Multi-Factor Authentication (MFA)



By December 4, 2017, all UMD faculty members (including GAs) and campus leaders (including deans, directors, department heads, and above) must use multi-factor authentication to log into all university resources that use the Central Authentication Service (CAS). You can opt in at any time, but on December 4, it will become required, and you will not be able to log in until you have enabled MFA.

What is multi-factor authentication?

Multi-factor authentication requires the use of two of the three authentication factor categories: something you know, something you have, and something you are. This adds a layer of security because hackers will need more than just a password to use your accounts. In order to log in, you will need:

  1. Your Directory ID and password
  2. Either a mobile device, a hardware token, or a one-time use code


How do I start using multi-factor authentication?

1. Enroll a device and a backup device/print one-time use codes

2. Enable multi-factor authentication for all CAS logins


Frequently Asked Questions

Who does this multi-factor authentication requirement apply to?

All faculty members (including GAs) and campus leaders (including deans, directors, department heads, and above) when logging into systems that use the university’s Central Authentication Service (CAS).

When will I be required to use multi-factor authentication to log into CAS?

December 4, 2017. However, you may enroll at any time before then.

What major systems will I need to use multi-factor authentication to access?

  • G Suite for Education (Gmail, Drive, etc.)
  • ELMS
  • UMEG
  • Testudo
  • Any other system that uses CAS (Central Authentication Service)

Will this affect timesheets or ARES?

Not at this time.

How does the multi-factor authentication process work?

UMD is using Duo as our multi-factor authentication solution. It is incorporated into CAS, and you will be able to use it to log in using mobile devices, hardware tokens, or one-time use codes. Get more information about how Duo works.

Can I add multiple devices or methods?

Yes. After self-enrollment, you will be able to manage your devices and methods using the device management console. To use the device management console, visit You will need to sign in with your Directory ID and password. Once logged in, click Manage Devices at the bottom of the page. For further information on how to manage your devices, visit Duo's website at

How often will I need to use multi-factor authentication with CAS?

By default, every time you log into CAS. We strongly recommend you select the “Remember me for 24 hours” option in the Duo login. If you do, you will only need to authenticate with Duo once every 24 hours on each device or web browser you use to log into CAS. Get instructions.

Are there any tips for streamlining the multi-factor authentication process?

We highly recommend that you enable “Auto Push,” a feature that will automatically send a login verification to your mobile device after you enter your correct Directory ID and password in CAS. See our guide to enabling Auto Push.

What devices are supported?

The following devices should be supported: iPhone, iPad, Android phones and tablets, Windows phones and tablets, cellphones, and hardware tokens. To learn more about specific device support, visit

What if I get a new device?

If you get a new device, you can add it to your list of devices using the device management console. You can do this while you still have your old device. If you no longer have your old device, you will need to remove it or have it removed by an administrator. Contact the IT Service Desk at 301.405.1500 for assistance.

What if I lose my device?

If you lose your device or it is stolen and you have two or more devices enrolled, you can use the device management console to remove the one that is lost. If you only have one device enrolled, you will need to contact the IT Service Desk at 301.405.1500 to have the device removed by an administrator. You will need to undergo additional ID proofing steps to re-enroll.

What if I have trouble authenticating?

Try using a different authentication method -- learn about the options at Multi-Factor Authentication Login Methods. If you still cannot log in, contact the IT Service Desk at 301.405.1500.

I am a graduate assistant. Does this affect me?

Yes. Graduate Assistants are classified as faculty, because they could potentially have access to grades.

Do I have an option for multi-factor authentication if I don’t want to enroll a mobile device?

We strongly recommend using the Duo mobile app on a mobile device for the best experience (the Push feature in the app makes logins a snap!). However, you also have the option to acquire a hardware token that you will need to keep with you. It will generate a single-use six-digit code every time you need to authenticate. Tokens are $20, and they can be purchased at Terrapin Tech (1221 McKeldin). Speak with your department’s business manager about whether your department will fund this purchase for you.

If you do not wish to use a mobile device or purchase a hardware token, you can generate one-time use codes to use multi-factor authentication.

To enroll using one-time use codes, please go to Terrapin Tech in person. A technician will assist you with enrollment and permissions to print one-time use codes (they will print the first 10 for you).

Please remember to generate a new list of one-time use codes before you use your last code. If you run out of codes, you will not be able to log into systems utilizing CAS until you contact the Service Desk to verify your identity. See these instructions to print more one-time use codes.

Please protect your codes like you would secure any other important personal information -- keep them in your wallet or in a safe and secure place.

What do I do if I forget my mobile device?

We recommend you install the Duo app on a second device, such as a tablet, and enroll that device in Duo as well, or you can print a list of 10 one-time use codes, which are valid for 180 days. Please keep those codes in a safe location that only you have access to, such as your wallet (but never with your password!). Get more information on how to generate one-time use codes.

What if my mobile device can't get a network connection, such as if I'm in a dead zone on campus or traveling internationally?

If your device is not able to connect to the internet, you can still use the Duo Mobile app for MFA. In this case, you will need to enter a six-digit passcode instead of using a "Push." Get more details.

Is Duo accessible when using screen readers and other assistive technologies?

Yes, more information about Duo's accessibility options is at