Authentication can be based on what you know, such as a password
or a PIN, what you have, such as a LincPass, or what you are,
such as biometric data (like a fingerprint). “Two-factor authentication” means using
two of these authentication methods (LincPass + PIN) to increase
the assurance that you are authorized to access USDA systems. Due to the inherent security
risks in mobile computers, USDA is making implementation of two-factor authentication for laptops
Your LincPass is your new USDA personal identity verification card. This page explains how to use your card and PIN to access and
protect USDA network and computer resources.
TERMS & DEFINITIONS
As part of ensuring national security,
Homeland Security Presidential Directive 12 (HSPD-12) mandates that Federal agencies screen their employees and contractors and issue
credentials —“smartcards”— that meet National Institute of Standards and Technology (NIST) guidelines by October 2008. In USDA, the
smartcard is called a LincPass. NIST’s term is “personal identity verification” or PIV card.
: Personal Identification Number, 6 to 8 digits, which you choose and enter when you first activate your LincPass. Your PIN
allows you to access and use your card; your card allows you access to the network. (Any temporary PINs that come to you via email must
be changed when the LincPass is first issued.)
: A device built in, added, or connected (e.g., via USB port) to your computer that reads smartcards.
Card reader software
: The client application installed on your local computer that integrates the card with your agency’s network.
HSPD-12 enabled account
: A user account on an agency network that is integrated with HSPD-12 and enterprise services. Your agency
will notify you when network accounts have been enabled for LincPass use.
ame. Used by agency networks as the user ID for HSPD-12 enabled accounts.
: Authentication can be based on what you know, what you have, or who you are in the agency. “Two-factor
authentication” means using two of these authentication methods (LincPass + PIN) to increase the assurance that you are authorized to
access USDA systems.
LincPass enrollment station
: A fixed enrollment station is a permanent location with a GSA-provided computer, equipment, and
operator who handles enrollment and activation of USDA LincPass cards (also handles PIN resets). Mobile enrollment stations are
temporarily assigned to a series of locations for the purpose of enrolling staff, but cannot handle PIN resets.
HSPD-12 Security Officer
: The person designated by your agency with responsibility for responding to LincPass security-related
events, such as lost or stolen cards, card suspension & activation, etc.
: The user ID and password you use to access your agency’s domain without a LincPass.
: Encrypted sets of electronic credentials loaded on your LincPass.
This page includes:
• What You’ll Need to Start
• Everyday Use
• Caring For Your LincPass
• LincPass Issues
• LincPass Maintenance
• ActivIdentity Client Card Reader Software
• Where to Go for Help
• LincPass (USDA’s smartcard)
• Card reader and drivers installed on your computer
• Card reader software installed on your computer
• HSPD-12 enabled account on your agency’s network
1. Start your computer.
2. When the Windows login message box appears, insert your card in your computer’s card reader.
3. Click OK at the “government system” warning. In the login dialog box, enter your 6- to 8-digit PIN.
After you log in, an ActivClient icon in the Windows system tray (lower right) will tell you whether or not the card is being read.
By default, removing the LincPass from the reader will automatically lock the workstation. However, your agency’s network policies
dictate the process for locking and unlocking your computer. Your agency will provide you with more detailed information. Don’t forget
to take your card with you when you leave your workstation.
From the Windows Start menu, click “Shut Down” (or “Log Off [username]”), then follow the standard procedure for Windows.
TIP: Don’t remove the LincPass while shutting down the computer because the automatic “lock workstation” or “log off user” feature
will override the shutdown procedure. Wait until the computer sequence is finished before removing your card.
Your LincPass is intended to last 5 years, and replacing it if lost or damaged is an expensive and time-consuming process. You should
guard your card the way you do your driver’s license or house key. Protect it from excessive heat or cold, scratches, bending, and
magnets. Also, some types of plastic badge holders will degrade the ink on the face of the card, so only use approved badge holders or
those provided by your agency.
If you notice your card reader is damaging your card, get your card reader replaced — it’s much less
expensive than the card. A LincPass is considered government property and must be shown to security personnel upon request and surrendered upon employee or contractor termination.
NOTE: Get in the habit now of taking your LincPass with you whenever you leave your desk, since your LincPass may soon be your
official ID for building or office access. Until your location’s access control is integrated with HSPD-12, you may need to carry
both your LincPass and your building access card.
If you don’t have your LincPass (but it’s not lost or out of your control), during the transition period, you can log into your
network using your network credentials until you have your LincPass again. Remember to follow the procedures described above in the
LincPass vs. Network Credentials section. Once the LincPass is required and you forget to bring it, follow your agency’s policy on
gaining temporary access.
If you make 6 unsuccessful attempts in a row to type your PIN, it is automatically locked and will need to be reset. If you forget
your PIN, you must first lock it by making 6 unsuccessful attempts. To get your PIN unlocked, take your LincPass to the nearest
activation station and ask to have your PIN unlocked. Depending on the location, you may need to make an appointment first. The
activator will ask you to verify your fingerprint (to ensure the card belongs to you), and to enter a new PIN.
If you currently do not know your PIN and want to reset it, please book an appointment at the nearest Fixed Center or Light Station
and perform a PIN reset at the station.
If you currently know your PIN and would like to change it, use the ActivIdentity ActivClient. You can access the PIN Change Tool from
the Start > Programs > ActivIdentity > ActivClient menu, or from the ActivClient user console, which is available from the same menu
or by double-clicking on the ActivClient icon in your system tray.
Report your lost/stolen LincPass to your designated HSPD-12 Security Officer, who will suspend or revoke your card depending on the
circumstance. If you find your card within 1-10 days, take it to your designated Security Officer to reactivate it. After that time, if
you don't find it, the Security Officer will revoke the card and you will have to re-enroll for a new LincPass. Use your network
credentials in the interim until your new card arrives and is activated. If your building’s physical access control system uses a
LincPass for access, you may also need to request a temporary or visitor’s card to get into your work location.
If you find someone else’s LincPass, give it to your HSPD-12 Security Officer, who will either get it to the right person or send
it to the “Return to” address on the back of the card.
If information about you that appears on the face of your LincPass changes, (e.g., you change your name), first notify your sponsor,
who will request a new card, then give your current (now revoked) card to your Security Officer for proper disposal. You will have to
go through the enrollment process again. Use your network credentials in the interim until your new LincPass arrives and is activated.
If your building’s physical access control system uses a LincPass for access, you may also need to request a temporary or visitor’s card
to get into your work location.
If your LincPass is damaged (e.g., melted, bent, etc.), give it to your HSPD-12 Security Officer, who will revoke the card and ask
your sponsor to mark in the HSPD-12 system that you need a new card. Your card will have to be reprinted, meaning you will have to use
your network credentials in the interim until your new card arrives and is activated. If your building’s physical access control
system uses a LincPass for access, you may also need to request a temporary or visitor’s card to get into your work location.
If your employment status changes from active to suspended, the HSPD-12 system will receive the status change and automatically
suspend your LincPass.
When an applicant’s employment status in the HR system changes from “suspend” to “terminate,” the HSPD-12 system automatically
revokes the LincPass. Give the LincPass to the designated HSPD-12 Security Officer for proper disposal.
If a former employee returns to employment status in the HR system (terminate to active), the newly activated employee will need
to be sponsored for a new LincPass and go through the enrollment (if greater than two years from previous sponsorship) and activation
Your LincPass has certificates loaded on the chip (the part that makes the card a “smart” card), including an authentication
certificate and a digital signature certificate. The certificates on your LincPass are only valid for a fixed period of time and have
an expiration date, after which you will no longer be able to use them to access USDA systems, digitally sign documents, or receive
encrypted email. Please note that the certificates on your LincPass may have an expiration date that is earlier than the date printed
on the face of your card. You’ll receive an email from the HSPD-12 USAccess system notifying you of the need to update your LincPass
certificates. The email will provide instructions on how to renew certificates.
You may be asked to update your LincPass certificates because:
• They are about to expire.
• The Digital Certificate needs to be added.
• The information in the certificates needs to be corrected (i.e. Work Email Address)
Your LincPass will expire 5 years after the issue date (the expiration month and year are shown on the face of your card). Two
months prior to your Card Expiration Date, please contact your sponsor and request that a Card Renewal action be triggered in the
system on your behalf. Once triggered, you will be notified via email from the HSPD-12 USAccess system and the email will give you
instructions on your next steps. You’ll keep your old LincPass until your new one arrives and is activated, then turn in your old card
to your designated HSPD-12 Security Officer for disposal.
Re-enrollment is not required during the 5-year renewal, but is required for the 10-year renewal.
After you renew your certificates or replace your LincPass, please see ‘Clearing Your Cache’ for instructions on updating your
computer to use your new certificates.
The ActivIdentity Client card management software enables your operating system to pass your card’s certificates through the network.
Access the user console by double-clicking the icon in the Windows system tray, or from the Windows Start menu, choose Programs |
ActivIdentity | ActivClient | User Console.
From the console, you can see information about your card and the certificates on it, change your PIN (as described earlier), and
run the Troubleshooting Wizard or the Diagnostics Tool.
When you double-click the My Certificates icon, you can see your card has four certificates: PIV Authentication Key (for accessing
the network), Digital Signature Key (future use, for digitally signing emails and files), Key Management Key (future use, for encryption),
and Card Authentication Key (for allowing the system to access the card).
NOTE: Your PIV Authentication Key stores the UPN associated with your card. Double-click the certificate’s icon, then go to the
Advanced tab. Toward the bottom of the list, click on the “Subject Alternative Name” item. The window below displays a “Principal Name=” followed by your UPN, e.g., 12001234567890@FEDIDCARD.GOV
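The same UPN lookup, combined with the certificate expiration dates discussed earlier, can be done from PowerShell. This is an added example, not USDA or ActivIdentity code; it assumes the card's certificates have been copied into your Windows Personal certificate store, that Windows displays the field in English as "Principal Name=", and the 60-day warning window is a constructed value.

```powershell
# Added example: list certificates in the current user's Personal store that
# carry a UPN in the Subject Alternative Name extension, and show how long
# each one remains valid. Certificate dates can be earlier than the date
# printed on the face of the card, so check them here rather than on the card.

$sanOid   = '2.5.29.17'   # OID of the Subject Alternative Name extension
$warnDays = 60            # constructed threshold for the "RENEW SOON" status
$now      = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Find the SAN extension; certificates without one cannot hold a UPN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san) { continue }

    # Format() renders the extension as the same text the certificate
    # dialog shows, e.g. "Other Name: Principal Name=<UPN>".
    $text = $san.Format($true)
    if ($text -match 'Principal Name=(?<upn>[^\s,]+)') {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $warnDays) { 'RENEW SOON' }
                  else { 'OK' }

        [pscustomobject]@{
            UPN      = $Matches['upn']
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

if ($report) {
    $report | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No certificate with a UPN was found in the Personal store.'
}
```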
Follow your agency’s instructions and policies for getting help on issues related to daily use of your LincPass. This is usually
your agency’s IT Help Desk.
You may also contact the HSPD-12 Help Desk at 1-833-682-4675 or USDAHSPD12HELP@dm.usda.gov.
For general USDA Two-Factor Authentication information, visit http://hspd12.usda.gov/twofactor.htm.
Download these PDF documents for reference or to print your own Two-Factor Authentication flyers:
USDA will be expanding LincPass card use for these services:
** These links are internal USDA links and can only be accessed from USDA networks.
- Digitally sign documents and emails -- please click here
- Enterprise VPN for remote access -- please click here
- eAuth LincPass login is now fully functional for employees and contractors. For a list of FAQ's regarding your LincPass and eAuth, please visit us here.