By December 4, 2017, all UMD faculty members (including GAs) and campus leaders (including deans, directors, department heads, and above) must use multi-factor authentication to log into all university resources that use the Central Authentication Service (CAS). You can opt in at any time, but on December 4, it will become required, and you will not be able to log in until you have enabled MFA.

What is multi-factor authentication?

Multi-factor authentication requires the use of two of the three authentication factor categories: something you know, something you have, and something you are. This adds a layer of security because hackers will need more than just a password to use your accounts. In order to log in, you will need:

  1. Your Directory ID and password
  2. Either a mobile device, a hardware token, a phone that can receive voice calls, or a one-time use code

Here's how to enroll in multi-factor authentication:

1. Enroll a device and a backup device/print one-time use codes

2. Enable multi-factor authentication for all CAS logins

This video shows the setup process for a mobile device:


Future MFA Requirements

Planning is in progress for requiring MFA for other UMD groups.

Tentative dates:

  • Emeritus Faculty: February 5, 2018
  • All Staff: March 5, 2018
  • Students: TBD

Frequently Asked Questions


All faculty members (including GAs) and campus leaders (including deans, directors, department heads, and above) when logging into systems that use the university’s Central Authentication Service (CAS).
December 4, 2017. However, you may enroll at any time before then.
  • G Suite for Education (Gmail, Drive, etc.)
  • ELMS
  • UMEG
  • Testudo
  • Any other system that uses CAS (Central Authentication Service)
UMD is using Duo as our multi-factor authentication solution. It is incorporated into CAS, and you will be able to use it to log in using mobile devices, hardware tokens, or one-time use codes. Get more information about how Duo works.
Yes. After self-enrollment, you will be able to manage your devices and methods using the device management console. To use the device management console, visit You will need to sign in with your Directory ID and password. Once logged in, click Manage Devices at the bottom of the page. For further information on how to manage your devices, visit Duo's website at
By default, every time you log into CAS. We strongly recommend you select the “Remember me for 24 hours” option in the Duo login. With that option selected, you will only need to authenticate with Duo once every 24 hours on each device or Web browser you use to log into CAS. Get instructions.
We highly recommend that you enable “Auto Push,” a feature that will automatically send a login verification to your mobile device after you enter your correct Directory ID and password in CAS. See our guide to enabling Auto Push.
The following devices should be supported: iPhone, iPad, Android phones and tablets, Windows phones and tablets, cellphones, and hardware tokens. To learn more about specific device support, visit
If you get a new device, you can add it to your list of devices using the device management console. You can do this while you still have your old device. If you no longer have your old device, you will need to remove it or have it removed by an administrator. Contact the IT Service Desk at 301.405.1500 for assistance.
If you lose your device or it is stolen and you have two or more devices enrolled, you can use the device management console to remove the one that is lost. If you only have one device enrolled, you will need to contact the IT Service Desk at 301.405.1500 to have the device removed by an administrator. You will need to undergo additional ID proofing steps to re-enroll.
Try using a different authentication method -- learn about the options at Multi-Factor Authentication Login Methods. If you still cannot log in, contact the IT Service Desk at 301.405.1500.
Yes. Graduate Assistants are classified as faculty, because they could potentially have access to grades.
We strongly recommend using the Duo mobile app on a mobile device for the best experience (the Push feature in the app makes logins a snap!). However, you also have the following options:
  • Enroll a phone that can receive voice calls and use Duo's callback feature.
  • Acquire a hardware token that you will need to keep with you. It will generate a single-use six-digit code every time you need to authenticate. Tokens are $20, and they can be purchased at Terrapin Tech (1221 McKeldin). Speak with your department’s business manager about whether your department will fund this purchase for you.
  • Generate one-time use codes.

To enroll using one-time use codes, please go to Terrapin Tech in person. A technician will assist you with enrollment and permissions to print one-time use codes (they will print the first 10 for you). Please remember to generate a new list of one-time use codes before you use your last code. If you run out of codes, you will not be able to log into systems utilizing CAS until you contact the Service Desk to verify your identity. See these instructions to print more one-time use codes. Please protect your codes like you would secure any other important personal information -- keep them in your wallet or in a safe and secure place.

We recommend you install the Duo app on a second device such as a tablet and enroll that device in Duo as well, or you can print a list of 10 one-time use codes, which are valid for 180 days. Please keep those codes in a safe location that only you have access to such as your wallet (but never with your password!). Get more information on how to generate one-time use codes.
If your device is not able to connect to the internet, you can still use the Duo Mobile app for MFA. In this case, you will need to enter a six-digit passcode instead of using a "Push." Get more details.