Service Summary

Mason provides authentication services to protect Mason applications, such as Patriot Web and Banner. Authentication service provisioning is available and automatic for eligible students, faculty, and staff. Additional information and instructions for non-system administrators are available in the knowledge base.

Two-Factor Authentication (2FA)

Already enrolled in 2FA?

> 2FA Account Login

What is 2FA?

Two-factor authentication (2FA) uses two factors to verify you are who you say you are when accessing websites and services. 2FA makes your personal information less vulnerable and helps prevent anyone but you from accessing your accounts, even if they know your Patriot Pass Password.

  • The first factor (something you know) is the verification of the Mason NetID and Patriot Pass Password, and
  • The second factor (something you have) is generally a smartphone, but other options are available

Mason uses Duo Security to deliver Two-Factor Authentication (2FA) when using applications protected by Mason's Central Authentication Service (CAS) and Shibboleth (Blackboard does NOT require 2FA at this time), and the Cisco AnyConnect VPN. This second layer of protection makes your personal information and Mason’s information less vulnerable.

Two-factor Authentication (2FA) is required for all Mason employees (faculty, staff, and student workers) and students.

7-Day Remember Me Option

Select this option to bypass the request for your second factor on the same device and application for seven days.

Getting Started with 2FA

Getting Started Checklist

A phone is needed for enrollment. Select the from instructions below based on the type of phone number you will be using:

Once enrolled, you will log in to applications by entering your NetID and Patriot Pass Password (first factor) and then confirm your identity using a physical device (second factor). The physical device may be a smartphone, tablet, bypass code, or Yubikey (See the List of Authentication Options).


Service Offerings for Faculty & Staff

Two-Factor Authentication (2FA) for Office 365

Two-Factor Authentication (2FA) for Office 365 incorporates the use of the Duo 2FA tool when logging into Office 365 services, and adds an additional layer of security to all applications in employee Office 365 accounts including email, calendar, Microsoft Teams, OneDrive for Business, and Microsoft 365 Apps for Enterprise. It enables users to qualify for advanced services that are part of the Office 365 suite as they become available.

As part of this request, you will automatically be granted access to Microsoft Teams and be given the option to request access to Windows Virtual Desktop .

This service is not available for MasonLive or generic accounts.

Service Offerings for System Admins

System administrators may request authorization and authentication services for their websites and applications. All websites and applications using Active Directory Federation Services (ADFS), Central Authentication Service (CAS), Lightweight Directory Access Protocol (LDAP), or Shibboleth must be registered with ITS.

Note: Lightweight Directory Access Protocol (LDAP) is not a service that can be requested separately; instead,  Central Authentication Service (CAS) and Shibboleth use LDAP on the backend.

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) provides central authentication and authorization of all users and computers that connect to MESA and desktop management services for Windows-based computers through Mason's Service Center.

Generic accounts for specialized applications or services may be created and assigned with approval by IT Security.

Central Authentication Services (CAS)

Central Authentication Service (CAS) is a single sign-on service used by a variety of Mason websites and applications to authenticate individuals. Its purpose is to permit users to access multiple sites while providing their credentials (NetID and Patriot Pass Password) only once.

CAS coupled with 2FA offers a secure environment for sensitive data.


Shibboleth (Mason Federated Login) is a single sign-on (login) system that allows users to sign in using just one identity to various systems run by federations of different organizations or institutions (oftentimes other universities or public service organizations). InCommon is the Federation currently tied into Shibboleth.