MIT Touchstone

Help

What is MIT Touchstone?

The MIT web application you are using requires you to identify yourself via the MIT Touchstone system. You can do this by providing your Kerberos username and password, or an MIT web certificate. It is also possible to authenticate using existing Kerberos tickets under some circumstances. You may also be required to perform a second authentication step, using MIT's Duo Security two-factor authentication system. Once you have authenticated successfully, you will be able to proceed to your requested web site. If you don't have an MIT Kerberos account, read “What if I don't have a username?” below.

With MIT Touchstone, your single web login gives you access to many other web sites besides the one you initially accessed. In other words, this provides a "single sign on" solution for all Touchstone-enabled applications at MIT.

Your access to Touchstone-enabled applications should last only until you quit your browser program. Be sure to secure your identity by quitting your browser before you leave your computer. Otherwise, someone else who uses your computer during that browser session can impersonate you on the Touchstone systems - both to the sites that you are using as well as to any of the other web sites that accept MIT Touchstone as an authentication authority.

What am I supposed to do?

On the MIT Touchstone Login page you can identify yourself by one of three methods:

  1. By using an MIT X.509 certificate, provided that you have obtained one and installed it for your browser to use. Please see the IS&T page "Certificates at MIT" for more information.
  2. By entering your MIT Kerberos username and password in their respective fields and clicking the "Login" button. Your MIT Kerberos username typically consists of the characters prior to @mit.edu in your e-mail address. For more information about Kerberos usernames, read “How do I know if I have a Kerberos username and password?” below.
  3. By using your existing Kerberos tickets, provided that your browser is properly configured. Note: This choice typically only applies to users of the Athena and WIN.MIT.EDU computer systems, who have taken additional steps to configure their environment to support this feature.

Once you have identified yourself using one of the above methods, you may be required to perform a second authentication step, using MIT's Duo Security two-factor authentication system, as an additional security measure. Please note that two-factor authentication will eventually be required for all MIT users. To enroll in Duo Security, please visit https://duo.mit.edu. For more information, please consult the IS&T Knowledge Base.

How do I know if I have an MIT Kerberos username and password?

Many MIT computer-based systems and services share the same username/password authentication service: Kerberos. This means that a user at MIT has to keep track of only one username and password — the user's Kerberos username and password — for many systems. If you have an email account at MIT of the form username@mit.edu, then you have an MIT Kerberos username, and most likely know its password. If you are a member of the MIT community or an affiliate, you may need to complete your account registration in order to establish your Kerberos username and password. To do this and for more information regarding Kerberos, please see IS&T's page about Creating and Using Your MIT Kerberos Identity.

How do I know if I have Kerberos tickets or can use them?

Although we just mentioned Kerberos as it relates to your username and password at MIT, Kerberos is also a computer network protocol. Online services that are protected by Kerberos will ask to see your Kerberos "ticket" before they will let you in. At MIT there are many native applications (in contrast to web applications) which use the Kerberos protocol for authentication. Some of these include the native clients for SAP, COEUS, and Jabber. In particular, you obtain Kerberos tickets when you log into an Athena workstation or a machine in the WIN.MIT.EDU domain.

Users of Athena and WIN.MIT.EDU may find the use of Kerberos tickets in conjunction with MIT Touchstone-enabled applications particularly attractive.

By using this feature you will have already performed the necessary authentication when you logged into the workstation. If your browser is configured correctly, and you have set a preference to use this feature, each time you attempt to access a Touchstone-enabled application you will quickly be granted access without being prompted for any additional information.

How-to:

What if I don't have a Kerberos username?

If you do not have a Kerberos username and you are a member of the MIT community or an affiliate, then you need to register for an Athena user account. Please visit IS&T's page on Creating and Using Your MIT Kerberos Identity.

If you are not eligible for a Kerberos username, and there is no "public" version of the page or web site you were trying to access, you might not be able to get access because that MIT service is not available to the public.

MIT Touchstone-enabled applications in use today also have a collaboration account management system so that they may be used by people who do not have an MIT Kerberos username. Instead, external users are encouraged to register for a Touchstone collaboration account. Users with this type of account should refer to the application-specific help pages.

Some MIT Touchstone-enabled applications also support federated authentication with partners in the InCommon Federation. Please check the documentation or help pages for the particular application to determine if the application supports users who authenticate at other InCommon identity providers.

Help! I still can't log in!

Missing or incorrect username or password:

To authenticate to MIT Touchstone, you must provide both your username and its password. If you have forgotten your username or password or need other assistance with them, please contact the IS&T Help Desk at 617.253.1101 or email helpdesk@mit.edu.

Enabling cookies on your web browser:

The MIT Touchstone system requires that your web browser accept "cookies," small files that web servers send to your computer. MIT Touchstone uses cookies for security and verification. Having a cookie for an MIT Touchstone web site identifies you to the site and allows you to continue from one page of the site to another without having to log in each time. You can usually enable cookies in the Settings or Preferences dialog of your browser.

Time expired before you were able to log in:

You must enter your username and password within 5 minutes of the MIT Touchstone page loading in your browser window. After that time has elapsed, you must re-initiate the request for the web page or service you want to access by re-entering the URL in the address bar or by returning to the original site which first asked you to authenticate. Reloading the MIT Touchstone login page will not work, as you must be directed to the MIT Touchstone login page from your original application due to technology limitations.

Denying unknown user error on Duo authentication page:

You are required to perform Duo two-factor authentication in order to access the desired web site. To enroll in Duo, please visit https://duo.mit.edu. For more information on Duo, please consult the IS&T Knowledge Base.

If you continue to have login problems, please call the IS&T Help Desk at 617.253.1101.