Instructions on How to Install and Register a Two Factor Authentication Token

This document will guide you through the process of replacing your current physical token (key fob) with a “soft token” by downloading and registering the Symantec VIP Access application (“app”) on your mobile device (phone or tablet). VIP Access is a mobile app that allows your mobile device (phone or tablet) to generate the One‐Time Password (OTP) used to access FSA sites including Citrix. Both the physical token and soft token provide the same high level of online security.

PLEASE READ THE ENTIRE DOCUMENT BEFORE PROCEEDING

Important Notes:

  • The TFA soft token app (VIP Access) can be installed on your GFE or personally owned mobile device (phone or tablet).
  • Before proceeding, find out if your device is supported by the Symantec ID Protection software VIP Access). VIP Access is available for the ED‐issued Windows Phone and most iOS, Android, Windows, BlackBerry, and BREW‐enabled devices. Visit from your computer to confirm that your device model is listed.
  • Once you switch to a soft token, your physical token will be deactivated. You cannot use both a physical token and a soft token at the same time.
  • We recommend using Wi‐Fi if possible when downloading the VIP Access app to your phone. Carrier charges may apply for download and activation. A mobile data plan with Internet access is required. FSA is not responsible for any data charges incurred when downloading the app. Once activated, using the VIP Access app does not transfer any data to or from your mobile device.

Step 1 – Download and install the VIP Access app

  1. On your mobile device, go to
  2. If you don’t see the option to download the app, visit from your computer for additional download options.
  3. Click “Download Now”.
  4. Download and install the app on your mobile device.
  5. Open the VIP Access app.
  6. Click “Yes” or “I Agree” to accept the license agreement and activate the VIP Access app.
  7. Continue to Step 2 – Register your soft token credential.

Step 2 – Register your soft token credential for use with your ED account

Note: You must be outside the ED Network to register your soft token.

  1. Be sure you have your mobile device available before starting the registration process.
  2. Using a PC or laptop (not your mobile device) that is accessing the internet from outside the ED network, go to the login screen of the application you want to access.
  3. FSA Citrix –
  4. GoToWork –
  5. Anywhere.ED.gov –
  6. Fpass –
  7. Click “Register/Maintain Token.”
  8. Enter your User Name and Password, and click “Log On.”
  9. On the Self Service Menu, select “Replace and register new token” and click “Submit.”
  10. Select “Replaced” from the drop down menu and click “Submit.”
  11. On your mobile device, open the VIP Access app.
  12. Enter the Credential ID displayed on the screen in the Serial Number field. The Credential ID is VSMT or VSTZ followed by 8 digits, e.g., VSMT12345678 or VSTZ12345678
  1. Reenter the Credential ID in the Confirm Serial Number field and click “Submit.”
  2. Synchronize your token by entering two consecutive Security Codes: first, enter the Security Code displayed on the screen.
  3. Wait until the Security Code changes, and then enter the new Security Code displayed on the screen. Click “Submit.”
  4. When the “Success” message is displayed, your soft token is associated with your FSA ID and is ready for use. Close your browser and then open a new browser window to log in.
  5. Continue to Step 3 – Use your soft token to access ED/FSA systems
  6. Keep your physical token in case you need to switch back to a hard token.

Step 3 – Use your soft token to access ED/FSA systems from outside the ED network

  1. Using a PC or laptop (not your mobile device), go to the login screen of the application you want to access:
  2. FSA Citrix –
  3. GoToWork.ed.gov –
  4. Anywhere.ED.gov –
  5. Fpass –
  6. Enter your User Name and password.
  7. On your mobile device, open the VIP Access app.
  8. Type the Security Code displayed on the screen in the Security Code field (Note: Each security code is valid for 30 seconds. You can see the time remaining in the security code window.)
  9. Click “Log On” and your login will be completed.