What is a Token?

RSA is a multi-factor authentication (MFA) technology that is used to protect network services. The RSA authentication mechanism consists of an assigned hardware or software "token" that generates a dynamic authentication number code at fixed intervals. Users provide the unique number code when logging into a protected service from any network outside the State network.

For any questions regarding using RSA for working remotely, please discuss with your supervisor or refer to your agency's policy.

Requesting an RSA Token

Which RSA Token is right for you?

To request an RSA Token, go to https://mytoken.ny.gov to be directed to the Self-Service Console.

Enter your email address ([email protected]) in the User ID box.  Click Ok. 

Choose your Authentication Method by selecting Password from the dropdown, then click the Log On button.

Enter your Office365 Password (this is the same password you use to log onto your computer and email) and select Log On.

Click the Set-Up link to set up your Security Questions. Setup is a prerequisite to token approval.

Please answer the five security questions (answers are not case sensitive). Select "Submit Your Request." Security questions allow you to unlock your account without assistance and provide future verification of user authentication.

Select "Request a new Token." 

Software Token
  1. Choose "Software Token" from the drop-down menu. 
  2. Select the radio button next to the operating system that powers your phone. The RSA token can be imported to an Android or iPhone. Your specific Service Desk can assist in determining your operating system. Users should choose a token profile that begins with the word "Enterprise" followed by their device operating system.
  3. After selecting your device, scroll down to create a PIN for your token. A PIN must be 8 numeric characters, cannot start with a zero, and cannot be a consecutive sequence, either forward or backward. For example, you should not use 12345678 or 87654321.
  4. Include a reason for the request (e.g., "I have a new phone" or "I need this for remote access").
  5. You will receive confirmation once your request is successfully submitted. 
Hardware Token
  1. Choose "Hardware Token" from the drop-down menu. 
  2. Enter a reason for the request (e.g. "I need this for remote access").
  3. Create a PIN for your token. A PIN MUST be 8 numeric characters.
  4. Confirm the shipping address for the token is accurate. Make any changes necessary to ensure on-time delivery of your token. If you are in a multi-story building, please include a floor and room number.
  5. Your Hardware Token request is complete when you receive confirmation your request is submitted. 
  6. Once your token request is approved, you will receive an email notification from [email protected] advising you of your token status. Please retain this email until you receive your token. The enablement code will be required to activate your token. 

Call the ITS Service Desk at 1-844-891-1786 to validate your identity. Once your identity is validated, a ticket will be opened to have the token approved.

How To's

Software Tokens
Using RSA to Access Secure Email via Outlook Web Mail 
  1. Go to https://login.microsoftonline.com. Enter your work email address to be directed to the Single Sign-On page.
  2. Enter your work email address and password. Click "Sign In."
  3. Open the RSA app on your mobile device and enter your personal identification number (PIN) when prompted. Your mobile device will generate an eight-digit token code. Enter the eight-digit token code when prompted.
  4. You are now connected to your Outlook Web Mail.
Using RSA to Access Secure Email via the Microsoft Outlook App 

First-time software token users are required to install the Microsoft Outlook App on mobile devices and add your email account (refer to Steps 1 and 2). Users who have already installed the Microsoft Outlook App should proceed to Step 3.

  1. Install the Microsoft Outlook App on your mobile device. Note: Android device users may be prompted to create an 8-digit personal identification number (PIN) when installing the App.
  2. Enter your work email address and click Add Account.
  3. Enter your work email address and password. Click Sign In.
  4. Open the RSA app on your mobile device and enter your personal identification number (PIN) when prompted. Your mobile device will generate an eight-digit token code. Enter the eight-digit token code when prompted.

Note: Once the app is installed and your email account has been added, you will occasionally be prompted to re-enter your credentials and RSA token code to access email via the app. Refer to steps 3 and 4.

 

Hardware Tokens
Enabling Your Hardware Token and Setting Your PIN
  1. Once you have your hardware token, open the email notification you received from [email protected]. If you misplaced or deleted this email, contact the Enterprise Service Desk or your agency's Service Desk for assistance.
  2. Verify that the serial number in the email matches the serial number on the back of the token you received. Your token serial number is the 9-digit number on the back of your RSA hardware token. It can also be found in the self-service console by clicking view details next to the token image. Note: If the number on the back of the RSA hardware token does not match the serial number listed in the email, you will need to notify your specific Service Desk.
  3. Click on the token enablement link listed in the email notification to go directly to the Self-Service Console. Enter your User ID (your work email address), the enablement code identified in the email, and your token serial number. Click OK.
  4. You will receive a message stating that your token is ready to use. Click OK.
  5. Click "Create PIN." 
  6. Create a new personal identification number (PIN) that is 8 digits in length. All PINs MUST be 8 digits, and PINs cannot start with a zero (0). Click "Save."
Using RSA to Access Secure Email via Outlook Web Mail 
  1. Go to https://login.microsoftonline.com. Enter your work email address to be directed to the Single Sign-On page.
  2. Enter your work email address and password. Click Sign In.
  3. Enter your RSA personal identification number (PIN) followed by the token code. Do not put any spaces or dashes between your PIN and the token code.
  4. You are now connected to your Outlook Web Mail.
Using RSA to Access Secure Email via the Microsoft Outlook App 
  1. From the App Store on your mobile device, install the Microsoft Outlook App. Note: Android device users may be prompted to create an 8-digit PIN when installing the App.
  2. Enter your work email address and click "Add Account."
  3. Enter your work email address and password.  (This is the same email you use to log onto your work computer.) Then click "Sign In."
  4. Enter your RSA passcode. This number is your personal identification number (PIN) followed by the dynamic token code found on your hardware token. Do not put any spaces or dashes between your PIN number and the token code.

Note: Once the app is installed and your email account has been added, you will occasionally be prompted to re-enter your credentials and RSA token code to access email via the app. Refer to steps 3 and 4.

Common Questions and Troubleshooting

What is a PIN?

A PIN (Personal Identification Number) is created by the user to log in to the RSA system to access the token. A PIN is 8 digits and does not start with zero.

What if I changed or forgot my PIN?

If you forget or need to change your PIN, log into the Self-Service Console using your email address and password, then click "Troubleshoot" and select "I forgot my PIN." At the next screen, enter your new PIN and confirm.

What is a Token Code?

For a software token (e.g., the RSA app), your token code is the eight-digit number generated after entering your PIN on the RSA app. On your software token, the token code refreshes every sixty seconds. If you have difficulty logging in after providing the token code, ensure the correct PIN was entered.

Your hardware token generates a random, six-digit number every sixty seconds. Your token code in this case is your PIN followed by the generated number (the six random digits) from the hardware token, with no spaces between them.

What is Multi-Factor Authentication (MFA)? 

Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login.

How do I request a new token?

Log in to https://mytoken.ny.gov using your NYS email and password, then refer to the “Requesting an RSA Token” section above for the steps on requesting a token.

Should I use a hardware or software token? 

Software tokens are the preferred method. 

How do I troubleshoot my PIN?

You may test to see if you remember the correct PIN by going to the Self Service Portal at https://mytoken.ny.gov. Log in using your email address and password, click "Test," then follow the onscreen instructions.

I got a new phone; how do I request a new token?

Users should not request a new token if they have a previously assigned software token on their old phone.

Instead, users can have the token from their old phone redistributed to their new phone. Call the NYS Helpdesk at 844-891-1786, and after proper verification, the NYS Helpdesk or appropriate Zone Tech can redistribute the token to the user's new phone.

I am locked out of my RSA account, what do I do?

Go to https://mytoken.ny.gov/, and do not log in. Click on "Troubleshoot RSA Token." Enter your email address and answer the identifying questions. Upon submission of correct answers, your RSA account will no longer be locked.

What is "Next Token Code Mode" and what do I do about it?

After entering too many incorrect passcodes, you may be required to enter a next token code. If using a software token, wait and then enter the next available token code shown. If using a hardware token, wait and then enter the next available token code shown (random 6 digits). Do not enter your PIN + the token code.

How do I return an expired or no longer needed Hardware Token?

By Interagency Mail:
Agencies or individuals using interagency mail should return hardware tokens to the following address:

Attn: RSA Admins
6 Empire State Plaza Swan St Bldg  
Core 3, Floor 2, Rm 236B
Albany, NY 12223

By Regular US Postal Service Mail:
Agencies or individuals not using interagency mail should return tokens to the following address:

Attn: RSA Admins
P.O. BOX 2062
Albany, NY 12220

RSA App Icon

The RSA Token application has been rebranded, and the application and its icon have changed (see image below).

Old Icon: SecurID Icon
New Icon: RSA Icon

If you have any questions regarding the rebranded RSA application token icon, please contact the ITS Service Desk directly through ITSM or email [email protected].

Training Materials