Multi Factor Authentication Procedure

I. Update and/or Verify Account Notification Information

Users need to ensure that their "Account Notification Information" is up-to-date before OTP tokens can be generated. Account Notification Information is the contact information provided by employees to the Lab that consists of a non-LBL email address and a mobile phone number. Berkeley Lab utilizes this information to contact employees regarding important account notifications and Lab alerts.

    1. Open a browser to
    2. Select the link, "I would like to change my notification information"
    3. Enter your Berkeley Lab Identity credentials if you aren't already logged in
    4. Confirm that the button for "Only update my notification information" is selected and update your non-LBL email address and mobile phone number. At this time you may also opt in to Berkeley Lab emergency alerts by checking the box.
    5. Click the "Save" button

II. Set up MFA Tokens

Software Token Via Google Authenticator

Install Google Authenticator on a mobile device such as an iPhone, iPad, Android, or Chromebook. See Install Google Authenticator on Mobile Device for detailed instructions.

Please note that if you install Google Authenticator on your personal or Lab-issued mobile device, Lab security policy requires that the device be configured to use a lock screen (PIN, pattern, fingerprint, face ID, etc.).

Hardware Token Via Yubikey and/or Privileged Tokens

Berkeley Lab provides Yubikey OTP tokens for MFA for Windows, Web-based single sign-on, Lawrencium, and HRIS. 

Feitian tokens are provided for privileged server access. Very few users will need one of these.

Device Type: Yubikey
Description: This is a USB device that generates one-time passwords utilized in conjunction with Berkeley Lab Identity credentials to authenticate and provide access to standard Berkeley Lab resources such as email, calendar, LETS, etc.
Support URL: YubiKey for Multi Factor Authentication

Device Type: Feitian Epass 2003
Description: This is a USB device that stores an encrypted certificate that is unlocked with your Privileged L4 password. Once unlocked, the presence of this certificate and your official Berkeley Lab credentials for the L4 gateway server provide access to restricted management applications and servers.
Support URL: Multi Factor Authentication for Privileged Server Access

A help ticket must be submitted to request one or both of these hardware authentication devices. All users will need to provide two proofs of identity, such as your Berkeley Lab badge and a California Driver's License or Passport. Once a hardware authentication device is issued, the user will be required to complete the MFA for Berkeley Lab Enrollment Confirmation form.


Berkeley Lab is currently implementing voluntary MFA for web-based Single Sign On for access to resources like email, calendar, LETS, etc. Personnel must have at least one registered token (Google Authenticator or Yubikey) before opting into MFA. Once a token has been obtained, a user can opt in to MFA by selecting the checkbox "Opt-in to MFA" on

IV. Manage my Tokens

LBL MFA tokens can be managed here: You can use this site to add, delete and modify your tokens. You may want to bookmark this site in case you need to re-sync your Yubikey in the future.