Skip to main content

Multi-Factor Authentication (MFA)

Multi factor authentication guide.

MFA En Español

All UMD and University System of Maryland community members must use multi-factor authentication to log into all university resources that use CAS. Some major systems that use CAS are ELMS-Canvas, Payroll and Human Resources (PHR), Testudo, Terrapin Express, Box, and library services.

What is multi-factor authentication? Multi-factor authentication requires the use of two of the three authentication factor categories: something you know, something you have, and something you are. This adds a layer of security because hackers will need more than just a password to use your accounts. In order to log in, you will need:

  1. Your Directory ID and password
  2. Either a mobile device, a hardware token, a phone that can receive voice calls, or a one-time use code (this video playlist shows all of the methods in action)

Here's how to enroll in multi-factor authentication:

Step 1. Enroll a device and a backup device/print one time use codes:

Step 2. Enable multi-factor authentication for all CAS logins.


Multi-Factor Authentication set up process
Why we need Multi-Factor Authentication

Frequently Asked Questions (FAQs)

Yes, you are welcome to visit Terrapin Tech in 1221 McKeldin Library Monday through Friday between 8:30 a.m. and 4:30 p.m. for hands-on support or to contact the IT Service Desk at 301.405.1500 or for assistance.

All affiliates when logging into systems that use the university’s Central Authentication Service (CAS).

July 31, 2019 for affiliates. However, you may enroll at any time before then.

  • ELMS
  • Testudo
  • Terrapin Express
  • Payroll and Human Resources (PHR)
  • Box
  • MyDRL
  • MyUHC
  • Library services
  • Any other system that uses CAS (Central Authentication Service)

UMD is using Duo as our multi-factor authentication solution. It is incorporated into CAS, and you will be able to use it to log in using mobile devices, hardware tokens, or one-time use codes. Get more information about how Duo works.

Yes. After self-enrollment, you will be able to manage your devices and methods using the device management console. To use the device management console, visit You will need to sign in with your Directory ID and password. Once logged in, click Manage Devices at the bottom of the page. For further information on how to manage your devices, visit Duo's website at

By default, every time you log into CAS. We strongly recommend you select the “Remember me for 24 hours” option in the Duo login. Doing so will require that you only need to authenticate with Duo once every 24 hours on each device or Web browser you use to log into CAS. 

We highly recommend that you enable “Auto Push,” a feature that will automatically send a login verification to your mobile device after you enter your correct Directory ID and password in CAS.

The following devices should be supported: iPhone, iPad, Android phones and tablets, Windows phones and tablets, cellphones, and hardware tokens. To learn more about specific device support, visit

If you get a new device, you can add it to your list of devices using the device management console. You can do this while you still have your old device. If you no longer have your old device, you will need to remove it or have it removed by an administrator. Contact the IT Service Desk at 301.405.1500 for assistance.

If you lose your device or it is stolen and you have two or more devices enrolled, you can use the device management console to remove the one that is lost. If you only have one device enrolled, you will need to contact the IT Service Desk at 301.405.1500 to have the device removed by an administrator. You will need to undergo additional ID proofing steps to re-enroll.

Try using a different authentication method -- learn about the options at Multi-Factor Authentication Login Methods. If you still cannot log in, contact the IT Service Desk at 301.405.1500.

We strongly recommend using the Duo mobile app on a mobile device for the best experience (the Push feature in the app makes logins a snap!). However, you also have the following options:

  • Enroll a phone that can receive voice calls and use Duo's callback feature.
  • Acquire a hardware token that you will need to keep with you. It will generate a single-use six-digit code every time you need to authenticate. Tokens are $20, and they can be purchased at Terrapin Tech (1221 McKeldin).
  • Generate one-time use codes.

To enroll using one-time use codes, please go to Terrapin Tech in person. A technician will assist you with enrollment and permissions to print one-time use codes (they will print the first 10 for you). Please remember to generate a new list of one-time use codes before you use your last code. If you run out of codes, you will not be able to log into systems utilizing CAS until you contact the Service Desk to verify your identity. See these instructions to print more one-time use codes. Please protect your codes like you would secure any other important personal information -- keep them in your wallet or in a safe and secure place.

We recommend you install the Duo app on a second device such as a tablet and enroll that device in Duo as well, or you can print a list of 10 one-time use codes, which are valid for 180 days. Please keep those codes in a safe location that only you have access to such as your wallet (but never with your password!). Get more information on how to generate one-time use codes.

If your device is not able to connect to the internet, you can still use the Duo Mobile app for MFA. In this case, you will need to enter a six-digit passcode instead of using a "Push." Get more details.

Yes, more information about Duo's accessibility options are at

Back to Top