Common MFA Prompts and Issues



This article pertains to SafeNet MFA mechanisms and their use on login nodes, JLab Web Single Sign-On, JLab VDI clients, and the Cisco VPN.

 

How Do I Sign In on MFA Systems?


 

Username: JLab CUE Username

Password: PIN associated with token, followed by OTP from token

 

Your username will be the same one you use for the 'jlab' wifi and jlab.org.

Your "password" will be the 6-8 digit PIN that you set for your token, followed by the 6-digit auto-generated OTP from your token. Do not put spaces, dashes, or any other characters between them.

 

MFA for Remote Access via a Terminal


 

For more info on connecting to ifarm and qcdi from the login nodes, please see this article.

 

Many of the prompts in this section will also appear in a variety of graphical login scenarios, but may be cut off or have altered error messages and behaviors. As this article is updated, more screenshots will be added, but in the meantime this section should help explain many cases beyond terminal logins.

 

Ordinary MFA password prompt

Login nodes, such as login.jlab.org's nodes, are one example of a JLab system which requires MFA.

What to do: Enter your token's 6-8 digit PIN, followed by the 6-digit OTP generated by your token.

Here, a user successfully authenticates using MFA when connecting to login.jlab.org via SSH.

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
                         J E F F E R S O N   L A B
 ------------------------------------------------------------------------------
 This computer is owned by the Federal Government or is connected to a
 network owned by the Federal Government.  It is for authorized use only.
 Users have no explicit or implicit expectation of privacy.

 Any or all uses of this system and all files on this system may be intercepted,
 monitored, recorded, copied, audited, inspected, and disclosed to authorized
 site, Department of Energy, and law enforcement personnel, as well as
 authorized officials of other agencies, both domestic and foreign. By using
 this system, the user consents to such interception, monitoring, recording,
 copying, auditing, inspection, and disclosure at the discretion of authorized
 site or Department of Energy personnel.

 Unauthorized or improper use of this system may result in administrative
 disciplinary action and civil and criminal penalties. By continuing to use
 this system you indicate your awareness of and consent to these terms and
 conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
 stated in this warning.
 ------------------------------------------------------------------------------
 Red Hat Enterprise Linux release 9.6 (Plow)

Last login: Thu Oct 30 15:49:06 2025 from 129.57.115.162
[user@login#]~%

 

'Please re-authenticate'

Sometimes, you may be prompted to "re-authenticate using the next response".

This happens because the OTP entered after your PIN was not the one expected at that time, but was one that would have been expected in the relatively recent past or near future. A technician will see this logged as "outer window authentication".

What to do: try entering your PIN again, followed by the next OTP available to you from your token.

On apps you might wait for the timer to end or press refresh/generate passcode, and on hardware tokens you will just tap the golden area again.

For example:

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Please re-authenticate using the next response: (here, the user tries again: <PIN><new OTP>)

 

Success

If the OTP happens to be correct upon re-authentication, the user will be let in, seeing something like this:

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Please re-authenticate using the next response: (here, the user tries again: <PIN><new OTP>)
                         J E F F E R S O N   L A B
 ------------------------------------------------------------------------------
 This computer is owned by the Federal Government or is connected to a
 network owned by the Federal Government.  It is for authorized use only.
 Users have no explicit or implicit expectation of privacy.

 Any or all uses of this system and all files on this system may be intercepted,
 monitored, recorded, copied, audited, inspected, and disclosed to authorized
 site, Department of Energy, and law enforcement personnel, as well as
 authorized officials of other agencies, both domestic and foreign. By using
 this system, the user consents to such interception, monitoring, recording,
 copying, auditing, inspection, and disclosure at the discretion of authorized
 site or Department of Energy personnel.

 Unauthorized or improper use of this system may result in administrative
 disciplinary action and civil and criminal penalties. By continuing to use
 this system you indicate your awareness of and consent to these terms and
 conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
 stated in this warning.
 ------------------------------------------------------------------------------
 Red Hat Enterprise Linux release 9.6 (Plow)

Last login: Thu Oct 30 15:49:06 2025 from 129.57.115.162
[user@login#]~%

Failure 

If the OTP is still not correct upon re-authentication, the user will be stuck at the login prompt, seeing something like this:

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Please re-authenticate using the next response: (here, the user tries again: <PIN><new OTP>)
(user@login.jlab.org) Please re-authenticate using the next response: (here, the user tries again: <PIN><new OTP>)

The CST Service Desk can help resolve this issue most effectively over the phone (757-269-7155) or in person (2nd floor F-Wing of CEBAF Center) 8am-4:30pm Monday-Friday. Technicians are able to attempt to resync your token or help you set up a new one which is in sync.
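
The inner-window/outer-window behaviour described in this section, as an added sketch for time-based tokens only (not SafeNet's or JLab's code): an OTP inside a small inner window is accepted, one that matches only in a wider outer window triggers the next-response prompt, and the following consecutive OTP resynchronizes the token. The 30-second step, the window sizes, the `Token` class and the constructed secret and PIN in the demo are assumptions.

```python
import hashlib
import hmac
import struct

STEP, INNER, OUTER = 30, 1, 10  # seconds per OTP; window sizes in steps (assumed)
NEXT = "Please re-authenticate using the next response:"


def totp(secret: bytes, counter: int) -> str:
    """6-digit RFC 6238 code (HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


def same(a: str, b: str) -> bool:  # constant-time comparison
    return hmac.compare_digest(a.encode(), b.encode())


class Token:  # server-side state for one token (hypothetical structure)
    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin = secret, pin  # PIN in clear only for brevity
        self.drift = 0        # learned clock offset of the token, in steps
        self.pending = None   # counter that matched in the outer window
        self.last_used = -1   # highest counter accepted so far (replay guard)

    def login(self, passcode: str, now: int) -> str:
        pin, otp = passcode[:-6], passcode[-6:]  # <PIN><OTP>, no separator
        pending, self.pending = self.pending, None
        if not same(pin, self.pin):
            return "Password:"
        base = now // STEP + self.drift
        for delta in sorted(range(-OUTER, OUTER + 1), key=abs):
            c = base + delta
            if c <= self.last_used or not same(otp, totp(self.secret, c)):
                continue
            if abs(delta) <= INNER or (pending is not None and c == pending + 1):
                self.drift, self.last_used = c - now // STEP, c  # resync, accept
                return "accepted"
            self.pending = c  # outer-window match: ask for the following code
            return NEXT
        return "Password:"


if __name__ == "__main__":
    key, tok = b"12345678901234567890", Token(b"12345678901234567890", "246810")
    for now in (1_700_000_000, 1_700_000_030):  # constructed: token 5 steps fast
        print(tok.login("246810" + totp(key, now // STEP + 5), now))
```

Re-entering the same OTP at the second prompt, instead of the next one, matches the outer window again and repeats the prompt, which is the failure case shown above.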

 

Passwords all the way down

If an incorrect PIN or OTP is entered, the user will be given another chance to enter a correct PIN/OTP combination.

What to do: try entering your PIN again, followed by the next OTP available to you from your token.

 

Ensuring it is the correct PIN: Each MFA token has a 6-8 digit PIN associated with it, which is distinct from the PIN for other MFA tokens, and distinct from SmartCard PINs. Any of these PINs could coincidentally be the same series of numbers, depending on what the user chose when setting the PIN. All of these PINs periodically expire (for MFA tokens, users are prompted upon login to change their PIN independently). 

 

Getting the next OTP: On apps you might wait for the timer to end or press refresh/generate passcode, and on hardware tokens you will just tap the golden area again. 

 

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Password: (here, the user tries again: <PIN><new OTP>) 
...
(user@login.jlab.org) Password: (here, the user tries again: <PIN><new OTP>) 

 

'Please respond to challenge'

JLab MFA tokens are event-based or time-based, so challenges are not supported for JLab tokens. If you see this prompt, it is most often caused by an incorrect username.

What to do: double check that you are using the correct username.

If you are using your correct JLab CUE username, please contact the CST Service Desk by emailing helpdesk@jlab.org, calling 757-269-7155, or visiting in person at the 2nd Floor F-Wing of CEBAF Center (8am-4:30pm Monday-Friday).

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Please respond to the challenge: ########
(user@login.jlab.org) Password: (here, the user tries again: <PIN><new OTP>)
... 
(user@login.jlab.org) Please respond to the challenge: ########
(user@login.jlab.org) Password: (here, the user tries again: <PIN><new OTP>)

 

PIN change prompt

JLab MFA tokens prompt for their PIN to be changed every 180 days or after being reset by an administrator. After the conditions for a PIN change are met, a PIN change prompt for the token will appear when the user attempts to log in using that token.

What to do: type a new 6-8 digit PIN, then press enter.

 

The PIN you type will appear in plain sight instead of invisible or obscured text, unlike most passwords.

If you get continuously prompted to set this PIN or have issues with it, please contact the CST Service Desk by calling 757-269-7155, or visiting in person at the 2nd Floor F-Wing of CEBAF Center (8am-4:30pm Monday-Friday).

> ssh user@login.jlab.org
(user@login.jlab.org) Password: (here, the user enters: <PIN><OTP>)
(user@login.jlab.org) Please enter a new PIN. (here, the user types a new 6-8 digit pin, then presses enter)

 

MFA on JLab Web Single Sign-On


 

Ordinary Login Procedure

On the JLab Web Single Sign-On page, click the link "Click here to use a multi-factor authentication method".

[Screenshot: JLab Web Single Sign-On Entrance]

 

Then, choose the SafeNet MFA mechanism: "Log In with a SafeNet/MobilePass token"

[Screenshot: MFA Mechanisms]

 

For "Username", enter your JLab CUE username.

For "OTP Token", enter your MFA token's PIN, followed by its 6-digit OTP.

[Screenshot: entering PIN and OTP]

 

PIN change prompt

JLab MFA tokens prompt for their PIN to be changed every 180 days or after being reset by an administrator. After the conditions for a PIN change are met, a PIN change prompt for the token will appear when the user attempts to log in using that token.

What to do: in the 'Response' box, type a new 6-8 digit PIN, then press login.

 

The 'Username' should be your normal JLab CUE username.

The JLab Web Single Sign-On page will display two messages when prompting for a PIN change. The "Login Failure: OtpChallenge" message can be ignored as JLab tokens do not support challenges.

If you get continuously prompted to set this PIN or have other issues with it, please contact the CST Service Desk by calling 757-269-7155, or visiting in person at the 2nd Floor F-Wing of CEBAF Center (8am-4:30pm Monday-Friday).

 

 

 

 

 

 

Acronyms

Variations on terms used here, to help with search results: 2FA, multi-factor authentication, two factor authentication, 2 factor authentication