diff --git a/docker-compose.yml b/docker-compose.yml
index 1e3187a1..353b6072 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: "3.1"
 # This is just an example that shows the relationships between the auth2 image
 # and other services. Many of these things would be overidden in the actual
 # deployment docker-compose file - for example, the name of the mongodb instance
diff --git a/src/main/java/us/kbase/auth2/service/common/ExternalToken.java b/src/main/java/us/kbase/auth2/service/common/ExternalToken.java
index 363a0c55..0a5a703a 100644
--- a/src/main/java/us/kbase/auth2/service/common/ExternalToken.java
+++ b/src/main/java/us/kbase/auth2/service/common/ExternalToken.java
@@ -3,6 +3,7 @@
 import static java.util.Objects.requireNonNull;
 
 import java.util.Map;
+import java.util.Objects;
 
 import us.kbase.auth2.lib.token.StoredToken;
 
@@ -17,6 +18,7 @@ public class ExternalToken {
 	private final String name;
 	private final String user;
 	private final Map<String, String> custom;
+	private final String mfa;
 
 	public ExternalToken(final StoredToken storedToken) {
 		requireNonNull(storedToken, "storedToken");
@@ -28,11 +30,16 @@ public ExternalToken(final StoredToken storedToken) {
 		expires = storedToken.getExpirationDate().toEpochMilli();
 		created = storedToken.getCreationDate().toEpochMilli();
 		custom = storedToken.getContext().getCustomContext();
+		mfa = storedToken.getMFA().getDescription();
 	}
 
 	public String getType() {
 		return type;
 	}
+	
+	public String getMfa() { // method name must be Lowercase or templates don't work
+		return mfa;
+	}
 
 	public String getId() {
 		return id;
@@ -60,71 +67,25 @@ public Map<String, String> getCustom() {
 
 	@Override
 	public int hashCode() {
-		final int prime = 31;
-		int result = 1;
-		result = prime * result + (int) (created ^ (created >>> 32));
-		result = prime * result + ((custom == null) ? 0 : custom.hashCode());
-		result = prime * result + (int) (expires ^ (expires >>> 32));
-		result = prime * result + ((id == null) ? 0 : id.hashCode());
-		result = prime * result + ((name == null) ? 0 : name.hashCode());
-		result = prime * result + ((type == null) ? 0 : type.hashCode());
-		result = prime * result + ((user == null) ? 0 : user.hashCode());
-		return result;
+		return Objects.hash(created, custom, expires, id, mfa, name, type, user);
 	}
 
 	@Override
 	public boolean equals(Object obj) {
-		if (this == obj) {
+		if (this == obj)
 			return true;
-		}
-		if (obj == null) {
+		if (obj == null)
 			return false;
-		}
-		if (getClass() != obj.getClass()) {
+		if (getClass() != obj.getClass())
 			return false;
-		}
 		ExternalToken other = (ExternalToken) obj;
-		if (created != other.created) {
-			return false;
-		}
-		if (custom == null) {
-			if (other.custom != null) {
-				return false;
-			}
-		} else if (!custom.equals(other.custom)) {
-			return false;
-		}
-		if (expires != other.expires) {
-			return false;
-		}
-		if (id == null) {
-			if (other.id != null) {
-				return false;
-			}
-		} else if (!id.equals(other.id)) {
-			return false;
-		}
-		if (name == null) {
-			if (other.name != null) {
-				return false;
-			}
-		} else if (!name.equals(other.name)) {
-			return false;
-		}
-		if (type == null) {
-			if (other.type != null) {
-				return false;
-			}
-		} else if (!type.equals(other.type)) {
-			return false;
-		}
-		if (user == null) {
-			if (other.user != null) {
-				return false;
-			}
-		} else if (!user.equals(other.user)) {
-			return false;
-		}
-		return true;
+		return created == other.created
+				&& Objects.equals(custom, other.custom)
+				&& expires == other.expires
+				&& Objects.equals(id, other.id)
+				&& Objects.equals(mfa, other.mfa)
+				&& Objects.equals(name, other.name)
+				&& Objects.equals(type, other.type)
+				&& Objects.equals(user, other.user);
 	}
 }
diff --git a/src/test/java/us/kbase/test/auth2/service/ServiceTestUtils.java b/src/test/java/us/kbase/test/auth2/service/ServiceTestUtils.java
index 3ffc9c4c..a8d713c4 100644
--- a/src/test/java/us/kbase/test/auth2/service/ServiceTestUtils.java
+++ b/src/test/java/us/kbase/test/auth2/service/ServiceTestUtils.java
@@ -233,6 +233,7 @@ public static void checkReturnedToken(
 		
 		assertThat("incorrect token context", uitoken.get("custom"), is(customContext));
 		assertThat("incorrect token type", uitoken.get("type"), is(type.getDescription()));
+		assertThat("incorrect mfa", uitoken.get("mfa"), is(mfa.getDescription()));
 		final long created = (long) uitoken.get("created");
 		TestCommon.assertCloseToNow(created);
 		assertThat("incorrect expires", uitoken.get("expires"),
diff --git a/src/test/java/us/kbase/test/auth2/service/api/TestModeIntegrationTest.java b/src/test/java/us/kbase/test/auth2/service/api/TestModeIntegrationTest.java
index f2a61abf..844abfa0 100644
--- a/src/test/java/us/kbase/test/auth2/service/api/TestModeIntegrationTest.java
+++ b/src/test/java/us/kbase/test/auth2/service/api/TestModeIntegrationTest.java
@@ -190,7 +190,7 @@ public void createAndGetToken() {
 				ImmutableMap.of("user", "whee", "display", "whoo")));
 		assertThat("user create failed", ures.getStatus(), is(200));
 		
-		final Map<String, Object> response = createToken("whee", "Login", "foo", "Used");
+		final Map<String, Object> response = createToken("whee", "Login", "foo", "NotUsed");
 		
 		final long created = (long) response.get("created");
 		response.remove("created");
@@ -205,6 +205,7 @@ public void createAndGetToken() {
 		
 		final Map<String, Object> expected = new HashMap<>();
 		expected.put("type", "Login");
+		expected.put("mfa", "NotUsed");
 		expected.put("name", "foo");
 		expected.put("user", "whee");
 		expected.put("custom", Collections.emptyMap());
diff --git a/src/test/java/us/kbase/test/auth2/service/api/TestModeTest.java b/src/test/java/us/kbase/test/auth2/service/api/TestModeTest.java
index 40947ba3..428d6466 100644
--- a/src/test/java/us/kbase/test/auth2/service/api/TestModeTest.java
+++ b/src/test/java/us/kbase/test/auth2/service/api/TestModeTest.java
@@ -319,7 +319,6 @@ public void createTokenNoName() throws Exception {
 				.thenReturn(new NewToken(StoredToken.getBuilder(
 						TokenType.DEV, uuid, new UserName("foo"))
 						.withLifeTime(Instant.ofEpochMilli(10000), Instant.ofEpochMilli(20000))
-						.withMFA(MFAStatus.UNKNOWN)
 						.build(),
 						"a token"));
 		
@@ -333,7 +332,7 @@ TokenType.DEV, uuid, new UserName("foo"))
 			final NewAPIToken expected = new NewAPIToken(new NewToken(StoredToken.getBuilder(
 					TokenType.DEV, uuid, new UserName("foo"))
 					.withLifeTime(Instant.ofEpochMilli(10000), Instant.ofEpochMilli(20000))
-					.withMFA(MFAStatus.USED)
+					.withMFA(MFAStatus.UNKNOWN)
 					.build(),
 					"a token"), 30000L);
 			
@@ -367,6 +366,7 @@ TokenType.AGENT, uuid, new UserName("foo"))
 				TokenType.AGENT, uuid, new UserName("foo"))
 				.withLifeTime(Instant.ofEpochMilli(10000), Instant.ofEpochMilli(20000))
 				.withTokenName(new TokenName("whee"))
+				.withMFA(MFAStatus.USED)
 				.build(),
 				"a token"), 30000L);
 		
@@ -438,6 +438,7 @@ public void getToken() throws Exception {
 		when(auth.testModeGetToken(new IncomingToken("a token"))).thenReturn(
 				StoredToken.getBuilder(TokenType.DEV, uuid, new UserName("foo"))
 						.withLifeTime(Instant.ofEpochMilli(10000), Instant.ofEpochMilli(30000))
+						.withMFA(MFAStatus.NOT_USED)
 						.build());
 		
 		when(auth.getSuggestedTokenCacheTime()).thenReturn(40000L);
@@ -447,6 +448,7 @@ public void getToken() throws Exception {
 		final APIToken expected = new APIToken(StoredToken.getBuilder(
 				TokenType.DEV, uuid, new UserName("foo"))
 				.withLifeTime(Instant.ofEpochMilli(10000), Instant.ofEpochMilli(30000))
+				.withMFA(MFAStatus.NOT_USED)
 				.build(),
 				40000);
 		
diff --git a/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java b/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java
index 0e449f99..1eea37fc 100644
--- a/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java
+++ b/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java
@@ -151,6 +151,7 @@ TokenType.AGENT, id, new UserName("foo"))
 				.withTokenName(new TokenName("bar"))
 				.withContext(TokenCreationContext.getBuilder()
 						.withCustomContext("whee", "whoo").build())
+				.withMFA(MFAStatus.USED)
 				.build(), it.getHashedToken().getTokenHash());
 		
 		final URI target = UriBuilder.fromUri(host).path("/api/V2/token").build();
@@ -168,6 +169,7 @@ TokenType.AGENT, id, new UserName("foo"))
 		
 		final Map<String, Object> expected = MapBuilder.<String, Object>newHashMap()
 				.with("type", "Agent")
+				.with("mfa", "Used")
 				.with("id", id.toString())
 				.with("created", 10000)
 				.with("expires", 1000000000000000L)
diff --git a/src/test/java/us/kbase/test/auth2/service/common/ExternalTokenTest.java b/src/test/java/us/kbase/test/auth2/service/common/ExternalTokenTest.java
index 48b5111a..1b024e32 100644
--- a/src/test/java/us/kbase/test/auth2/service/common/ExternalTokenTest.java
+++ b/src/test/java/us/kbase/test/auth2/service/common/ExternalTokenTest.java
@@ -14,6 +14,7 @@
 import nl.jqno.equalsverifier.EqualsVerifier;
 import us.kbase.auth2.lib.TokenCreationContext;
 import us.kbase.auth2.lib.UserName;
+import us.kbase.auth2.lib.token.MFAStatus;
 import us.kbase.auth2.lib.token.StoredToken;
 import us.kbase.auth2.lib.token.TokenName;
 import us.kbase.auth2.lib.token.TokenType;
@@ -46,6 +47,7 @@ TokenType.AGENT, id, new UserName("foo"))
 		assertThat("incorrect name", et.getName(), is("bar"));
 		assertThat("incorrect custom context", et.getCustom(),
 				is(ImmutableMap.of("whee", "whoo")));
+		assertThat("incorrect MFA", et.getMfa(), is("Unknown"));
 	}
 	
 	@Test
@@ -56,6 +58,7 @@ TokenType.AGENT, id, new UserName("foo"))
 				.withLifeTime(Instant.ofEpochMilli(10000), 15000)
 				.withContext(TokenCreationContext.getBuilder()
 						.withCustomContext("whee", "whoo").build())
+				.withMFA(MFAStatus.USED)
 				.build());
 		
 		assertThat("incorrect type", et.getType(), is("Agent"));
@@ -66,6 +69,7 @@ TokenType.AGENT, id, new UserName("foo"))
 		assertThat("incorrect name", et.getName(), is((String) null));
 		assertThat("incorrect custom context", et.getCustom(),
 				is(ImmutableMap.of("whee", "whoo")));
+		assertThat("incorrect MFA", et.getMfa(), is("Used"));
 	}
 	
 	@Test
diff --git a/src/test/java/us/kbase/test/auth2/service/ui/TokensTest.java b/src/test/java/us/kbase/test/auth2/service/ui/TokensTest.java
index 5f64fa01..fe426485 100644
--- a/src/test/java/us/kbase/test/auth2/service/ui/TokensTest.java
+++ b/src/test/java/us/kbase/test/auth2/service/ui/TokensTest.java
@@ -154,6 +154,7 @@ public void getTokensMinimalInput() throws Exception {
 				.with("service", false)
 				.with("current", MapBuilder.newHashMap()
 						.with("type", "Login")
+						.with("mfa", "Unknown")
 						.with("id", id)
 						.with("expires", 1000000000010000L)
 						.with("created", 10000)
@@ -200,6 +201,7 @@ public void getTokensMaximalInput() throws Exception {
 						.withNullableDevice("dev")
 						.withNullableOS("o", "osv")
 						.build())
+				.withMFA(MFAStatus.USED)
 				.build(),
 				token.getHashedToken().getTokenHash());
 		
@@ -211,6 +213,7 @@ public void getTokensMaximalInput() throws Exception {
 						.withNullableAgent("ag2", "agv2")
 						.withNullableDevice("dev2")
 						.build())
+				.withMFA(MFAStatus.NOT_USED)  // this should never happen for an agent token fwiw
 				.build(),
 				"somehash");
 		
@@ -256,6 +259,7 @@ public void getTokensMaximalInput() throws Exception {
 				.with("service", true)
 				.with("current", MapBuilder.newHashMap()
 						.with("type", "Login")
+						.with("mfa", "Used")
 						.with("id", id)
 						.with("expires", 1000000000010000L)
 						.with("created", 10000)
@@ -272,6 +276,7 @@ public void getTokensMaximalInput() throws Exception {
 				.with("tokens", Arrays.asList(
 						MapBuilder.newHashMap()
 								.with("type", "Developer")
+								.with("mfa", "Unknown")
 								.with("id", id3)
 								.with("expires", 3000000000030000L)
 								.with("created", 30000)
@@ -287,6 +292,7 @@ public void getTokensMaximalInput() throws Exception {
 								.build(),
 						MapBuilder.newHashMap()
 								.with("type", "Agent")
+								.with("mfa", "NotUsed")
 								.with("id", id2)
 								.with("expires", 2000000000020000L)
 								.with("created", 20000)
diff --git a/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMaximalInput.testdata b/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMaximalInput.testdata
index 193a2fe1..c4189c92 100644
--- a/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMaximalInput.testdata
+++ b/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMaximalInput.testdata
@@ -19,6 +19,7 @@ Expiration and creation dates are in milliseconds from the epoch.
 Name: wugga<br/>
 ID: edc1dcbb-d370-4660-a639-01a72f0d578a<br/>
 Type: Login<br/>
+MFA: Used<br/>
 Created: 10000<br/>
 Expires: 1000000000010000<br/>
 OS: o osv<br/>
@@ -31,6 +32,7 @@ Custom: {foo&#61;bar}<br/>
 Name: whee<br/>
 ID: 653cc5ce-37e6-4e61-ac25-48831657f257<br/>
 Type: Developer<br/>
+MFA: Unknown<br/>
 Created: 30000<br/>
 Expires: 3000000000030000<br/>
 OS:  <br/>
@@ -44,6 +46,7 @@ Custom: {}<br/>
 <br/>
 ID: 8351a73a-d4c7-4c00-9a7d-012ace5d9519<br/>
 Type: Agent<br/>
+MFA: NotUsed<br/>
 Created: 20000<br/>
 Expires: 2000000000020000<br/>
 OS:  <br/>
diff --git a/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMinimalInput.testdata b/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMinimalInput.testdata
index 728b30d3..4dac8b67 100644
--- a/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMinimalInput.testdata
+++ b/src/test/resources/us/kbase/test/auth2/service/ui/TokensTest_getTokensMinimalInput.testdata
@@ -11,6 +11,7 @@ Expiration and creation dates are in milliseconds from the epoch.
 <h3>Current token:</h3>
 ID: edc1dcbb-d370-4660-a639-01a72f0d578a<br/>
 Type: Login<br/>
+MFA: Unknown<br/>
 Created: 10000<br/>
 Expires: 1000000000010000<br/>
 OS:  <br/>
diff --git a/templates/admintoken.mustache b/templates/admintoken.mustache
index de34b1d0..1190d552 100644
--- a/templates/admintoken.mustache
+++ b/templates/admintoken.mustache
@@ -9,6 +9,7 @@ Name: {{name}}<br/>
 {{/name}}
 ID: {{id}}<br/>
 Type: {{type}}<br/>
+MFA: {{mfa}}<br/>
 Created: {{created}}<br/>
 Expires: {{expires}}<br/>
 OS: {{os}} {{osver}}<br/>
diff --git a/templates/adminusertokens.mustache b/templates/adminusertokens.mustache
index dd41c2bd..a2b76ab0 100644
--- a/templates/adminusertokens.mustache
+++ b/templates/adminusertokens.mustache
@@ -15,6 +15,7 @@ Name: {{name}}<br/>
 {{/name}}
 ID: {{id}}<br/>
 Type: {{type}}<br/>
+MFA: {{mfa}}<br/>
 Created: {{created}}<br/>
 Expires: {{expires}}<br/>
 OS: {{os}} {{osver}}<br/>
diff --git a/templates/tokens.mustache b/templates/tokens.mustache
index ffe0a907..f573e45b 100644
--- a/templates/tokens.mustache
+++ b/templates/tokens.mustache
@@ -26,6 +26,7 @@ Name: {{name}}<br/>
 {{/name}}
 ID: {{id}}<br/>
 Type: {{type}}<br/>
+MFA: {{mfa}}<br/>
 Created: {{created}}<br/>
 Expires: {{expires}}<br/>
 OS: {{os}} {{osver}}<br/>
@@ -42,6 +43,7 @@ Name: {{name}}<br/>
 {{/name}}
 ID: {{id}}<br/>
 Type: {{type}}<br/>
+MFA: {{mfa}}<br/>
 Created: {{created}}<br/>
 Expires: {{expires}}<br/>
 OS: {{os}} {{osver}}<br/>