SAMS

Quick Reference Guide - What is One-Time-Password (OTP) and how

to use it

The ‘AMS One-Time-Password’ feature can only be used by employees and contractors of the U.S.
Department of Health and Human Services (HHS) or one of its offices or agencies (example CDC, NIH, OIG etc.)
who have a valid and active HHS AMS account. AMS cannot be used by external partners (non-government
users) to access CDC protected applications.

This guide has been designed to provide HHS users accessing SAMS with a high level overview of
1.0 the ‘AMS One-Time-Password’, also called OTP, feature.

This Guide Covered:

 1.0 – OTP overview FAQs
 2.0 – OTP setup
 3.0 – OTP login process for access to SAMS protected applications
 4.0 – SAMS setup authentication

Please note: This document was designed as a quick reference guide to help users login to AMS
and access a SAMS protected CDC application. For more detailed information about AMS please
visit https://ams.hhs.gov/amsApp/help/AMSHelp.html. For additional information about SAMS
please visit https://sams.cdc.gov and login to access the ‘Links’ section on the SAMS Partner
Portal.

1. One-Time-Password (OTP) Overview/Introduction

What is OTP?
The HHS Access Management System (AMS) supports a service called OTP that HHS users
accessing applications protected by SAMS can use. OTP is basically a single use, randomly
generated password valid for one login session on a computer. For a user attempting to
authenticate, this temporary password is delivered by text message to a mobile phone previously
registered within the AMS system. After receiving the unique password via text the user enters
this information into the AMS system in order to authenticate.

What are the benefit of using OTP?

 OTP streamlines the user authentication process for people accessing SAMS protected
applications on mobile phones and tablets. On a mobile phone the ability to use an HSPD-
 12 PIV card for authentication is not possible however using OTP a user can still
authenticate and access approved applications.
 OTP can be used in situation where a PIV card reader is not available or cannot be
conveniently used.
 OTP can be used in situation where a user does not have their HSPD-12 PIV card available
but still requires access to a SAMS protected application.

What are the requirements necessary to use OTP for access to a SAMS protected application?
 HHS staff must have an active HHS AMS account, been issued an HSPD-12 PIV card that
has been inducted into the HHS AMS system, and know their PIV card PIN.
 OTP requires users register their mobile phone number in the AMS system before the
service can be used.
 The OTP service is not available across all mobile providers. As such an appropriate
provider must be selected, the user’s mobile phone must be capable of receiving texts,
and fees associated with the receipt of text messages may apply.

Please note: The requirements outlined above are explained in greater detail later in this
document.

2.0 OTP Setup (phone registration)

Good To Know…
To use the OTP feature in AMS it must first be setup. We recommend that all HHS staff using
SAMS setup their OTP account as soon as its convenient. This setup can happen before you are
invited to SAMS assuming you are already an active AMS user. This will ensure, even if you
don’t immediately need to use the OTP feature, its setup whenever you do.

1. Log into AMS at https://ams.hhs.gov using your HSPD-12 PIV card (typically thought of as your
badge) by clicking on the “Login” button in the left panel under “HSPD-12 Access Cards.”
Please note: Despite two additional login options being available DO NOT use them as you must
authenticate using your PIV card to setup OTP.

2. On your AMS homepage, select the “My AMS Profile” tab. In the secondary menu that
appears the “View My Profile” tab will be selected by default. If you have already registered a
mobile device it will be displayed here as your ‘Mobile Number’. If this field is blank complete
the OTP setup.

3. To begin the Mobile device registration, click on the ‘Mobile Registration’ sub-tab
4. Select your ‘Mobile Carrier” by selecting the appropriate carrier from the drop-down list and
enter your phone number following the format specified to the right of the field.

5. Click “Register”. The AMS system will generate a one-time-password that will be sent to your
mobile device via text message. You should receive the text message just seconds after
clicking the ‘Register’ button.
 6. Enter the OTP you received via text message into the text field and click the “Submit” button.

7. If correctly entered, you will receive a registration confirmation window. To complete the
registration process, click “Continue” on the confirmation screen pop-up notice. This will
return you to the AMS homepage.

You can now use OTP to access SAMS protected CDC applications using the AMS OTP option
to authenticate.

3.0 Accessing a SAMS protected application using OTP

Good To Know…
Electronic Authentication, or e-Auth, refers to the process of establishing a confidence in a
electronic user’s identity. As the e-Auth level assigned to an application increases, for example
between e-Auth Level 1 and 2, the need to trust the user who is accessing the application also
increases. This is important because it dictates the credentials that a user must use to login and
gain access.
As a general rule you can always use a higher credential to access a lower e-Auth rated
application. The opposite is not true.

Using your AMS credentials along with the AMS OTP option will allow HHS staff to access e-
Auth level three AMS protected applications. This can be particulary helpful in situations where
access is needed but the HHS PIV card cannot be used – mobile login, while on personally
owned equipment (POE) etc.
1. Visit SAMS at https://sams.cdc.gov or go directly to your application using the published
application specific URL. Depending on the method you will see two different login pages.

If you visit https://sams.cdc.gov you will see the main SAMS login page:

If you visit your e-Auth Level three application URL directly you will see the SAMS Level
3 login page:
2. As an employee of HHS or one of its agencies (for example the CDC) select the HHS staff
option to login using AMS One Time Password (OTP). Depending on your access method
you will see the following:

Screen 1 (select PIV login on AMS screen for authentication)

Or Screen 2 (this will be presented on the SAMS level 3 login page)

3. Following the selection of the OPT login option on the SAMS homepage you will be
presented with the standard AMS login screen. Three options will be presented including
the ability to use your HHS PIV card for access. In order to use OTP do not login to AMS
using your PIV card. Instead you must login using either your AMS credentials (if
configured) or your AMS credentials. You may need to setup your AMS Credentials if not
already configured using the ‘First-time AMS User’ link.

4. Following your authentication using the username/password option associated with your
“Network Credentials” or “AMS Credentials” an OTP password will be automatically
delivered to your AMS registered cell phone via text message.
 5. Enter the OTP you received via text message into the text field and click the “Submit”
button.

6. If correctly entered you will be passed to your SAMS protected application or taken to the
SAMS Partner Protal. Where you will go depends on the URL you origionally attempted to
access

Good To Know…
If you have problems authenticating to AMS or have AMS specific questions you will need to
escalate to AMS for support. Click the ‘Need Help?’ option on the AMS homepage. The SAMS
team and SAMS Helpdesk are unable to assist with AMS specific login issues.

4.0 Using the AMS Login for SAMS step-up authentication

At times, HHS staff who have already authenticated to SAMS, may be required to ‘step up’ and re-
authenticate for access to applications or roles that hold a higher e-Auth level rating.
For example, if a user initially authenticated against AMS to access a SAMS e-Auth level 2 rated
application but later required access to an e-Auth level 3 rated application during the same visit.
In this situation SAMS would force the user to re-authenticate using AMS before being allowed
access to the e-Auth level 3 resource.
The SAMS step-up page is shown below. This page still leverages AMS for authentication using
either the PIV or OTP options.
 Good To Know…
On the SAMS Partner Portal application links that require e-Auth level 3 credentials are
highlighted with an astrick (*) as seen in the screenshot below. Depending on how the user
logged in this might force step-up authentication when the link is selected.

For more information or assistance, please contact the SAMS Help Desk between the hours of 8:00 AM and
6:00 PM EST Monday through Friday (excluding U.S. Federal holidays) at the following:
Toll Free: 1-877-681-2901
Email: [email protected]