Skip to main content

Two-Factor Authentication (SecurID)

Description of two-factor authentication. How to request a software or hardware key fob. 

This article applies to: Managed Servers


Two-factor authentication is used to describe any authentication mechanism where more than one thing is required to authenticate a user. It is required to access servers in the Extra Tier and for some high-security applications.

Traditional authentication schemes used user name and password pairs to authenticate users. This provides minimal security, because many user passwords are very easy to guess.

Two-factor authentication requires:

  1. Something you know: A password.
  2. Something you have: A key fob. The key fob is a compact electronic device or software application which displays a number. By entering this number into the system when you attempt to authenticate (log in), you prove that you are in possession of the fob.

The number displayed by the fob changes frequently, usually every 30 or 60 seconds. The system which you are authenticating to knows the number which should be on your screen. If the numbers match and your password is correct, you are authenticated.

See Wikipedia T-FA for another definition.

Request a Key Fob

Hardware or software key fobs are available for people who need to log into servers in the Extra Tier and for some high-security applications.

Request a key fob: Area or unit managers send email to Systems Support at systems-support@cornell.edu. Include the name of the server or software application you're going to access.

  • The software key fob is the RSA SecurID Software Token software which runs on your iPhone, Android or Blackberry device. The application displays the one-time token code.
  • The hardware key fob is a small device, about the size of a USB drive which displays the one-time token code.

How to Set up a PIN: 

How does the key fob work? The key fobs have 6-digit displays which change on 60-second intervals. The 6-digit number may only be used once per authentication attempt (to avoid sniffing and replay attacks). In addition to the number displayed, the user must also use a 4-8 digit PIN, which is pre-pended to the number displayed. The PIN is set the first time the authenticator is used, and is known only to the owner of authenticator.

  • For key fobs: PIN is pre-pended to the number displayed. 
  • For soft tokens: PIN is entered into the app before your passcode is displayed. 

Was this page helpful?

Your feedback helps improve the site.

Comments?