Frequently Asked Questions

• What if I lose my LincPass?
• What if my LincPass is stolen?
• How is the computer logging me on when I have no network or internet connectivity?
• What if I login with my network credentials (user name and password), then insert my LincPass after I’ve logged in?
• What if I insert my LincPass and never get the PIN prompt?
• What if I receive the message “The card supplied was not recognized. Please check that the card is inserted correctly, and fits tightly.”
• What if I find someone else’s LincPass?
• What do I do if I still have my old LincPass?
• What happens if I forget my PIN?
• What if I get the message “The system could not log you on. An incorrect PIN was presented to the smart card”?
• What if I get the message “The system could not log you on. The smart card is blocked”?
• Where can I go for help?
• As an HR Representative, when I make an employment status change, how does this impact the LincPass?
• As an Adjudicator, when I make an Adjudication change, how does this impact the LincPass?
• During the transition period, if I have both network credentials and a LincPass, will the network password aging policy still be in effect? What if my network credential password expires and locks my account before I use it again?
• Are the certificates on the LincPass linked to my profile?
• We have an account on a standalone special-purpose computer (e.g., it’s attached to a special printer) that is connected to the network. Can I use my LincPass + PIN to log into this computer?
• Will I have to change my 6- to 8-digit PIN as often as I had to change my 12-character complex password?
• My LincPass was lost/stolen/damaged. Do I have to go through the whole enrollment process again?
• If I lock my workstation by removing my LincPass card from the reader, and I have applications still open or am running a process, what happens to the application or process?
• If I’m at my desk and my LincPass is in the reader, but my computer becomes locked because of inactivity, how do I get the PIN prompt to appear?
• Can I use my LincPass + PIN to log on to someone else’s computer?
• In the middle of shutting down or logging off my computer, I removed my LincPass from the reader, and it locked the workstation instead of continuing with the shut-down or log-off process. Why did it do that?
• As a system administrator, I need to log into other people’s computers as part of my job. How will I do that with the LincPass?
• I share a computer with another employee. Can I use my LincPass + PIN?
• When my network account is HSPD-12 enabled, will I get a new account on my local computer that shows the UPN instead of my name?
• During the transition period when both my LincPass + PIN and my network credentials are active, if I don’t have my LincPass, I can still access the network using my network credentials. After the transition period, and the LincPass is required, how will I access the computer if my LincPass is forgotten/lost/stolen?
• As a system administrator, I need to log into other people’s computers as part of my job. How will I do that with the LincPass?

• Immediately report the lost LincPass to your Security Officer. The Security Officer will suspend the LincPass in the USAccess System.
• During the transition period, during which time both your LincPass + PIN and your network credentials are active, you'll be able to log in with your network credentials (user name and password) if you don't have your LincPass.  After the transition period, your agency will provide instructions for what to do in this case.

• Immediately report the stolen LincPass to your Security Officer. The Security Officer will terminate the LincPass in the USAccess System.
• During the transition period, during which time both your LincPass + PING and your network credentials are active, you'll be able to log in with your network credentials (user name and password) if you don't have your LincPass.  After the transition period, your agency will provide instructions for what to do in this case.
  

• Your computer now caches your network credentials so you can log in without being connected to a USDA network or the Internet. When your account becomes HSPD-12 enabled, your computer will cache the same type of information to allow you to use your LincPass + PIN and your network credentials are active, you'll be able to log in to your computer with your network credentails (user name and password) if you don't have your LincPass.

• Nothing will happen in terms of the login. The ActivIdentity ActivClient software will show that a card has been inserted and you can access resources that require a LincPass.

• Verify that the LincPass is correctly inserted in the card reader. If the chip never makes contact, the PIN prompt will not appear.

• Verify that the LincPass is correctly inserted (right side up and facing the correct direction) in the card reader.   

7.  What if I find someone else’s LincPass?  FAQ

• Give the LincPass to your Security Officer as soon as possible.

• USDA employees can only have one active LincPass at a time. Activation of a new LincPass will automatically permanently disable your old one, so give it to your Security Officer for proper destruction.

• If you make 6 unsuccessful attempts in a row to type your PIN, it is automatically blocked and will need to be reset. If you forget your PIN, you must first block it by making 6 unsuccessful attempts (otherwise, the system doesn’t recognize that the PIN needs unblocking). To get your PIN unblocked, take your LincPass to the nearest HSPD-12 activation station and ask to have your PIN unblocked. Depending on the location, you may need to make an appointment first. The activator will ask you to verify your fingerprint (to ensure the card belongs to you), and to enter a new PIN.

• This means that you entered the wrong PIN for your LincPass. The system allows you 6 attempts at your PIN before it is blocked and you must go through the PIN unblock process.

• This means that you have locked your LincPass because of 6 wrong attempts at your PIN. You must follow the PIN unblock process.
  

• If you have further questions, please contact your Agency's Help Desk for assistance.

     Given the following definitions:

• A= Active employment, includes vacation time, short-term disability, short-term leave
• S= HR suspension or employment, long term leave, long term disability, sabbatical
• T= Resigned, retired, deceased, fired, etc.

     Active to Suspend

• a. HR updates employment status from active to suspend in HR system
• b. This systematically suspends the LincPass
• c. End user keeps possession of LincPass
• d. Impact: LincPass is suspended and user cannot use LincPass login until it is reactivated
• e. If employee does not return, see ‘Suspend to Terminate’

     Active to Terminate

• a. HR updates employment status from active to terminate in HR system
• b. This systematically terminates the LincPass
• c. Impact: LincPass is terminated and destroyed and user no longer has LincPass

     Suspend to Terminate

• a. HR updates employment status from Suspend to Terminate in HR system
• b. This systematically terminates the LincPass
• c. Impact: LincPass is terminated and destroyed and user no longer has LincPass

     Suspend to Active

• a. HR updates employment status from Suspend to Active in HR system
• b. This systematically reactivates the LincPass
• c. Impact: LincPass is re-activated and user can use LincPass.

     Terminate to Active

• a. HR updates employment status from Terminate to Active in HR system
• b. Requires new sponsorship for LincPass
• c. Impact: user gets a new LincPass

     Terminate to Suspend

• a. No user impact (no LincPass exists and no LincPass will be re-issued.)

      FBI Adjudication change – negative result

• a. Adjudicator changes result to negative
• b. Impact: LincPass will be terminated

      NACI Adjudication change – negative result

• a. Adjudicator changes result to negative
• b. Impact: LincPass will be terminated

• Your agency's network (Active Directory) will continue to enforce the 60-day password aging rule during the transition period when both network credentials and LincPass credentials are active methods for accessing your agency's network. If you don’t get warnings about changing your password and it expires before you can change it, Agency policy dictates what happens, such as the account is automatically locked. Follow the current process you use for getting your network password reset, e.g., contacting your system administrator, CS representative, or IT specialist.

• For Active Directory, the profile is linked to both your LincPass certificate and your network credentials. If the session is started with the LincPass certificate, then continued (after workstation lock) with the UPN and network password, the session is the same. If the session is started with the network credentials, then continued (after workstation lock) with the LincPass certificate, the session is different. (If you’re a system administrator, see also Question 24, I’m a system administrator and need to log into other people’s computers as part of my job. How will I do that with the LincPass?)
• For other applications or services, the answer is "it depends." If the application or service has been integrated with HSPD-12, and it knows what to do with certificates, then it will probably be tied to the application or service's profile. If the application or service hasn't been integrated with HSPD-12, it will completely ignore the certificate, and you'll log in with an ID and password or whatever other method you use now.

• Yes, as long as the computer connects to the domain that has your HSPD-12 enabled account, and the computer has a working card reader and the ActivClient software.

• Unknown at this time. The solution will require research on the technical end and security and business policy decisions to be made. Your Agency will provide you with instructions once the procedures have been implemented

• Yes, as required by HSPD-12 procedures, you’ll have to take two forms of ID and have your photo and fingerprints taken again. In the interim, you can use your network credentials to access your computer and the network.

• The lock workstation behavior is exactly the same with the LincPass + PIN as it is when using network credentials. Removing the card is the same as pressing Ctrl+Alt+Del and selecting “Lock Computer.”

• If your computer is locked and the card is still in the reader, pressing a key or moving the mouse will bring up the “workstation is locked” message on the screen. To get the PIN prompt to appear, you have to pull the card out enough for the reader to lose contact with the card’s chip, then reinsert the card again.

• Yes, if the computer has a working card reader and the ActivClient software, and you’re connecting to the same domain. It might take a little longer the first time you do this, as the operating system is creating a new profile behind the scenes.

• The ActivClient software is designed to watch for card-removal events and lock the workstation** when it happens. If the operating system is in the process of shutting down or logging off, it may not have yet shut down the ActivClient “watcher,” and it overrides the shutdown/log off process. The solution is to wait until the computer is completely off or you see the system message that the procedure is complete before removing the card.

• Using Two-Factor Authentication for system administrator accounts is still being researched. For the interim, system administrators will continue using the network accounts they use now for system administrator functions, and their LincPass for ordinary end-user operations on their own computer. Using Two-Factor Authentication in cases where you have multiple Active Directory accounts in the same domain is also still being researched. (See also Question 16, Are the certificates on the LincPass linked to my profile?)

• Yes, if the computer has a working card reader and the ActivClient software. During the transition period, you can use your LincPass + PIN or your network credentials to log on, and the other person can do the same. If you get your LincPass and an HSPD-12 enabled account before the other person, s/he can still continue to log on with network credentials until s/he gets a LincPass.

• No, the account on your local computer doesn’t change. Behind the scenes, the UPN (User Principal Name) replaces the data in the Subject Alternative Name field, but the record still also maintains the original network credential (e.g., firstname.m.lastname) information.

• Unknown at this time. The solution will require research on the technical end and security and business policy decisions to be made. Your Agency will provide you with instructions once the procedures have been implemented.

• Using Two-Factor Authentication for system administrator accounts is still being researched. For the interim, system administrators will continue using the network accounts they use now for system administrator functions, and their LincPass for ordinary end-user operations on their own computer. Using Two-Factor Authentication in cases where you have multiple Active Directory accounts in the same domain is also still being researched. (See also Question 16, Are the certificates on the LincPass linked to my profile?)