MToken FAQ

• I have questions. Where can I get answers?
• Why does the University distribute MTokens?
• Which administrative systems require that I use an MToken?
• I don't use any of the systems that require Two-Factor Authentication. How does this impact me?
• Who must have an MToken?
• I’m a faculty member, a lecturer, or graduate student instructor. Do I need an MToken? How can I get one?
• On the Weblogin page, do I need to check the box that says "I don't have an MToken?"
• How do I get my MToken?
• How do I activate my new MToken?
• What is a tokencode?
• My tokencode isn’t working. The Login Screen won’t accept my tokencode. What could be wrong?
• I'm a new administrative system user. Where can I get an MToken?
• I received an MToken for a staff member who has left the University. How can I return the MToken to you?
• Can I borrow my coworker's MToken?
• I lost my MToken. Where can I get another one?
• I can't find my MToken. I left it at home (or work) and I need to log in. What can I do?
• When are the MToken Distribution Centers open?

I have questions. Where can I get answers?

If, after reviewing this FAQ, you still have additional questions, please contact one of the MToken Distribution Centers, or send e-mail to mais.twofactorquestions@umich.edu.

Why does the University distribute MTokens?

The University does much of its business on the Web, which has advantages in terms of working efficiently. However, it also increases the risk that personal and institutional information can be compromised inadvertently, misused intentionally, or even stolen outright. It is everyone's responsibility to take steps that will protect personal information collected and stored for business purposes in administrative and departmental data systems.

Using the MToken to provide a second form of authentication, commonly referred to as Two-Factor Authentication, reduces the risk that information can be easily compromised. Individuals with access to the personal information of others in Web-based administrative and business systems need to take action to protect this information. The MToken displays a one-time tokencode (a six-digit number that changes every 60 seconds) that, when combined with your user ID (uniqname) and reusable password (UMICH Kerberos password), provides for strong authentication.

University leadership believes it is critical for everyone using the U-M computing environment to make an effort to protect the private personal information of our faculty, staff, and students that is collected and stored in the University's electronic resources. Higher education institutions have become primary targets of many hackers and identity thieves, and University IT departments are using various technologies to try to protect your data and the data of the entire University community. Using an MToken for Two-Factor Authentication is a way for individuals with access to others' personal information to help protect those resources.

Which administrative systems require that I use an MToken?

M-Pathways systems (Student Administration & Human Resource Management and Financials & Physical Resources), Faculty Business, M-Reports, the U-M Data Warehouse via BusinessObjects, and the administrative mainframe, which contains the Development/Alumni Constituency (DAC) system, are Two-Factor Authentication-enabled.

Most administrative users are required to have an MToken to successfully log in to these systems. They must enter the tokencode displayed on their MToken each time they log in.

Faculty, lecturers, and graduate student instructors who have active appointments, as well as M-Reports users in select job families, are not required to use an MToken. They must check the I don't have an MToken checkbox each time they log in.

Exception: Faculty and instructional staff who previously received an MToken are required to enter a tokencode each time they log into any Two-Factor Authentication-enabled system. To remove the M-Token requirement for faculty in this situation, submit a request to the ITS Service Center.

All other U-M Web-based systems (e.g., Student Business, Employee Business) currently require that you log in with your uniqname (User ID) and UMICH (Kerberos) password. Individual units can choose to implement Two-Factor Authentication on their internal networks and systems.

Most other U-M Web-based systems will accept Two-Factor Authentication, and for security reasons, it is recommended that when you have an MToken, you always enter a tokencode when you authenticate.

I don't use any of the systems that require Two-Factor Authentication. How does this impact me?

Most U-M online systems do not require Two-Factor Authentication at this time, so you do not need an MToken. You can ignore the MToken information on the Weblogin page; you do not need to check the box that reads don't have an MToken; and you do not need to enter a tokencode.

Who must have an MToken?

• Most administrative users are required to have an MToken to successfully log in to these systems. They must enter the tokencode displayed on their MToken each time they log in.
• Faculty, lecturers, and graduate student instructors who have an active appointment, as well as M-Reports users in select job families, are not required to use an MToken. They must check the I don't have an MToken checkbox each time they log in.
  
  
  Exception: Faculty and instructional staff who previously received an MToken are required to enter a tokencode each time they log into any Two-Factor Authentication-enabled system. To remove the M-Token requirement for faculty in this situation, submit a request to the ITS Service Center.
  
  
• U-M departments can choose to use Two-Factor Authentication to secure their systems and networks. In those cases, the departments implementing Two-Factor Authentication will distribute MTokens to appropriate staff.

Individuals with an MToken can use it to log into any system accepting Two-Factor Authentication when they have the appropriate access.

I'm a faculty member, a lecturer, or graduate student instructor. Do I need an MToken? How can I get one?

The University encourages instructional staff to use an MToken for Two-Factor Authentication. Protecting students' private personal information is vitally important to the mission of the University. Two-Factor Authentication provides a stronger authentication method than the traditional single-factor method, which requires just a password. Using it to authenticate enhances the security for U-M Web-based electronic resources and reduces the risk that business or personal information stored in administrative systems will be compromised.

Faculty, lecturers, and graduate student instructors who have an active appointment are not required to use an MToken. They must check the I don't have an MToken checkbox each time they log in.

Exception: Faculty and instructional staff who previously received an MToken are required to enter a tokencode each time they log into any Two-Factor Authentication-enabled system. To remove the M-Token requirement for faculty in this situation, submit a request to the ITS Service Center.

If you choose to use an MToken, you can get one by visiting one of the MToken Distribution Centers. Support staff can also pick-up an MToken for faculty.

On the Weblogin page, do I need to check the box that says " I don't have an MToken?"

Although an MToken is not required for access to Faculty Business, instructional staff with access to Faculty Business functionality (e.g., class rosters, grade rosters, Web grades) must check the I don't have an MToken checkbox each time they log in.

All others (e.g., students, employees who only use Employee Business,etc.) should ignore the MToken information.

How do I get my MToken?

If you have access to a system that requires Two-Factor Authentication, you can obtain an MToken at an MToken Distribution Center. You need to provide your MCard to obtain your MToken.

Faculty, lecturers, and graduate student instructors who choose to use an MToken can get one from an MToken Distribution Center. Support staff can also pick up an MToken for faculty.

Important: Do not initiate the activation process until you have an MToken.

How do I activate my new MToken?

Activating an MToken is an easy process that takes only a few minutes to complete. A procedure for activating your MToken is available, and the MTSC Tour demonstrates how to activate your MToken.

Important: Do not initiate the activation process until you have an MToken.

You should complete the Q & A Authentication Questionnaire immediately after activating your MToken. Your answers to the questions will be used to validate your identity and will enable you to request a temporary static tokencode from the MToken Service Center Web site. The Request an Emergency Tokencode Tour describes how to request a temporary tokencode for emergency access.

What is a tokencode?

A tokencode is the 6 digit number displayed on an MToken. It can be used only once and must be typed into the Weblogin page with your uniqname (User ID) and UMICH (Kerberos) password.

My tokencode isn't working. The Login Screen won't accept my tokencode. What could be wrong?

The following list will help you identify the problem:

• You may have entered the same tokencode more than once
  A tokencode changes every 60 seconds and can be used only once. You must use a different tokencode every time you log into a system that requires Two-Factor Authentication.
• You may have locked your MToken
  Contact an MToken administrator for assistance.
• You can test your MToken to see if it is working correctly.
  Go to the MToken Service Center, and click the Test Your MToken link. Follow the step-by-step process to see if your MToken is operating correctly. If it is not, contact an MToken administrator.
• Your MToken may be expired or broken
  MTokens work for about five years, and then they must be replaced. If your MToken no longer displays a tokencode, it is either broken or expired. You can return your broken or expired MToken and receive a new one at an MToken Distribution Center.

I am a new administrative system user. Where can I get an MToken?

You can obtain an MToken at one of the MToken Distribution Centers on your campus.

I have an MToken that belonged to a staff member who has left the University. How can I return the MToken?

There are several ways to return MTokens for staff who are no longer at the University:

• Return the MToken to ITS, 2019 Administrative Services Bldg, Campus Zip 1432.
• Return the MToken to any MToken Distribution Center.
• Place the MToken in its original packaging and drop it in any campus mailbox.

Can I borrow my coworker's MToken?

You cannot use anyone else's MToken. Your MToken is assigned to you and will work only with your uniqname and password.

I lost my MToken. Where can I get another one?

You can replace your lost, broken, or expired MToken at any MToken Distribution Center. If you have lost or broken your MToken, there may be a replacement charge.

I can't find my MToken. I left it at home (or work) and I need to log in. What can I do?

If you need to work in an administrative system that requires you to use an MToken and you don't have it with you, you can request a temporary static tokencode. A temporary static tokencode can be used repeatedly to log into an administrative system that requires a tokencode until 9:00 a.m. the morning following your request.

• To request a temporary static tokencode via the Web, you must have completed the Q & A Authentication Questionnaire. Take time to answer the three questions when you activate your MToken so this service will be available to you even if the Help Desks are closed. The answers to the questions will be used to validate your identity and will enable you to request a temporary static tokencode from the MToken Service Center Web site. The Q&A Setup Tour describes how to setup your Q&A for emergency access.
• To request a temporary static tokencode from an MToken administrator, contact and MToken Help Desk or MToken Distribution Center during their regular business hours.

When are the MToken Distribution Centers open?

View the MToken Help Desk and Distribution Center Web page for locations and hours of operation.