Two Factor Authentication (TFA) is a method of authentication that adds an additional layer of security to the logon process. As the name implies, it relies on two factors – something you have (a DOIAccess smart card credential) and something you know (the PIN for your smart card). TFA implementation is one of the Big 9 Initiatives in response to OMB and DOI mandates, specifically:
1) OMB M-6-16 – “Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access; Use a “time out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity”
2) The DOI E-Government Scorecard requirement for all Remote Access to utilize the Enterprise Services Network (ESN) VPN solution.
Furthermore, TFA is necessary for the Department to meet the Strong Authentication goal defined in the Federal Cybersecurity Cross-Agency Priority Plan to ensure that only authorized users have access to Federal information systems and resources.
Process for New or Updated PIV Cards
Follow-up Steps required:
You MUST log into your computer on a DOI network (or through VPN) to allow your new certificates to be applied to your computer.
Sign on to Windows by inserting your card and entering your PIV card PIN when prompted. If you get a failure message, retype your PIN. Tab down to the hint field and type gs\userid (e.g. gs\jdoe).
The altSecurityIdentities attribute on your AD account must be populated with your new certificate before you can log in. The sync from DOIAccess to Active Directory can take up to an hour to complete. If the altSecurityIdentities field has not synced yet, you may receive the following message:
If you are a teleworker, test your VPN connection while in the office BEFORE WORKING FROM HOME. Start by removing your old cached certificates.
Open Edge, click the three dots in the top right -> Settings -> Privacy, search, and services, or browse to edge://settings/privacy

Under Security, click Manage certificates

Remove any cert with your name or Geological Survey and an expiration date older than the current calendar year. Click Yes at the warning prompt.
Also, if you saved your certificate in Ivanti, you will need to remove that saved certificate as well.
Open Ivanti > File > Connections > Forget Saved Settings

Now choose a connection point in Ivanti and connect. Ensure a valid connection.
** NEW PIV Card issued? You must go to facilities and have your building access updated.
For Help contact:
USGS IT Help Desk phone: 703-648-4357
Computer Logon
Windows
The use of Two Factor Authentication (TFA) is currently enforced for Windows clients. Windows Server is not currently in scope, but will eventually have TFA enforcement as well.
TFA allows daily logon with the 6-8 digit PIN instead of the 12 character AD password. It is important to note that although employees may welcome the ability to log in with a PIN instead of a password, the AD password will still need to be maintained and reset as it is today.
Overview
Two Factor Authentication (TFA) on USGS systems will be enforced by means of a BigFix Fixlet which creates a scheduled task that monitors the local client machine for changes in network connectivity. When a change in connection is detected, a PowerShell script runs silently in the background and enables or disables enforcement. The overall process of TFA enforcement is explained below:
- Determine whether or not the computer is connected to a DOI network (based on accessibility of an internal share).
- IF NOT on a DOI network: disable the smart card requirement to allow logon using cached AD credentials; smart card logon is still possible.
- IF ON a DOI network: check whether an exception exists for the computer to be exempted from smart card logon.
  - IF an exception exists: disable the smart card requirement to allow logon using AD credentials.
  - IF an exception does NOT exist: enable smart card logon enforcement and enforce the policy by locking the screen.
It should be noted that the client is continuously monitored and the appropriate enforcement setting will be applied depending on the network connection. For example, if a user’s system is not connected to a DOI network during initial logon, then the user can log in with his or her AD credentials. If, at any time during that session, the user connects to a DOI network and an exemption for their system does not exist, then the script will lock the user’s system and require them to unlock it using their smart card.
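The decision logic above, as an added PowerShell sketch that is not the USGS Fixlet or its script: the probe share path is a placeholder, and using the built-in "Interactive logon: Require smart card" registry value for enforcement and the computer's AD group membership for the exception check are assumptions; the exception group name is the one given in the Known Issues section of this page.

```powershell
# Added illustration of the enforcement decision described above; not the USGS
# BigFix Fixlet or its script. Lines marked "Assumption" are not from the page.
# Writing the policy value requires administrative rights.

$InternalShare  = '\\fileserver.placeholder\tfa-probe'   # placeholder for the internal share that is probed
$ExceptionGroup = 'IGSU DI-TFA-Computer Exception TMP'     # exception group named in Known Issues on this page
# Assumption: enforcement is the built-in "Interactive logon: Require smart card" policy value.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-OnDoiNetwork {
    # "On a DOI network" means the internal share is reachable from this client.
    [bool](Test-Path -LiteralPath $InternalShare -ErrorAction SilentlyContinue)
}

function Test-ComputerException {
    # Assumption: the exception list is the computer object's AD group membership
    # (needs the RSAT ActiveDirectory module). Only called while on the network.
    $memberOf = (Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf).MemberOf
    foreach ($dn in $memberOf) {
        $cn = ($dn -split ',')[0] -replace '^CN=', ''
        if ($cn -eq $ExceptionGroup) { return $true }
    }
    return $false
}

function Resolve-TfaAction {
    # Pure decision mirroring the bullets above; no side effects, so it is easy to test.
    param([bool]$OnDoiNetwork, [bool]$HasException)
    if (-not $OnDoiNetwork) { return 'Disable' }     # off-network: cached AD credentials allowed
    if ($HasException)      { return 'Disable' }     # on-network, but the computer is exempted
    return 'EnforceAndLock'                          # on-network, no exception
}

function Set-TfaEnforcement {
    param([ValidateSet('Disable', 'EnforceAndLock')][string]$Action)
    $required = if ($Action -eq 'EnforceAndLock') { 1 } else { 0 }
    # scforceoption = 1 requires a smart card for interactive logon; 0 permits passwords.
    Set-ItemProperty -Path $PolicyKey -Name 'scforceoption' -Type DWord -Value $required
    if ($Action -eq 'EnforceAndLock') {
        # Lock the console so the next unlock must use the smart card. LockWorkStation
        # acts on the calling session, so this must run in the logged-on user's session.
        rundll32.exe 'user32.dll,LockWorkStation'
    }
}

# Entry point for each network-change event raised by the scheduled task.
function Invoke-TfaEnforcement {
    $onNetwork = Test-OnDoiNetwork
    # The exception lookup needs a domain controller, so only attempt it on the network.
    $exempt = if ($onNetwork) { Test-ComputerException } else { $false }
    $action = Resolve-TfaAction -OnDoiNetwork $onNetwork -HasException $exempt
    Set-TfaEnforcement -Action $action
    return $action
}

Invoke-TfaEnforcement
```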
Requirements
The following are required for TFA enforcement on USGS systems:
- Windows client or Mac. Mobile devices (Android, iPad/iPhone, etc.) are not in scope.
- The BigFix client must be installed on the system.
- Internal or external FIPS-201 compliant smart card reader.
- An activated DOIAccess PIV credential and a known PIN.
It is highly recommended that users log on with their smart card while on the DOI network before travel or telecommuting to ensure the smart card credentials are cached on the system. This should be done for all accounts (such as -ou or -pr accounts) if the user has multiple accounts. Click here for more information on logging on with a privileged account using your smart card.
ActivClient Middleware
ActivClient was required to use a smart card on a Windows XP or Server 2003 system, but beginning with Windows 7 the functionality provided by ActivClient is built into the operating system. The ActivClient software is therefore not required unless the system serves as a Light Activation Station (LAS)/Mobile Credentialing Unit (MCU). ActivClient has been known to cause problems with Remote Desktop Connections. See Known Issues below for more information.
Smart Card Logon Procedures
Windows 10
- Insert smart card into card reader, press “Ctrl-Alt-Del”, and press OK to accept the security warning banner
- Click on the “Smart Card” icon or click “Sign-in Options” if the “Smart Card” icon is not displayed.
- Type in your PIN and click OK
- Removing the card DOES NOT lock the console in Windows, so one must remember to manually lock the console if needed. The console will, however, lock after 15 minutes of inactivity regardless of whether or not a card is inserted in the reader.
Mac
VPN Access Using Smart Cards
Requirements:
- You must have a HSPD-12 PIV II smart card. If you have not yet received a smart card, or an email with instructions for obtaining one, contact your supervisor.
- You will need a card reader. The one the USGS recommends is the SCM SCR331 or SCR3500 but many other models may work just as well.
- If your system is not yet using Centrify, you will need middleware to allow your system to read your smart card. We recommend Centrify Express for Smart Card, which you can download here: Centrify-Express-For-Smart-Card-5.2.4-mac10.8. Other smart card middleware options include:
- PKard for Mac
- OpenSC
- SmartCard Services (doesn’t work for browser logins)
- If your system already has OpenSC installed and you want to remove it, run the following terminal command: sudo opensc-uninstall
- Check to make sure your smart card is visible to Mac OS using Keychain Access (Top) or Centrify Express Card Reader Status (Bottom)
- Follow instructions for installing and using https://tst.usgs.gov/applications/security/pulse-client/ to connect to VPN, or
- Follow the instructions for logging into Bison Connect with a smart card from Mac OS.
If the certificates on your smart card are renewed, you will need to clear the local token cache before the new expiration date will be recognized.
To clear your token cache, start a terminal session as a user with administrator privileges and run the following command:
sudo rm -rf /var/db/TokenCache/tokens/*
A reboot is recommended after clearing token cache.
Linux
Ubuntu
Install the opensc package.
Run opensc-tool -l to verify the install and that the OS can see the card reader.
If you get output like this, you are good to continue. (If your card is inserted, it will say Card: yes; if removed, it will say Card: No.)
Firefox setup:
Open Settings > Preferences > Advanced > Certificates > Security Devices.
Click Load.
Put "Smart Card" under Module Name, browse to or type the following under Module filename, and click OK: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
You should now see a smart card drop-down with "Virtual hotplug slot" and "PIV_II". Click on PIV_II. With your smart card inserted, the status should show Not logged in. Select Log in to test.
Enter your PIN.
Your status should now say Logged in, and Firefox setup is complete!
Logging into websites:
Browse to a website that has TFA ability. Most DOI sites will have a button similar to this:
You should see this popup when you click on Sign in with PIV, or open a web application that has TFA enabled. Input your PIN and click OK.
On the next page, you should be able to click ok. Some users might have to click the dropdown and select the correct cert on the card.
You should now be logged in. This may take a few seconds for the card to be read.
Install the opensc package.
Run opensc-tool -l to verify the install and that the OS can see the card reader.
Firefox setup:
Open Edit > Preferences > Advanced > Certificates > Security Devices.
Click Load.
Put "Smart Card" under Module Name, browse to or type the following under Module filename, and click OK: /usr/lib64/opensc-pkcs11.so
You should now see a smart card drop-down with "Virtual hotplug slot" and "PIV_II". Click on PIV_II. With your smart card inserted, the status should show Not logged in. Select Log in to test.
Enter your PIN.
Your status should now say Logged in, and Firefox setup is complete!
Logging into websites:
Browse to a website that has TFA ability. Most DOI sites will have a button similar to this:
You should see this popup when you click on Sign in with PIV, or open a web application that has TFA enabled. Input your PIN and click OK.
On the next page, you should be able to click ok. Some users might have to click the dropdown and select the correct cert on the card.
You should now be logged in. This may take a few seconds for the card to be read.
Smart Card Readers
If you have purchased a laptop that is on contract it should have the necessary Smart Card reader slot. On Dell laptops the slot usually has an “SC” label next to it and may be on the right or left side of the chassis, depending on the model. See the FAQ section for more info. Some models of HP and Lenovo laptops with Alcor Smart Card readers have been found to not recognize the DOI PIV card. In most cases this problem was found to be the result of an incorrect driver installation. See the Known Issues section below for more information.
The following USB smart card readers have been shown to be compatible with DOIAccess PIV cards:
- Dell Smart Card USB keyboard
- CHERRY KC 1000 SC Keyboard
- CHERRY SmartTerminal ST-1144 (suggested for Macs)
- HID OmniKey 3121
- HID OmniKey 4321 ExpressCard
- SCM SCR3500 (suggested for Macs)
- SCM SCR331 (suggested for Macs)
- SCM SCR333 3.5 inch bay internal
- SCM SCR3310v2.0 USB
- SCM SCR3340 ExpressCard
- SCM SCR243 PCMCIA
Reset a Smart Card PIN
You will need to know the PIN associated with your smart card in order to use it for computer logon, VPN authentication, and digital signatures. The card will be locked after 6 incorrect attempts at entering the PIN. If a card is locked and your site has a Light Activation Station (LAS), contact the local Activator to have your PIN reset.
If your site does not have an activation station, you will need to visit the GSA Online Scheduling System in order to set up a time to visit an enrollment center to have your PIN reset. The steps are similar to those taken when setting up the original appointment to pick up your HSPD-12 Smart Card.
To make an appointment at a credentialing center:
- Access the USAccess Assured Identity Scheduler.
- To make an appointment, select your appointment type. Click “Continue.”
- Find a credentialing center for your appointment. Once you have selected a center, click “Continue.” NOTE: Centers marked as “Shared” are open to all USAccess applicants. Centers that are marked as “Only” are limited to only employees and contractors of that agency.
- Select a date and time for your appointment. Click “Continue.”
- Provide your contact information.
- Review the details of your appointment and if everything looks correct, click “Make Appointment.”
Use a Smart Card to Digitally Sign a PDF
A PDF can be digitally signed using your DOIAccess smart card. The screenshots may vary slightly from those below as you go through the process, but are very similar. The second section of this document explains how to configure Adobe Acrobat to verify DOI smart card signatures.
The following video demonstrates how to create a digital signature in Adobe and sign with it: https://web.microsoftstream.com/embed/video/d81d9f9b-cd4e-4a79-b875-8889b1115c70?autoplay=false&showinfo=true
To digitally sign a PDF with your smart card:
- Insert your smart card into the computer’s smart card reader and proceed with opening a fillable PDF that requires a signature. You can also do this step after opening the document if needed.
- Click on the signature field (there should be a small red tab indicating the signature field; you will need to click directly on the red tab). You may also sign any PDF by using the Place Signature function in Adobe Acrobat.

You will see the following popup (note the initial “Sign As” selection might not match the below screen shot):

Click on the drop-down arrow and select your "Government Digital Signature Key" from the list. Note: if your smart card is not inserted, you might not see your name as an option.
You will be prompted to save the signed file. Give the signed version a new name, or you may overwrite the original document, and click Save.
You will be prompted for your smart card PIN. Enter your PIN and click OK. If you are not prompted to enter your PIN, you may have selected a non-smart card signature from the "Sign As" drop-down list shown above.
The form will now show your digital signature:

Configure Adobe Acrobat to Verify DOI Smart Card Digital Signatures
Adobe Acrobat must be configured to verify DOI smart card digital signatures or else the signature will show as unverified. The steps below illustrate how to properly configure Acrobat.
Open Adobe Acrobat as the user and select Edit > Preferences.
Click Signatures, then from the Verification section click More. (Note: the check box for Verify signatures when the document is opened can cause a slight delay when opening PDF documents.)

Under the Windows Integration section, ensure the Validating Signatures and Validating Certified Documents boxes are checked. Check the desired options then click OK twice to complete.

You can optionally specify the reason for signing the document, the location, and your contact information. To do this click Signatures, then from the Creation & Appearance section click More.


After you apply these settings you should exit Acrobat and open the file previously signed with the smart card. It will take a few moments for it to load as it builds the links necessary for validation to work (Note: This should only occur the first time). When you right click on the signature field and select Validate Signature you can see if the signature is valid as shown below:
Known Issues & Resolutions
Issues that have been observed are listed below along with their corresponding fix or work-around. This list will be updated as more issues are identified. If you come across an issue not listed here, please open a ticket with the Service Desk and provide a description of the problem and, if possible, details of any potential work-around you may have found.
Single Sign-on (SSO)
USB smart card reader does not recognize smart card when inserted
A remote computer requires you to enter a PIN twice when ActivClient middleware is installed
Saving AD credentials for an account running a scheduled task
In certain cases, minor configuration changes are needed to ensure SSO functionality when a user is logged into a workstation via Two Factor Authentication. Some known scenarios are listed below:
PuTTY
When PuTTY is configured to use GSSAPI authentication, it uses the username of the user logged in to the local operating system to attempt authentication. When logged in with an AD username and password, the system username is listed in lowercase (gs\username), but when logged in with a DOI PIV credential, the system username is listed in uppercase (gs\USERNAME). Because Linux and Unix are case sensitive, authentication fails when PuTTY passes the uppercase username.
The following lines can be added to a startup script (a .bat/.cmd file) that opens the user's PuTTY session to work around this issue. The whoami command outputs the username in lowercase, the domain prefix is stripped, and the appropriate registry value for the specified PuTTY session is updated:
rem Capture the lowercase username, strip the "gs\" domain prefix, and write it to the PuTTY session
for /f "delims=" %%i in ('whoami') do set user=%%i
set user=%user:gs\=%
REG ADD "HKCU\Software\SimonTatham\PuTTY\Sessions\<specify PuTTY session name here>" /f /v "username" /t REG_SZ /d "%user%"
The system username shown before running the above commands, and after running them:
Attachmate Reflection X
Similar to the PuTTY issue described above, when Reflection X is configured to use GSSAPI a lowercase username must be specified in the connection settings for single sign-on to succeed:
USB smart card reader does not recognize smart card when inserted
1) Ensure that the card reader is compatible with DOI PIV cards. A list of compatible readers can be found here.
2) Confirm that the correct driver is installed for the smart card reader on the client system.
3) Reinsert the smart card into the reader.
4) If the card is still not recognized, try reconnecting the USB cable to the computer and/or restart the computer.
A remote computer requires you to enter a PIN twice when ActivClient middleware is installed.
If you attempt to RDP to a system that has ActivClient installed you may see either of the errors shown below. If you click OK and enter your smart card PIN a second time, the system will successfully log you on. This behavior occurs because two Cryptographic Service Providers (CSP) reside on the system – the Microsoft Base CSP and the ActivClient CSP. Uninstall ActivClient from the system to resolve this issue. In cases where ActivClient must be installed, such as for a Light Activation Station, there is no work-around for this issue.


Saving AD credentials for an account running a scheduled task.
In order to save credentials for a scheduled task on a TFA enforced system, COUAs will need to first temporarily disable enforcement by adding the system to the “IGSU DI-TFA-Computer Exception TMP” AD group and restarting the system. After enforcement has been disabled, the username and password for the account can be entered and saved. The system should then be removed from the exception group and restarted to re-enable enforcement. The task will continue to run with the saved credentials even after TFA has been enforced. This process must be repeated if the password for the account changes.
Smart card reader driver uninstalls after updates.
It has been observed that, on occasion, smart card reader drivers are uninstalled following Windows Updates, leaving the system unable to read a smart card. In some cases the problem resolves after one or more restarts. In other cases, intervention is required following the steps below:
- Open Device Manager and check the status of the smart card reader driver. If it displays "Contacted" or "Contactless" SmartCard with an exclamation point, the driver is missing.
- Right-click on the reader and click Update Driver
- Click “Browse my computer for driver software”
- Click “Let me pick from a list of available drivers on my computer”
- Select “Microsoft Usbccid Smartcard Reader (WUDF)” and click Next
- The reader should now detect the inserted smart card.
FAQs
General Information:
What is a PIV card?
What is the difference between a PIV card and a smart card?
Who is required to have a PIV card?
What information is stored on the PIV card?
What is strong authentication?
What is “Two Factor Authentication” (TFA or 2FA)?
How is Two Factor Authentication (TFA) more secure?
Why are we using PIV or smart cards?
What are the advantages of PIV cards over username and password?
What else is PIV card used for?
How do I obtain a PIV Card?
Is TFA enforcement based on user or computer?
PIV Logon:
How do I logon to a computer with a PIV card?
Where does the Smart Card insert into my Laptop?
How is this different from logging into Enterprise VPN?
Do I need to buy software to use with my PIV card?
Do I need to buy hardware to use with my PIV card?
Who will install the PIV card reader on my computer?
Will I be able to logon to more than one system at a time?
Will I be able to logon to all applications with the DOIAccess card?
Who do I contact if I have problems logging on?
How do I find the host name of my computer?
How will logging onto my computer with a PIV card affect things like MyUSGS, web services, high throughput computing, and other applications that need to authenticate against AD accounts, PR accounts, etc?
How does the DOIAccess card work for those with multiple Active Directory accounts?
I specified my privileged account in the username hint field, but I still can’t logon. Why?
How do I log on interactively with an Active Directory service account?
Will my workstation lock when I remove my Smart Card?
Why does my screen lock right after I connect back to the USGS network while in the office or right after I established a VPN session?
Do I need my DOIAccess card to unlock my workstation?
Will waivers/exemptions be approved for field laptops?
I’m teleworking and attempting to log in with my -Pr (privileged) account, but I’m unable to log in either with credentials or with my PIV card and PIN. What do I do?
I’m attempting to login with Local Admin Credentials or an interactive service account to my TFA enforced machine policy while I’m in the office and I get this Windows message prompt. What should I do?
Personal Identification Number (PIN) and Password:
What is a DOIAccess PIN?
How do I change my PIN if I don’t remember it?
How often do I have to change my PIN?
How many times can I try my PIN before I get locked out?
Will a locked PIN get released after a period of time?
Is there a way I can test my PIN before attempting to logon to a computer or VPN?
If I know my DOIAccess PIN, can I change it without going to a GSA Credentialing Station?
Will I still have to remember my username and password?
How do I change my AD password when I’m logged in with my smart card?
How do I change an expired AD password on a TFA enforced computer?
How do I reset my AD password if I forgot it?
Forgotten, Lost or Stolen Cards:
What happens if I forget my PIV card?
What happens if my PIV card is lost or stolen?
What happens if I can’t find my card?
How do I find out who my card Sponsor is?
Card Maintenance:
What happens if I have a name change?
What happens if my card stops working?
Can an employee have more than one PIV card?
Certificate and Card Expiration:
What is a certificate?
Why do I see multiple certificates when I login?
How do I reauthorize my certificate(s) before they expire?
What happens if my certificate expires?
When does my DOIAccess card expire?
Applications:
What applications will still require passwords?
Can Citrix or similar Virtual Desktop Environment (VDI) be used with PIV for remote access?
When I login to Windows, will applications like SharePoint still use the ‘Use Current Logon Credentials’ feature that acts somewhat like single-sign-on?
How does TFA affect BeyondTrust (Bomgar)?
Mobile Devices, Remote Access and VPN:
Can I use my personal equipment to remotely access the DOI network for work activities?
When logging into VPN I get this error: “Invalid username or password. Please re-enter your user information.” Why?
How does a remote user cache their credentials after having their certs updated or receiving a new card?
Need More Help?:
Who do I contact if none of these items answer my question?
General Information
What is a PIV card?
A Personal Identity Verification (PIV) card is an official form of identification, and is a specific type of smart card. DOI provides smart cards with PIV, called DOIAccess cards, through the DOIAccess program to DOI personnel.
What is the difference between a PIV card and a smart card?
A smart card is a card with a computer chip embedded in it. A PIV card is a smart card with personal identity information printed on the face of the card and embedded in the computer chip. The DOIAccess PIV card has your facial image, legal name, federal agency (DOI), affiliation (employee, contractor, etc.) and expiration date printed on the face of the card. The computer chip is the gold square at the bottom of the card and contains “certificates” with PIV information in them.
Who is required to have a PIV card?
Effective June 2009, the DOIAccess program requires all bureaus/offices to complete the Personal Identity Verification (PIV) card process for new personnel. A summary of the categories of personnel and the corresponding DOIAccess requirements follows. “Affiliates” are defined as volunteers, Scientist Emeriti, cooperators, visiting scientists, and so forth:
For all USGS Civil Service employees, DOI Access registration and all associated paperwork are required.
For contractors and other affiliates requiring regular and recurring physical access for 180 days or more, and (or) logical (information technology) access for any duration of time, DOI Access registration and all associated paperwork to initiate background investigation are required.
For contractors and other affiliates requiring only regular and recurring physical access for less than 180 days, only a favorably adjudicated Federal Bureau of Investigation (FBI) fingerprint check is required.
Contractors or other affiliates who require only intermittent physical access will be processed as visitors.
Visitors who require logical (information technology) access must either be restricted to an internet only zone or through a technical solution that allows access to only those resources deemed necessary for mission related activities. Technical solutions for restricted internal logical access specific to a visitor’s mission must be documented in a request memorandum from the site IT Security POC and be pre-approved by the Information System Security Officer and the System Owner or no access other than “Internet only” will be granted.
What information is stored on the PIV card?
To prove the identity of the Credential Holder to the card, a PIN is stored. Card management keys are stored to prove the identity of the card management system to the card. To prove the identity of the Credential Holder to an external entity, such as a protected computer system, the card stores a Credential Holder Unique ID (CHUID), two biometric fingerprints, symmetric keys, and asymmetric keys. A digital facial image is stored on the card along with the Credential Holder’s name, Agency, and card expiration date. No other personal biographic data is stored on the card.
What is strong authentication?
Strong authentication is the use of multiple elements to permit access. Elements can include knowledge, a physical object or a biological signature. Multiple elements of knowledge would be numerous questions with given answers, passwords or phrases or numbers. A physical element would be something a person has physical possession of (a card, a key generator, a cell phone). A biometric element is something the person is (a fingerprint, retinal scan, a typing pattern). Each of the elements must be independent of the others so that if one is obtained the other remains secure. Multi-factor authentication requires at least two different element types and is most commonly implemented as “two factor authentication”. DOI Memorandum 09-06 (March 2009) established the DOI physical and logical access program, DOIAccess.
What is “Two Factor Authentication” (TFA or 2FA)?
A PIV enabled smart card is a form of two factor authentication, meaning it requires two factors (elements) to work. Typically, in civilian government, two-factor authentication is something you have and something you know. You have a PIV card and know a Personal Identification Number (PIN) uniquely keyed to your card. The card and the PIN are legal validation that only you, the card owner, have performed actions using your card and PIN. It is your responsibility to safeguard both the card and the PIN!
How is Two Factor Authentication (TFA) more secure?
Two-factor authentication (TFA) means two different types of items, e.g. something you have and something you know, have to be used together for logon. As long as you have your DOIAccess card in your possession, and maintain the secrecy of your PIN, nobody else can log on to the DOI network and access the information you are responsible for. It is critically important never, under any circumstances, to “loan” the DOIAccess card to any other person or give them your PIN, whether an assistant, supervisor or help desk. It is never appropriate for a help desk or supervisor to ask for another employee’s PIV card or PIN, and it is never appropriate to offer your own PIV card or PIN to anyone.
Why are we using PIV or smart cards?
All federal agencies must move to the use of strong authentication (PIV, smart cards) for network access. In August 2004, President George W. Bush signed Homeland Security Presidential Directive 12 (HSPD-12), which was supplemented in 2011 by Office of Management and Budget (OMB) Memorandum 11-11, mandating that an interoperable federal identity infrastructure be used across all agencies. DOI Memorandum 09-06 (March 2009) established the DOI physical and logical access program, DOIAccess. DOIAccess is managed by the Identity Credential and Access Management (ICAM) office.
What are the advantages of PIV cards over username and password?
Password management is a burden for each of us. How many passwords do you currently have? How long are they? How many times do you change them each year? How do you keep track of them all? Many people write down passwords in unsecured places, which defeats their purpose of restricting access to a single authorized individual. A 6-8 digit PIN is easier to remember than an alphanumeric password.
What else is PIV card used for?
The PIV can be used for Digital signatures – you can currently digitally sign some PIV enabled documents such as the DOI Teleworking Approval form. Remember that a digital signature is the legal equivalent of your signature.
The PIV can also be used for Email encryption – your encryption certificates on the PIV card permit encryption of email attachments.
Information on how to get a Smart Card can be found at http://internal.usgs.gov/smartcards/.
Is TFA enforcement based on user or computer?
TFA will be enforced per computer, NOT per user. This means that when TFA is enforced on a computer, all users who log on to that system will need to authenticate using their smart card. However, if those same users were to log on to a computer that does not have TFA enforced, then they could authenticate with their smart card OR their AD credentials.
PIV Logon:
Where does the Smart Card insert into my Laptop?
If you purchased a laptop that is on contract in the last few years, it will have the necessary Smart Card slot. All Latitude family systems shipped with SC slots. The SC slot can be found on the left side of the laptop and should be labeled SC.

This picture depicts the Location of the SC slot on a Dell D family system. The slot is located along the left side, below the wireless switch and speaker jacks.
This picture depicts the Location of the SC slot on a Dell E family system. The slot is located along the left side of the system.
How do I logon to a computer with a PIV card?
Refer to the procedures listed here.
How is this different from logging into Enterprise VPN?
It is different in that you will be required to use your DOIAccess card to log on to the computer itself if it is currently connected to the DOI Network. If it is not on a DOI network (i.e. home or public network) you may log on with an AD username and password; however, when you establish a VPN session to connect to the DOI network, the use of your DOIAccess card will be enforced again.
Do I need to buy software to use with my PIV card?
No, the functionality to read DOIAccess PIV cards is built into the OS. If the computer will be used as a Light Activation or Credentialing Station, then ActivClient will need to be installed. More information can be found here.
Do I need to buy hardware to use with my Smart Card?
I have a laptop purchased off of the DOI contract in the last few years.
The SC slot is either built into the laptop or was included as an external device.
I have a laptop that didn’t come with a SC reader.
After IT staff confirms that the laptop doesn’t have an SC reader, contact the Service Desk at servicedesk@usgs.gov or 703-648-HELP (4357) and they can assist with determining the correct smart card reader required for your system. Please note that the Service Desk does not actually provide smart card readers to users, only advice on what to purchase. Smart card readers may be purchased using government credit cards following the usual credit card purchasing guidelines. There is no contract for smart card readers. New laptop computers should be purchased with a built-in smart card reader, and desktops with a smart card reader on the keyboard.
The following list of USB smart card readers have shown to be compatible with DOIAccess PIV cards:
- Dell Smart Card USB keyboard
- CHERRY KC 1000 SC Keyboard
- CHERRY SmartTerminal ST-1144 (suggested for Macs)
- HID OmniKey 3121
- HID OmniKey 4321 ExpressCard
- SCM SCR3500 (suggested for Macs)
- SCM SCR331 (suggested for Macs)
- SCM SCR333 3.5 inch bay internal
- SCM SCR3310v2.0 USB
- SCM SCR3340 ExpressCard
- SCM SCR243 PCMCIA
Who will install the PIV card reader on my computer?
All Windows systems procured through the DOI contract either have a built in reader or come with a Smartcard Reader capable keyboard.
Will I be able to logon to more than one system at a time?
Yes, USGS policy allows simultaneous logons. You may use your DOIAccess Card to logon to one system, remove it and not have the system lock, then physically logon to another.
Will I be able to logon to all applications with the DOIAccess card?
Some applications require separate authentication and will not yet be able to use the DOI PIV Card. These systems will continue to use a username and password and a local (non domain/network) account to logon. BisonConnect currently “passes PIV authentication through” if you are physically in a DOI facility or connected to the network via VPN and TFA. It is expected that programs such as Quicktime, FPPS, FBMS, Concur Government Edition (CGE) and other major bureau applications will become PIV enabled in the future.
Who do I contact if I have problems logging on?
Contact your local IT support or the USGS Service Desk at 703-648-HELP (4357).
How do I find the host name of my computer?
Windows: Right-click the Start button and click Command Prompt. At the command prompt type hostname and press Enter. The host name of your computer will be displayed.
Mac OSX: Click the Apple menu, then click System Preferences. Click Sharing and the host name will be listed next to Computer Name.
How will logging onto my computer with a PIV card affect things like MyUSGS, web services, high throughput computing, and other applications that need to authenticate against AD accounts, PR accounts, etc?
There will be no impact when using your PIV smart card since you will still have the ability to logon with your AD account passwords as needed to access these applications. However, you will still be required to maintain your AD account passwords to ensure they do not expire.
How does the DOIAccess card work for users with multiple Active Directory accounts?
eComputing has mapped users’ certificates to their -PR and -OU accounts so that a single card can authenticate these network accounts as well. eComputing has also enabled Username hints as part of the USGS TFA roll-out. Using this functionality, users with -PR or -OU accounts can enter the desired account into the Username hint field along with their smart card PIN to authenticate as that account. The following example is from a UAC prompt while performing a “run as” operation, but Username hints are available for log on at the CTRL ALT DEL prompt as well.

For users with multiple AD accounts, it is recommended to always specify a user name in the user name hints field, even when logging on with a standard non-privileged account. The reason for this is that if the hints field is left blank, Windows arbitrarily selects a user name to map. Therefore, if you attempt to logon using your standard account and you do not specify a user name in the hints field, Windows may log you in with your -pr or -ou account. It has been observed that in many cases your standard account will be used even if the hints field is empty, so you may want to test on your account to confirm. But again, it is a recommended best practice to always specify a user name in the hints field to avoid confusion.
I specified my privileged account in the username hint field, but I still can’t log on. Why?
1) Make sure that the mail attribute of the -pr account is populated with the user’s email address. This is required in order for the user’s X.509 certificate to be mapped to their -pr account. Click here for more information.
2) If the problem is occurring when the computer is disconnected from a DOI network, the cause may be a lack of cached credentials for the account. The account should be cached for both AD and smart card credentials before attempting to log on off the DOI network. Refer to step 2 here for more details.
3) If you are still having a problem, open a ticket with the Service Desk for further assistance.
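For IT staff checking steps 1 and 2 above, the following PowerShell is an added example (not from this page or from eComputing) that reads the account attributes the certificate mapping depends on. It assumes the RSAT ActiveDirectory module is installed and a DOI domain controller is reachable; jdoe-pr is a placeholder account name.

```powershell
# Added example, not from the original USGS page. Assumes the RSAT ActiveDirectory
# module is installed and the machine can reach a DOI domain controller.
# 'jdoe-pr' below is a placeholder account name.
Import-Module ActiveDirectory

function Test-PivAccountMapping {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties mail, altSecurityIdentities, userPrincipalName, LockedOut, Enabled
    $issues = @()

    # Step 1 above: the mail attribute must be populated for the user's X.509
    # certificate to be mapped to the -pr account.
    if ([string]::IsNullOrWhiteSpace($user.mail)) {
        $issues += 'mail attribute is empty'
    }

    # altSecurityIdentities carries the certificate mapping; the DOIAccess to
    # AD sync can take up to an hour after a new or updated card.
    $mappings = @($user.altSecurityIdentities)
    if ($mappings.Count -eq 0) {
        $issues += 'altSecurityIdentities is empty (sync from DOIAccess may still be pending)'
    }

    # Ordinary account-state problems look the same as a mapping problem at the logon screen.
    if (-not $user.Enabled) { $issues += 'account is disabled' }
    if ($user.LockedOut)    { $issues += 'account is locked out' }

    [pscustomobject]@{
        Account  = $user.SamAccountName
        UPN      = $user.UserPrincipalName
        Mail     = $user.mail
        Mappings = $mappings
        Issues   = $issues
        Ready    = ($issues.Count -eq 0)
    }
}

# Show the issuer and subject of the certificates the card presents, so the
# mapping strings above can be compared against them by eye. Windows copies the
# card's certificates into the personal store when the card is inserted.
function Get-SmartCardIssuerSubject {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Issuer, NotAfter
}

Test-PivAccountMapping -SamAccountName 'jdoe-pr' | Format-List
Get-SmartCardIssuerSubject | Format-Table -AutoSize
```

If Ready is false, the Issues field names which of the conditions above is not met; an empty Mappings list with a populated mail attribute usually means the sync has not completed yet.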
How do I log on interactively with an Active Directory service account?
Service accounts can be mapped to one or more IT Administrators’ smart card certificates. The administrator can then log on interactively by specifying the service account name in the Username hint field, just as they would if they were using their -pr or -ou account. To request a service account be mapped to your smart card credentials, send a request to the USGS Service Desk, specifying the account names to be mapped. Only requests from the local IT staff and COUAs will be processed.
Will my workstation lock when I remove my PIV card?
No, your workstation will not automatically lock when you remove your PIV card. It will, however, lock after 15 minutes of inactivity regardless of whether your PIV card is inserted in the reader or not.
Why does my screen lock right after I connect back to the USGS network while in the office or right after I established a VPN session?
This is expected behavior related to TFA enforcement. When your system is disconnected from the DOI network, TFA enforcement is disabled. However, as soon as the system connects to the DOI network, whether in the office or through VPN, TFA enforcement is enabled. The system locks and you will be required to log back in with your PIV card and PIN.
Do I need my DOIAccess card to unlock my workstation?
Yes, your DOIAccess card is required to unlock your workstation if you are connected to a DOI network.
Will waivers/exemptions be approved for field laptops?
TFA is only being enforced on a PER COMPUTER BASIS FOR DOI NETWORK ACCESS. In other words, if the laptop is being used “out in the field” and therefore not connecting to the DOI network then TFA is not required. The user will be able to login with their cached AD credentials.
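The per-computer enforcement, the card-removal behavior and the 15-minute inactivity lock described above are all local Windows policy settings. The following PowerShell is an added example (not from this page or from eComputing) that reports those settings on the client without changing anything; the registry paths and value names are the standard Windows ones.

```powershell
# Added example, not from the original USGS page. Reads the local Windows policy
# values behind the behaviours described above and reports them; it changes
# nothing. Registry paths and value names are the standard Windows ones.
function Get-TfaClientState {
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # "Interactive logon: Require smart card" -> scforceoption = 1 (applied per computer, not per user)
    $force  = (Get-ItemProperty -Path $system -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    # "Interactive logon: Smart card removal behavior" -> scremoveoption ("0" no action, "1" lock, "2" log off, "3" disconnect)
    $remove = (Get-ItemProperty -Path $winlogon -Name scremoveoption -ErrorAction SilentlyContinue).scremoveoption
    # "Interactive logon: Machine inactivity limit" -> InactivityTimeoutSecs (900 = the 15 minutes described above)
    $idle   = (Get-ItemProperty -Path $system -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    $removeText = switch ("$remove") {
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect remote session' }
        default { 'No action' }
    }

    # Enforcement follows DOI network connectivity, so also report whether a
    # domain controller is reachable right now (nltest returns non-zero if not).
    $dcReachable = $false
    if ($env:USERDNSDOMAIN) {
        $null = & nltest "/dsgetdc:$env:USERDNSDOMAIN" 2>$null
        $dcReachable = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SmartCardRequired    = ($force -eq 1)
        CardRemovalBehavior  = $removeText
        InactivityLockSecs   = $idle
        DomainControllerSeen = $dcReachable
    }
}

Get-TfaClientState | Format-List
```

A field laptop that is off the DOI network will typically show SmartCardRequired as False and DomainControllerSeen as False, which is the cached-credential case described above.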
I’m teleworking and I’m attempting to login with my –PR (Privileged) account; however, I’m unable to login either with credentials or with my PIV card and PIN. What do I do?
Applicable fixes:
- If you have logged in in the past with your –PR (privileged) account: login with your PIV card and standard UserID account, open a command prompt (Start -> All programs -> Accessories -> Command Prompt). Issue this command at the prompt: gpupdate /force and press Enter. When the group policy update finishes, restart the system or log out and attempt to log back in with your –PR (privileged) account.
- If you have a VPN account, go ahead and establish a VPN session. After logging in with your PIV card and standard UserID account, lock your screen and Switch User. Then login with your PIV card and in the username hint box enter your privileged UserID.
- If you don’t have a VPN account, login with your PIV card and standard UserID account and contact the Service Desk or your local IT support for remote assistance by phone or BeyondTrust (Bomgar).
- If the matter is not urgent and can wait, then the next time you are in the office and on the DOI network login once with your PIV card (specifying your -PR account in the Username hints box) to cache your credential for future needs.
I’m attempting to login with Local Admin Credentials or an interactive service account on a machine with the TFA enforcement policy applied while I’m in the office, and I get this Windows message prompt. What should I do?

Applicable fixes:
- Login with your PIV card and your domain privileged account to perform administrative tasks.
- For COUAs only – In ADUC, add the system to the temporary security group –IGSU DI-TFA-Computer Exception TMP. Update Group Policy and restart. When the system comes back up you should be able to log back on with local admin account or the service account’s credentials. When you have finished performing the necessary tasks as this account, remove the system from the exception group.
- Remove the system from network temporarily, wait 15-20 minutes, then update group policy and restart. If it still does not allow you to login with local admin or service account, wait a few more minutes and try again.
Personal Identification Number (PIN) and Password:
A Personal Identity Verification (PIV) Personal Identification Number (PIN) is the number that you use with your card to validate that you are who you claim to be. The card and the PIN are legally binding! The PIN can be any 6 to 8 digits in length. PINs can ONLY be numbers. It is better to use a longer PIN if possible. Do not make the PIN a number associated with you or your family or one that can be easily guessed by finding out about you (e.g. date of birth, phone number, family dates of birth, etc.). If you use a birthdate or phone number, make it one of your favorite deli, rock star, movie star, or author, not directly traceable to you.
How do I change my PIN if I don’t remember it?
The only way to change the PIV PIN if you have forgotten it or are locked out is to go to one of the GSA or bureau hosted credentialing centers or light activation stations set up around the United States. Check with your bureau/office help desk for specific options. Click here for step-by-step instructions. Make a conscious effort to remember your PIN. Do not write it down anywhere, especially not on your PIV card. Make sure the PIN is not accessible to anyone else. You are legally liable for any actions taken with your PIV and PIN, so never lend it to other people or tell them the PIN. Treat it at least as securely as you would your driver’s license and debit/credit card and PIN.
How often do I have to change my PIN?
Never, unless you suspect it has been compromised. A few of the advantages of using your PIV card and PIN are that you only have to use numbers for your PIN and you never have to change your PIN unless you think it has been compromised. If you suspect someone else knows your PIN report it immediately and change it. You are legally liable for all actions taken with your PIV and PIN.
How many times can I try my PIN before I get locked out?
You have 6 tries to enter your PIN. After the 6th consecutive, unsuccessful attempt the card is locked permanently. See How do I change my PIN if I don’t remember it? for instructions on resetting the PIN. It is important to memorize the PIN and use your card regularly so that you don’t forget it.
Will a locked PIN get released after a period of time?
No. A locked (blocked) PIN does not automatically get released. However, locking the card/PIN does not lock your network account. You can contact the USGS Service Desk (servicedesk@usgs.gov or 703-648-HELP(4357)) for assistance with temporarily using a username and password until you get the PIN reset. However, the card itself is disabled until the PIN is reset. See How do I change my PIN if I don’t remember it? for instructions on resetting the PIN if your card becomes locked. It is important to memorize the PIN and use your card regularly so that you don’t forget it.
Is there a way I can test my PIN before attempting to logon to a computer or VPN?
Yes, go to https://wiki.doi.net/cardcheck/ to test.
If I know my DOIAccess PIN, can I change it without going to a GSA Credentialing Station?
Contact your local Card Management Sponsor to inquire if there is a local or nearby Light Activation Station. If none are available you will need to go to a GSA Credentialing Station.
Will I still have to remember my username and password?
For now, yes. If you remember to bring your PIV card to work, you will not have to use a login/password to login to the network. However, if you forget your PIV card you will need to remember your password to login to the network without your PIV card. This password will still have to meet the Department’s requirements for length, complexity, history and it will still have to be changed every 60 days. You will have to remember the passwords for non-PIV enabled applications like Quicktime, FPPS, etc. and any bureau specific applications that require passwords.
How do I change my AD password when I’m logged in with my smart card?
You can change your AD password by pressing CTRL ALT DEL, however the procedure is a little different now.
Windows 10:
- While connected to the DOI network, press CTRL ALT DEL and select Change a Password…
- The default selection will be to change the smart card PIN, which is disabled. Instead, click Sign-in Options.
- Click the button which will display the AD credentials you’re currently logged in with.
- Type in your current AD password, then type in your new password twice and click the button or press Enter.
You can also change your AD password by visiting https://ecomputing.usgs.gov/apps2/security/passwordportal
How do I change an expired AD password on a TFA enforced computer?
If your Active Directory password has expired you will see a message informing you that you must change your password before you can log on. If you know your current AD password, follow the steps below to change it. If you do not remember your password you will need to reset it.

Windows 10:
- When you are prompted with the message that “Your password has expired and must be changed…” click OK.
- Click the key icon under “Sign-in options” to switch to the username/password prompt.
- Type your username and current (expired) AD password then press Enter.
- You will see a message stating “Your password has expired and must be changed.” Click OK.
- At the next prompt enter a new password and type it a second time in the confirmation field then press Enter.
- You should receive confirmation that your password has been changed. Click OK.
- A message will then be displayed that “you must use a smart card to sign in.” Click OK.
- Click Switch User and select the icon displaying your smart card. Enter your PIN to logon.
How do I reset my AD password if I forgot it?
If you don’t remember your Active Directory password, you can reset it simply by using your smart card and visiting https://ecomputing.usgs.gov/apps2/security/passwordportal
Forgotten, Lost or Stolen Cards:
What happens if I forget my PIV card?
For short term non-PIV access, there will be an option to login to the network with the same password (changed every 60 days) that you currently login with. If you forget your PIV card one day, contact your local IT support or call the USGS Service Desk (servicedesk@usgs.gov or 703-648-HELP) for assistance.
What happens if my PIV card is lost or stolen?
You are legally liable for any actions taken with your PIV and PIN. A lost or stolen card is a security breach. Immediately report the card lost or stolen according to your local Card Management Sponsor or the USGS Service Desk (servicedesk@usgs.gov or 703-648-HELP(4357)) to initiate the termination of the card and to initiate a replacement card.
What happens if I can’t find my card?
This falls into two situations: one where you think you can find it, and a second where you have looked everywhere and are sure it is permanently lost.
If you have an idea of where your card is then contact your local Card Management Sponsor so that your card can be suspended and use alternative login procedures as described under What happens if I forget my PIV card? Once you find your card you will need to contact your Card Management Sponsor to have the card re-enabled.
If you are sure it is lost follow the steps under What happens if my PIV card is lost or stolen? If you have no chance of finding it, a card reprint (at a cost of $30 to your bureau) will be requested and your lost card will be terminated.
How do I find out who my card Sponsor is?
You can look up your sponsor in the DOIAccess App. If you still cannot locate your Sponsor, contact the USGS Service Desk (servicedesk@usgs.gov or 703-648-HELP(4357)) for further assistance.
Card Maintenance:
What happens if I have a name change?
The name change process for:
- Federal employees is through the Human Resources department. The employee completes an SF-50 and submits it to the local HR office.
- Contract employees is through the contract supervisor and their government Contracting Officer Representative (COR), who will contact the bureau USAccess Sponsor.
What happens if my card stops working?
- Verify card status by testing it at https://wiki.doi.net/cardcheck/ (to test, you must be on the internal network or VPN).
- Record, print or take a snapshot of the answer.
- Contact your local IT support or the USGS Service Desk (servicedesk@usgs.gov or 703-648-HELP(4357)) for further instructions.
Can an employee have more than one PIV card?
No, only one DOI PIV card is issued to each employee.
Certificate and Card Expiration:
A certificate is an encrypted text file, stored in the gold chip on each DOIAccess card. All PIV cards have more than one certificate on them and all certificates must be updated every three years. However, you may only see one certificate come up for selection when you use the card to authenticate to your system.
Why do I see multiple certificates when I login?
There are actually four PKI certificates and they are stored in an area on the credential called the PIV container. The PIV container is in the circuit chip visible on the front of the credential. The four certificates used for various functions are 1) Digital Signature, 2) Encryption, 3) PIV Authentication and 4) Card Authentication.
How do I reauthorize my certificate(s) before they expire?
If your email address is correct on the PIV card you will receive an email from HSPD12Admin@usaccess.gsa.gov notifying you that your certificates require re-authorization before they expire. Emails are sent at intervals 90, 60, 30, 15, 10, 5, 3, 2, and 1 day(s) prior to the expiration of the certificates. It is your responsibility to reauthorize your certificates before they expire. Check with your bureau help desk for options. Make the appointment the first time you receive the notice. DO NOT leave this to the last minute as it may be difficult to get an appointment on short notice.
What happens if my certificate expires?
The credential is terminated and will no longer work and you must contact your Card Management Sponsor.
When does my DOIAccess card expire?
The expiration date of the card is written on the front of the card. The certificates on the card expire and must be renewed every 3 years while the physical DOIAccess cards expire every 5 years and must be completely replaced. Do not leave either PIV certificate or PIV card renewal to the last minute.
Applications:
What applications will still require passwords?
Until they are PIV enabled, many applications still require use of login ID and password, including but not limited to:
- Quicktime
- FPPS
- Citrix
- Bureau specific applications that require passwords
Can Citrix or similar Virtual Desktop Environment (VDI) be used with PIV for remote access?
Citrix is one of the applications that will be PIV enabled in the future. Citrix is a remote access application that views screenshots of data and applications on servers inside DOI data centers. Some federal agencies have PIV enabled Citrix. Each bureau with Citrix farms will need to configure Citrix for PIV access as part of the 3-5 year plan to move all applications to PIV authentication.
When I login to Windows, will applications like SharePoint still use the ‘Use Current Logon Credentials’ feature that acts somewhat like single-sign-on?
Yes. Whether you use your PIV card or your username and password, the “pass through authentication” in SharePoint and similar applications and websites will not change as long as you are logged in from inside DOI facilities. From within DOI facilities DOIAccess credentials will continue to be passed to those sites/applications.
How does TFA affect BeyondTrust (Bomgar)?
During a support session, a support representative may need to operate with administrative rights in order to effectively troubleshoot the remote computer. If the client is connected to a DOI network, smart card credentials must be used. In order for the representative to pass his or her smart card credentials to the client, the Bomgar virtual smart card representative service must be installed on the representative’s computer. Likewise, the virtual smart card customer service must be installed on the client’s computer. All of these services must be installed prior to starting a support session. For more information see http://tst.usgs.gov/enterprise/bomgar-enterprise-remote-support/
Mobile Devices, Remote Access and VPN:
Can I use my personal equipment to remotely access the DOI network for work activities?
DOI’s Security policy and Control Family documentation explicitly prohibits external access (including the use of non-GFE (non-Govt. Furnished Equipment or Personally Owned Equipment)) to any DOI systems.
The use of personally owned devices to access internal O365 resources with your USGS.GOV account is prohibited, including, but not limited to:
- Microsoft Teams
- Outlook Email
- SharePoint
- Office.com app
The Department’s only authorized solution for receiving government email on a personally owned device is the MaaS360 Personally Owned Equipment (POE) Application Container. This container is an application installed on the user’s personal mobile device. It creates a separate encrypted, segregated operating space that allows the user to securely process government information.
When logging into VPN I get this error: “Invalid username or password. Please re-enter your user information.” Why?
The wrong username is being passed to the VPN when using your PIV Card. This typically indicates that either you are trying to use the wrong certificate or the PIV Card is not properly configured and may need to be updated in USAccess. Try another certificate and if that doesn’t work call the service desk.
If you are presented with multiple certificates and are unsure about which one to use, you can highlight one and click Click here to view certificate properties… to see what the certificate can be used for.
The following images show what the correct one will look like. The numerical sequence should match what is listed in the General tab as shown here:
It will also list ‘Digital Signature (80)‘ in the Key Usage information on the Details tab.
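To tell the four certificates apart (the certificate selection problem above, and the 3-year certificate expiry described under Certificate and Card Expiration), the following PowerShell is an added example (not from this page or from DOI/USAccess) that lists the card's certificates from the user's personal store with their role, UPN, key usage and days until expiry. It assumes Windows 10 with the card inserted; the role labels are derived from the PIV certificate profiles' EKU and key usage values and are a reading aid only.

```powershell
# Added example, not from the original USGS page. Assumes Windows 10 with the
# DOIAccess card inserted so its certificates are in Cert:\CurrentUser\My.
# Role detection follows the PIV certificate profiles (EKU / key usage); it is
# a reading aid, not an official DOI or USAccess check.
using namespace System.Security.Cryptography.X509Certificates

$EkuSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon
$EkuPivCardAuth    = '2.16.840.1.101.3.6.8'    # id-PIV-cardAuth (NIST SP 800-73)

function Get-PivCertificateInfo {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    $kuExt  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ku  = if ($kuExt)  { $kuExt.KeyUsages } else { [X509KeyUsageFlags]::None }
    $eku = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Order matters: the PIV Authentication certificate also carries the
    # Digital Signature key usage bit, so the EKUs are tested first.
    $role = if ($eku -contains $EkuPivCardAuth)        { 'Card Authentication' }
            elseif ($eku -contains $EkuSmartCardLogon) { 'PIV Authentication (logon / VPN)' }
            elseif ($ku -band [X509KeyUsageFlags]::KeyEncipherment) { 'Encryption' }
            elseif ($ku -band [X509KeyUsageFlags]::DigitalSignature) { 'Digital Signature' }
            else { 'Unknown' }

    # The UPN is in the Subject Alternative Name (OID 2.5.29.17) as "Principal Name=".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = if ($san) {
        [regex]::Match($san.Format($false), 'Principal Name=([^,\s]+)').Groups[1].Value
    } else { '' }

    [pscustomobject]@{
        Role       = $role
        UPN        = $upn
        KeyUsage   = "$ku"
        # The Details tab shows this bit as "Digital Signature (80)".
        HasDigSig  = [bool]($ku -band [X509KeyUsageFlags]::DigitalSignature)
        NotAfter   = $Cert.NotAfter
        DaysLeft   = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $Cert.Thumbprint
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-PivCertificateInfo -Cert $_ } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

The row labelled PIV Authentication is the one whose UPN must match the account name the VPN expects; a DaysLeft value inside the 90-day notification window is the cue to book the re-authorization appointment described above.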
How does a remote user cache their credentials after having their certs updated or receiving a new card?
After having the certificates on their card updated, a pc user should logon with their AD credentials and start a VPN session. Once connected to VPN, they can lock their computer and log back in with their PIV card or do a run-as and use the PIV card. This should cache their new credentials.
To immediately cache your password on a Windows 10 system while connected to vpn:
1. Right click on the Start Icon, and click RUN.
2. Type runas /smartcard cmd and then click OK.
3. A command window will open.
4. Enter your PIN when requested. As you enter your PIN, the prompt will appear blank as you are typing.
5. A new command window will open with your Smartcard cached. You may close this window after it pops up.
Need More Help?:
Who do I contact if none of these items answer my question?
Contact the USGS Service Desk:
servicedesk@usgs.gov
http://servicedesk.usgs.gov/
703-648-HELP(4357)