Touchstone at MIT

On this page:
Obtaining an Account
Using MIT Touchstone
Helpful Links


IS&T operates MIT Touchstone as a single sign-on web authentication service that enables members of the MIT community to login to participating MIT and federated websites. MIT users can authenticate to MIT-hosted, cloud-based, and federated Touchstone-enabled services using their MIT credentials. Certain MIT-hosted web sites also allow non-MIT users to use an existing account at a participating InCommon Federation institution, to authenticate to their services.


Users with a valid MIT Kerberos account can use either their Kerberos username and password, or current MIT X.509 certificate, to authenticate to any Touchstone-enabled application.

Non-MIT users may be able to authenticate to an MIT website with another InCommon Federation participant. Check with the website administrator or support resource to determine which types of accounts it supports.

For those MIT services supporting non-MIT users with an InCommon Federation participant account, Touchstone authentication provides an initial web page which prompts the user to select the appropriate "account provider," and thus be redirected to the login service for that provider. Users can choose to save this selection as a preference in their browser.

In all cases, users' credentials (e.g., passwords) are never passed to the application services.

Obtaining an account

  • Users with valid MIT Kerberos accounts do not need to obtain a new account. (New MIT students, staff, faculty, and affiliates must create a Kerberos account, if they have not already done so). Select the MIT Kerberos account (or MIT web certificate) option from the drop-down list on the page asking for your "account provider".
  • Non-MIT users who need to access protected MIT websites should check with the website's support resource to determine which types of accounts are supported by the application.
    • For an application supporting other InCommon Federation institutions, users from those institutions can use their existing accounts at their home institution to login. In this case, select "InCommon Federation" from the drop-down list on the page asking for your "account provider."

Using MIT Touchstone

Browser requirements
All popular modern web browsers are supported. You should enable cookies and Javascript within your browser. Cookies are used both by the Touchstone login servers and application servers to manage sessions. Javascript is required to perform Duo two-factor authentication at the Touchstone login server for MIT users. Javascript is also used to post a web form automatically from the login server back to the requesting application, though it is not strictly required for this purpose. (Some Touchstone-enabled applications may also require Javascript to be enabled in order for the application to work properly).

For security, you should also make sure to keep your browser and operating system software up to date, of course.

Selecting your account provider
Some MIT Touchstone-enabled applications allow access to protected content by non-MIT users using an account at an InCommon Federation institution. In such cases, the application needs to know which account provider, or identity provider, should be used to authenticate the user; to do this, it will either display its own web page asking the user to select the provider, or redirect to an IS&T-managed site which prompts for and remembers the selection.

When landing on the page prompting for your account provider, select one of the options in the drop-down list there:

  • For MIT users: "MIT Kerberos account (or MIT web certificate)"
  • For non-MIT users with other InCommon Federation accounts: "InCommon Federation"

Non-MIT users should check with the web site administrator or support resource to determine which types of accounts the application can support.

By default, the account provider selection made on this page is remembered for the duration of your browser session. Optionally, you can have the selection remembered permanently (or not at all). If you make an incorrect selection here (in which case you would land on the wrong login page for your account type, and thus be unable to login), you can reset your selection by restarting your browser session (unless you chose the permanent option), or visiting to make a new selection. You would then need to navigate back to the resource you were trying to access to try again.

Logging in (MIT users)
Typically, when MIT users are required to authenticate, and do not have a valid single sign-on session in their browser, they will land on a login page offering three possible authentication mechanisms:

  • MIT X.509 certificate
  • MIT Kerberos username and password
  • Kerberos tickets

To use the certificate option, you must have a valid MIT X.509 certificate installed in your browser. People using the Athena or WIN.MIT.EDU managed desktop environments, who typically maintain valid Kerberos tickets in their desktop sessions, might choose instead to use their existing Kerberos tickets. For both of these options, a checkbox is presented on the login page to use that option automatically, i.e., so that you would typically not even land on the login page, as long as you have a valid certificate or ticket available to your browser. (Some applications may require the use of username and password, however).

We provide a separate page where users can test the certificate and Kerberos tickets mechanisms, and set either as the automatic mechanism to use at login time.

Finally, for additional security, MIT users are generally required to use Duo two-factor authentication, regardless of the initial authentication mechanism used above. To enroll in MIT's Duo system, visit

The recommended way to log out of Touchstone-enabled applications is to close the browser. Since MIT Touchstone provides single sign-on across multiple applications, and does not currently support a global logout capability, there is no other way to ensure that access to protected resources is ended in a browser session.

Some applications provide a local logout capability. However, a purely local logout does not end the single sign-on session maintained by the Touchstone login server, so that if someone were to try to access a protected resource in the application in the same browser session, they would be logged in again without having to provide their credentials at the login server.

Touchstone does provide a way to terminate its single sign-on session, but this is quite limited in that it a) does not return to the site that invokes it, and b) does not affect any other application session which may have authenticated via Touchstone.

In short: The most effective and secure way to log out of a Touchstone-enabled application is to close the browser.

Problems accessing Touchstone-protected resources should be directed to the Service Desk.

Helpful links