immediate access to the RDS Secure Website. One-time tokens expire 10 minutes after the request is made; if the token expires, users must request a new token.
Providing a text-enabled device number is optional. However, if you do not register a text-enabled device with your RDS user account, a one-time token cannot be provided to you via text (SMS) message. For text (SMS) messages, there is no charge from CMS' RDS Center, however standard rates from your carrier may apply. Refer to your plan for guidance.
One-time tokens are only to be used in cases of emergencies, when immediate access to the RDS Secure Website is necessary but you are not able to use Google Authenticator. One-time tokens cannot be the primary, recurring method of accessing the RDS Secure Website. Consequently, users can only use one-time tokens three consecutive times to log into the Secure Website. After three uses, users must use Google Authenticator to log in, at which time their one-time token use is reset back to zero.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-15
Date Posted: 5/24/2019
Date Updated: 8/16/2019
I provided a text-enabled number but haven’t received the Verification Code. What do I need to do?
ANSWER: Ensure your device is permitted to receive SMS (text) messages. Within the Text-Enabled Number pop-up window, enter your text-enabled device number and select the Send Verification Code button. Enter the verification code that is sent to your device and select Submit. The code may take a few minutes to be received.
If you do not receive the code after a few minutes, you may select the Resend Verification Code button to have another code sent to your device. Any previous codes will be invalidated.
If you need to change the number you provided, you may edit the text-enabled device number and select the Resend Verification Code button to have the code sent to the new updated number you entered. Any previous codes will be invalidated.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-16
Date Posted: 5/24/2019
Date Updated: 8/16/2019
Do one-time tokens expire?
ANSWER: Yes, one-time tokens expire 10 minutes after the request is made. If the token expires before it is used to successfully log into the Secure Website, users must request a new token. Tokens that expire and are not used to successfully log in do not count towards the limit of three allowable consecutive one-time token uses.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-17
Date Posted: 8/16/2019
Is there a limit to the number of times I can use a one-time token?
ANSWER: Yes, users can only use one-time tokens three consecutive times to log into the Secure Website. One-time tokens are only to be used in cases of emergencies, when immediate access to the RDS Secure Website is necessary but you are not able to use Google Authenticator. One-time tokens cannot be a primary, recurring method of accessing the RDS Secure Website. After three uses, users must use Google Authenticator to log in, at which time their one-time token use is reset back to zero.
Refer to Multi-Factor Authentication for additional information.
Answer ID: 8000-18
Date Posted: 8/16/2019