ITS Administrative Computing



System Overviews


Password Reset

Submit a service request online

MToken FAQ

What is an MToken?

An MToken is a small device that can fit on a key ring that displays a new six-digit tokencode once every minute. MTokens serve as the second factor in two-factor authentication. Two-factor authentication is comprised of something you know (your UMICH password) and something you have (your MToken).

What is a tokencode?

A tokencode is the six-digit number displayed on an MToken. It can be used only once and must be typed into the U-M Weblogin page with your uniqname and UMICH password (called Level-1 password at the U-M Health System) when logging into systems that require it. A tokencode displays for 60 seconds. You can see how much longer the tokencode will display by counting the number of bars to its left. Each bar displays for 10 seconds and then disappears.

How do I get an MToken?

If you have access to a system that requires two-factor authentication, you can obtain an MToken at an MToken Distribution Center. You need to provide your MCard to obtain your MToken.

When are the MToken Distribution Centers open?

View the MToken Help Desk and Distribution Center Web page for locations and hours of operation.

Can I borrow my coworker's MToken?

No, you cannot use anyone else's MToken. Your MToken is assigned to you and will work only with your uniqname and UMICH password (called Level-1 password at the U-M Health System).

How do I activate my new MToken?

You can activate your MToken online by following these steps.

Important: Do not initiate the activation process until you have an MToken.

When do I need to use an MToken?

An MToken must be used when logging in to a system that requires two-factor authentication. You must enter the tokencode displayed on your MToken each time you log in to any of these systems.

Faculty, lecturers, and graduate student instructors who have active appointments, as well as M-Reports users in select job families, are not required to use an MToken. They must check the I don't have an MToken checkbox each time they log in.

Exception: Faculty and instructional staff who previously received an MToken are required to enter a tokencode each time they log into any Two-Factor Authentication-enabled system. To remove the M-Token requirement for faculty in this situation, submit a request to the ITS Service Center.

All other U-M Web-based systems (for example, Student Business, Employee Self Service) currently require that you log in only with your uniqname and UMICH password. Individual units can choose to implement Two-Factor Authentication on their internal networks and systems.

When should I check the "I don't have an MToken" checkbox?

Instructional staff with access to Faculty Business in Wolverine Access must check the I don’t have an MToken checkbox each time they log in to Faculty Business. The checkbox is used only by instructional staff that are exempt from MToken restrictions when accessing two-factor-require systems.

I don’t have my MToken and I need to log in. What can I do?

If you previously set up Emergency Q&A Authentication, you will be able to acquire a Temporary Static Tokencode (TST) on the web. If you have not set up Emergency Q&A Authentication, please contact the ITS Service Center during business hours in order to obtain a TST. For instructions please see Emergency Access If You Forget Your MToken.

Exception: Temporary tokencodes cannot be used to access the MiChart Electronic Prescribing for Controlled Substances (EPCS) system used at the U-M Health System (UMHS). EPCS users can contact the Medical Center Information Technology (MCIT) Help Desk at (734) 936-8000 for assistance.

I lost my MToken. What do I do?

If you have lost your MToken, you will need to take certain steps to ensure the security of sensitive institutional data. Please see If You Lose Your MToken for more details. Your lost, broken, or expired MToken can be replaced at any MToken Distribution Center.

Can I take my MToken with me when I travel?

Yes, with very few exceptions. MTokens may not be transported or sent to embargoed nations identified by the federal government, pursuant to federal export control regulations.

  • The following nations are on the embargoed list as of December 2013:
    • Cuba, Iran, North Korea, Syria, Sudan
  • For general questions about export control regulations, see the ORSP FAQ.
  • If you have specific questions or need additional information, please contact the Office of Research and Sponsored Projects (ORSP) at or 734-764-5500 and ask to be connected with the Export Compliance Officer.

My tokencode isn't working. What could be wrong?

The following list will help you identify the problem:

  • Test your MToken to see if it is working correctly
    Go to the MToken Service Center, and click the Test Your MToken link. Follow the step-by-step process to see if your MToken is operating correctly. If it is not, contact the ITS Service Center.
  • You may have entered the same tokencode more than once
    A tokencode changes every 60 seconds and can be used only once. You must use a different tokencode every time you log into a system that requires Two-Factor Authentication. Refresh the page, wait for the numbers to change, and try again.
  • You may not have access
    You must request and be granted access to the appropriate systems using the Online Access Request System (OARS) before you will be able to log in. Once you have access, your MToken should permit you to log in.
  • Your MToken may be locked
    Contact the ITS Service Center to have your MToken reset.
  • Your MToken may be expired or broken
    MTokens work for about five years and then they must be replaced. The expiration date is visible on the back of your MToken, just above the serial number. If your MToken no longer displays a tokencode, it is either broken or expired. You can return your broken or expired MToken and receive a new one at any MToken Distribution Center.

How can I return an MToken?

If your job role changes or if your department has MTokens from staff who are no longer at the university, the MTokens should be returned. There are several ways to return MTokens that are no longer in use. Please see Returning your MToken for more.