Most Research Computing services, such as the FASRC high performance computing cluster or VPN, are protected by two-factor authentication — access requires providing a normal password and a time-dependent “verification code.” We use a package, built on open standards, that we call OpenAuth to provide the two-factor authentication. This replaces the system we formerly used, RSA SecurID.

NOTE: If you are taking a class where you have been given a generic account and token, please see the Manual OpenAuth page.


Please visit the following link, using your RC account username and password, to set up your account to work with OpenAuth:

Note: Clicking this link will cause an email to be sent to you. That email will contain a link to the OpenAuth install page with instructions, download links and your personalized token. The download link is valid for 24 hours.

  • This site will prompt you for your Harvard FAS Research Computing username and password. If you don’t yet have an account, you can request one here.
  • Since the site uses email verification to authenticate you, you must also have a valid email address on record with us.
  • All OpenAuth tokens are software-based. You will choose whether to generate your verification codes on a smartphone (the page will display a QR code for use in Google Authenticator [Android or iOS], or to allow display of the code in Duo Mobile [in addition to your Harvard Key code; these are two separate tokens]) or with the Java desktop app. A Java runtime is required for the desktop app to function (see the Java install help page).

Once you complete the quick steps in the above site, you’ll be all set to use OpenAuth. You may also revisit that site in order to set up your token on an additional device (you’ll still be able to use your original device, too).

Having Trouble after setting up your token?

Please keep in mind the revoke link if you ever lose the device with your token or otherwise insecurely handle your token and need to start over with a new one.
If you need to set up on a new phone or computer, just re-do the steps above. You only need to revoke a token if your device is lost or stolen or your token stops working.
For additional OpenAuth troubleshooting, including time synchronization, please see here.
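
Why time synchronization matters for a time-dependent verification code, as an added example (not FASRC's or OpenAuth's own code). It assumes the token follows RFC 6238 TOTP with the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits), which this page does not state; the function names and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    # The moving factor is the number of whole steps since the Unix epoch.
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks the offset.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1, step=30):
    """Return the step offset at which `code` matches, or None.

    `window` is how many steps of clock drift the server tolerates in each
    direction (an assumed policy; real servers choose their own value).
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * step, step, len(code))
        if hmac.compare_digest(expected, code):
            return drift
    return None


# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    device_time = 59                      # the device's (possibly wrong) clock
    code = totp(SECRET, device_time)
    for skew in (0, 30, 300):             # seconds the device runs behind the server
        result = verify(SECRET, code, device_time + skew)
        status = "rejected" if result is None else f"accepted at step offset {result}"
        print(f"device {skew:>3}s behind server: {status}")
```

A device clock that is off by more than the tolerated window produces codes that are valid for a different time step, so the server rejects them even though the token itself is fine.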

© The President and Fellows of Harvard College
Except where otherwise noted, this content is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.