Activate Multi-Factor Authentication for Your RDS Secure Website Account Now

Beginning in mid-2019, CMS' RDS Center will implement a Multi-Factor Authentication (MFA) login requirement to access the RDS Secure Website, mandated by updated Federal security policy requirements. In the near future, the RDS Secure Website will require all users to enter a time-sensitive unique token to access the RDS Secure Website, in addition to their RDS Login ID and Password. In preparation for this requirement, each RDS Secure Website account must first have MFA activated prior to this time. CMS' RDS Center will communicate the start date of the MFA login requirement once it is available.

Multi-Factor Authentication (MFA), also known as two-step or two-factor authentication, is a security enhancement that allows you to provide two pieces of evidence, or "factors", to confirm your identity when logging in to your RDS Secure Website account. These credentials fall into two categories: something you know (i.e., your Login ID and Password) and something you have (i.e., your personal device). MFA helps protect you, your organization, and your retirees by adding an additional layer of security to your account, making it harder for someone else to log in as if they were you.

CMS' RDS Center has implemented Google Authenticator as the independent token generation software for the RDS Secure Website. Google Authenticator is a free application that is available for download to an iOS or Android device.

When MFA is adopted later this year, CMS' RDS Center will also be implementing a one-time access token that can be sent to you via email or text (SMS) message in the event that your RDS MFA device is lost, damaged, or not working, and you are unable to reset your MFA configuration and need immediate access to the RDS Secure Website. Consequently, you will be prompted to provide a text-enabled device number to CMS' RDS Center during the MFA Activation process. Providing a text-enabled device number is optional. However, if you do not register a text-enabled device with your RDS user account, a one-time token cannot be provided to you via text (SMS) message.

Note: CMS' RDS Center will provide Plan Sponsors additional information, including the start date, prior to implementing the MFA login requirement in the RDS Secure Website. The one-time token feature is visible within the Secure Website but is inactive until MFA is required to log in.

In preparation for this new security initiative, the RDS Program Website and RDS Secure Website have been modified to allow all registered users to activate MFA for their user accounts now, before it will be required to log into the site later this year.


  • MFA may only be activated on one device at a time per user account.
  • You must have completed Registration and have received the user account confirmation email before activating MFA.
  • Activation only needs to be completed once for each new Secure Website account, unless you are setting up a new device or you need to reset your current MFA configuration.
  • Once MFA is activated for your account, it may be modified if needed. Refer to MFA Reset Instructions for guidance.
  • Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information. Do not share the QR code, Secret Key, Google Authenticator token, one-time token or any other account information with anyone. Activate your MFA configuration with your own personal device, not the device of another person.

Please review the additional important information, including step-by-step instructions, in the new RDS User Guide section Multi-Factor Authentication.

Watch a short step-by-step video on how to activate your Multi-Factor Authentication.

If you need more information, please contact CMS' RDS Center.