Skip Navigation Links
Homeland Security Presidential Directive 12

Home Newsroom Help Contact Us
Credentialing Centers
Using Your LincPass
What Is Two-Factor Authentication?
Authentication can be based on what you know, such as a password or a PIN, what you have, such as a LincPass, or what you are, such as biometric data (like a fingerprint). “Two-factor authentication” means using two of these authentication methods (LincPass + PIN) to increase the assurance that you are authorized to access USDA systems. Due to the inherent security risks in mobile computers, USDA is making implementation of two-factor authentication for laptops a priority.

How To Use Your LincPass

As part of ensuring national security, Homeland Security Presidential Directive 12 (HSPD-12) mandates that Federal agencies screen their employees and contractors and issue credentials —“smartcards”— that meet National Institute of Standards and Technology (NIST) guidelines by October 2008. In USDA, the smartcard is called a LincPass. NIST’s term is “personal identity verification” or PIV card.

PIN: Personal Identification Number, 6 to 8 digits, which you choose and enter when you first activate your LincPass. Your PIN allows you to access and use your card; your card allows you access to the network. (Any temporary PINs that come to you via email must be changed when the LincPass is first issued.)

Card reader: A device built in, added, or connected (e.g., via USB port) to your computer that reads smartcards.

Card reader software: The client application installed on your local computer that integrates the card with your agency’s network.

HSPD-12 enabled account: A user account on an agency network that is integrated with HSPD-12 and enterprise services. Your agency will notify you when network accounts have been enabled for LincPass use.

UPN: User Principal Name. Used by agency networks as the user ID for HSPD-12 enabled accounts.

Two-factor authentication: Authentication can be based on what you know, what you have, or who you are in the agency. “Two-factor authentication” means using two of these authentication methods (LincPass + PIN) to increase the assurance that you are authorized to access USDA systems.

LincPass enrollment station: A fixed enrollment station is a permanent location with a GSA-provided computer, equipment, and operator who handles enrollment and activation of USDA LincPass cards (also handles PIN resets). Mobile enrollment stations are temporarily assigned to a series of locations for the purpose of enrolling staff, but cannot handle PIN resets.

HSPD-12 Security Officer: The person designated by your agency with responsibility for responding to LincPass security-related events, such as lost or stolen cards, card suspension & activation, etc.

Network credentials: The user ID and password you use to access your agency’s domain without a LincPass.

Certificates: Encrypted sets of electronic credentials loaded on your LincPass.

Your LincPass is your new USDA personal identity verification card. This page explains how to use your card and PIN to access and protect USDA network and computer resources.
This page includes:
What You’ll Need to Start
Everyday Use
Caring For Your LincPass
LincPass Issues
LincPass Maintenance
ActivIdentity Client Card Reader    Software
Where to Go for Help

What You’ll Need to Start
• LincPass (USDA’s smartcard)
• Card reader and drivers installed on your    computer
• Card reader software installed on your    computer
• HSPD-12 enabled account on your agency’s    network

Everyday Use

Logging In
1. Start your computer.
2. When the Windows login message box    appears,

insert your card in your computer’s card reader.


3. Click OK at the “government system” warning. In the login dialog box, enter your 6- to 8-digit PIN.

After you log in, an ActivClient icon in the Windows system tray (lower right) will tell you whether or not the card is being read.
Card In: Card Out:

Locking & Unlocking Your Computer
By default, removing the LincPass from the reader will automatically lock the workstation. However, your agency’s network policies dictate the process for locking and unlocking your computer. Your agency will provide you with more detailed information. Don’t forget to take your card with you when you leave your workstation.

Logging Off Your Computer
From the Windows Start menu, click “Shut Down” (or “Log Off [username]”), then follow the standard procedure for Windows.

TIP: Don’t remove the LincPass while shutting down the computer because the automatic “lock workstation” or “log off user” feature will override the shutdown procedure. Wait until the computer sequence is finished before removing your card.

Caring for Your LincPass
Your LincPass is intended to last 5 years and is an expensive and time-consuming process to replace if lost or damaged. You should guard your card the way you do your driver’s license or house key. Protect it from excessive heat or cold, scratches, bending, and magnets. Also, some types of plastic badge holders will degrade the ink on the face of the card, so only use approved badge holders or those provided by your agency.
If you notice your card reader is damaging your card, get your card reader replaced — it’s much less expensive than the card. A LincPass is considered government property and must be shown to security personnel upon request and surrendered upon employee or contractor termination.

NOTE: Get in the habit now of taking your LincPass with you whenever you leave your desk, since your LincPass may soon be your official ID for building or office access. Until your location’s access control is integrated with HSPD-12, you may need to carry both your LincPass and your building access card.

LincPass Issues
Forgot LincPass
If you don’t have your LincPass (but it’s not lost or out of your control), during the transition period, you can log into your network using your network credentials until you have your LincPass again. Remember to follow the procedures described above in the LincPass vs. Network Credentials section. Once the LincPass is required and you forget to bring it, follow your agency’s policy on gaining temporary access.

Forgot PIN / Blocked PIN
If you make 6 unsuccessful attempts in a row to type your PIN, it is automatically locked and will need to be reset. If you forget your PIN, you must first lock it by making 6 unsuccessful attempts. To get your PIN unlocked, take your LincPass to the nearest activation station and ask to have your PIN unlocked. Depending on the location, you may need to make an appointment first. The activator will ask you to verify your fingerprint (to ensure the card belongs to you), and to enter a new PIN.

Change PIN
If you currently do not know your PIN and want to reset it, please book an appointment at the nearest Fixed Center or Light Station and perform a PIN reset at the station.

If currently know your PIN and would like to change it, use the ActivIdentity ActivClient. You can access the PIN Change Tool from the Start > Programs > ActivIdentity > ActivClient| menu, or from the ActivClient user console, which is available from the same menu or by double-clicking on the ActivClient icon in your system tray.

Lost/Stolen LincPass
Report your lost/stolen LincPass to your designated HSPD-12 Security Officer,
who will suspend or revoke your card depending on the circumstance. If you find your card within 1-10 days, take it to your designated Security Officer to reactivate it. After that time, if you don't find it, the Security Officer will revoke the card and you will have to re-enroll for a new LincPass. Use your network credentials in the interim until your new card arrives and is activated. If your building’s physical access control system uses a LincPass for access, you may also need to request a temporary or visitor’s card to get into your work location.

If you find someone else’s LincPass, give it to your HSPD-12 Security Officer, who will either get it to the right person or send it to the “Return to” address on the back of the card.

Change to Visible Information on LincPass
If information about you that appears on the face of your LincPass changes, (e.g., you change your name), first notify your sponsor, who will request a new card, then give your current (now revoked) card to your Security Officer for proper disposal. You will have to go through the enrollment process again. Use your network credentials in the interim until your new LincPass arrives and is activated. If your building’s physical access control system uses a LincPass for access, you may also need to request a temporary or visitor’s card to get into your work location.

Damaged LincPass
If your LincPass is damaged (e.g., melted, bent, etc.), give it to your HSPD-12 Security Officer, who will revoke the card and ask your sponsor to mark in the HSPD-12 system that you need a new card. Your card will have to be reprinted, meaning you will have to use your network credentials in the interim until your new card arrives and is activated. If your building’s physical access control system uses a LincPass for access, you may also need to request a temporary or visitor’s card to get into your work location.

Employment Status Change and Your LincPass
If your employment status changes from active to suspended, the HSPD-12 system will receive the status change and automatically suspend your LincPass.

When an applicant’s employment status in the HR system changes from “suspend” to “terminate,” the HSPD-12 system automatically revokes the LincPass. Give the LincPass to the designated HSPD-12 Security Officer for proper disposal.

If a former employee returns to employment status in the HR system (terminate to active), the newly activated employee will need to be sponsored for a new LincPass and go through the enrollment (if greater that two years from previous sponsorship) and activation process again.

LincPass Maintenance

Certificate Renewal and Reissuance
Your LincPass has certificates loaded on the chip (the part that makes the card a “smart” card), including an authentication certificate and a digital signature certificate. The certificates on your LincPass are only valid for a fixed period of time and have an expiration date, after which you will no longer be able to use them to access USDA systems, digitally sign documents, or receive encrypted email. Please note that the certificates on your LincPass may have an expiration date that is earlier than the date printed on you’re the face of your card. You’ll receive an email from the HSPD-12 USAccess system of the need to update your LincPass certificates. The email will provide instructions on how to renew certificates.

You may be asked to update your LincPass certificates because:
• They are about to expire.
• The Digital Certificate needs to be added.
• The information in the certificates needs to be corrected (i.e. Work Email Address)

LincPass Renewal
Your LincPass will expire 5 years after the issue date (the expiration month and year are shown on the face of your card). Two months prior to your Card Expiration Date, please contact your sponsor and request that a Card Renewal action be triggered in the system on your behalf. Once triggered, you will be notified via email from the HSPD-12 USAccess system and the email will give you instructions your next steps. You’ll keep your old LincPass until your new one arrives and is activated, then turn in your old card to your designated HSPD-12 Security Officer for disposal.

Re-enrollment is not required during the 5 year renewal, but is required for the 10-year renewal.

What to do after you update your LincPass certificates or receive a new LincPass
After you renew your certificates or replace your LincPass, please see ‘Clearing Your Cache’ for instructions on updating your computer to use your new certificates.

ActivIdentity Client Card Reader Software
The ActivIdentity Client card management software enables your operating system to pass your card’s certificates through the network.

Access the user console by double-clicking the icon in the Windows system tray, or from the Windows Start menu, choose Programs | ActivIdentity | ActivClient | User Console.

From the console, you can see information about your card, the certificates on your card, change your PIN (as described earlier), and run the Troubleshooting Wizard, or the Diagnostics Tool.

When you double-click the My Certificates icon, you can see your card has four certificates: PIV Authentication Key (for accessing the network), Digital Signature Key (future use, for digitally signing emails and files), Key Management Key (future use, for encryption), and Card Authentication Key (for allowing the system to access the card).

NOTE: Your PIV Authentication Key stores the UPN associated with your card. Double-click the certificate’s icon, then go to the Advanced tab. Toward the bottom of the list, click on the “Subject Alternative Name” item. The window below displays a “Principal Name=” followed by your UPN, e.g., 12001234567890@FEDIDCARD.GOV

Where to Go for Help
Follow your agency’s instructions and policies for getting help on issues related to daily use of your LincPass. This is usually your agency’s IT Help Desk.

You may also contact the HSPD-12 Help Desk at 1-833-682-4675 or

For general USDA Two-Factor Authentication information, visit

Two-Factor Authentication References & Resources
Download these PDF documents for reference or to print your own Two-Factor Authentication flyers: USDA will be expanding LincPass card use for these services:
** These links are internal USDA links and can only be accessed from USDA networks.
  • Digitally sign documents and emails -- please click here updated!
  • Enterprise VPN for remote access -- please click here updated!
  • eAuth LincPass login is now fully functional for employees and contractors. For a list of FAQ's regarding your LincPass and eAuth, please visit us here.
Site Updated: 10/26/2020     
HSPD-12 Home | | Policies and Links
FOIA | Accessibility Statement | Privacy Policy | Non-Discrimination Statement | Information Quality | FirstGov | White House