Multi-Factor Authentication
Users of U-M systems containing sensitive university data are required to use multi-factor authentication for increased security.
- Multi-Factor Authentication (Okta Verify)
Multi-factor Authentication (MFA) involves combining more than one authentication type and provides a stronger assurance of the person’s identity. In 2026, U-M is transitioning to Okta for multi-factor authentication (MFA) to improve the security of U-M systems, protect university accounts, and enhance the sign-in experience with new capabilities including passwordless sign-in options. - Two-Factor Authentication (Duo)
Use of Duo is in containment as of February 26, 2025. Okta will be used going forward as the MFA service for U-M. All remaining use of Duo will migrate to Okta during the 2026 calendar year.
Single Sign On
- Single Sign-On SSO with Okta
Okta will be used as the SSO service for U-M to allow people to log in to U-M web resources. Okta provides all similar integration protocols as Shibboleth, such as SAML and OIDC. - Shibboleth at U-M
Use of Shibboleth is in containment as of February 26, 2025.
Other Authentication and Authorization Services
- Active Directory (UMROOT)
Active Directory (UMROOT) authentication is used when accessing a number of U-M services, including MWireless, MiWorkstation computers, and more. - Kerberos at U-M
Kerberos is used for authentication (to validate that you are who you say you are) when logging in to many services and systems at U-M. Going forward, the university will move toward use of single sign-on authentication options such as Shibboleth rather than using Kerberos directly. - Social Login at U-M
Social login can be implemented to allow guest access. It can allow people who do not have or use a uniqname and UMICH password to log in to a service at U-M using a social account (such as Facebook, LinkedIn, or others). See Implementing Social Login for U-M Services.