Prove it’s you! MFA-Duo FAQs for students

Here are important questions and answers for UW–‍Madison undergrads and grad students about using MFA-Duo. If you need more info after looking through these FAQs, try the UW–⁠Madison KnowledgeBase MFA Duo topic.

What is it and how will it affect me?

This is an accordion element with a series of buttons that open and close related content panels.

What is multi-factor authentication?

Multi-Factor Authentication (MFA) adds an extra layer of security to your NetID login process. It combines something you know (your NetID and password) with something you have (smartphone, token/fob) to verify your identity. This extra step helps to protect both your online identity and UW–‍Madison digital assets.

Universities of Wisconsin mandates required that UW–‍Madison implement a multi-factor authentication system across campus. After an RFP was concluded in 2017, industry-standard Duo Security was selected. Other higher-education institutions Duo serves include Harvard, Michigan, Villanova, Syracuse, University of South Florida and more. Duo has worked well for these institutions.

Learn more about UW–‍Madison’s implementation of multi-factor authentication.

How is multi-factor authentication being used at UW–‍Madison?

UW–‍Madison has implemented MFA Duo for the central login service, NetID Login (used by MyUW, O365, Google, Box etc.). It may also being implemented in other systems using non-NetID logins.

Who is eligible to use multi-factor authentication?

All UW–⁠Madison faculty and staff and students are required to use Duo for multi-factor authentication as licensed populations.  If you have questions please contact the DoIT Help Desk.

How does multi-factor authentication affect me?

Chances are you are already using multi-factor authentication to log into your financial institution or social media. This second layer of protection combines something you know (your NetID and password) with something you have (smartphone or token/fob), preventing anyone but you from logging into a system.

UW–‍Madison has partnered with Duo to provide this service. You will now need to log in by:

  1. Entering your NetID and password, and
  2. Confirming your identity with the Duo app on your device or by entering the six-digit code from your token/fob.

By using the multi-factor authentication app (by Duo) on my personal device, will my personal communications or data be subject to Wisconsin’s Public Records Law or be subject to a subpoena request?

The contents of strictly personal communications (texts, emails, voice messages) or data are not subject to the Wisconsin Public Records Law simply by using the app to verify your identity. Strictly personal means that it is not related to university business. If you were using your personal device to conduct university business (such as responding to emails, texting a colleague about a work-related issue or leaving or receiving voice messages on work related subjects, or accessing UW–‍Madison digital assets) those communications which relate to university business could be subject to the Wisconsin Public Records Law or could be the subject of a university-related subpoena. The contents of your personal communications that do NOT involve university business would not be subject to the Wisconsin Public Records law or to a university-related subpoena for university business records.

What data does Duo Mobile collect from my smartphone?

Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service.

Other than NetID-protected tools and sites, what else is multi-factor authentication going to be used for?

In future phases, we intend on using multi-factor authentication to help protect operating systems, databases and other areas. However, we expect that a limited number of individuals will be impacted by these changes.

How will MFA-Duo affect mail clients that don't support MFA (e.g. desktop version of Thunderbird or the Android version of the K-9 mail client)?

Currently, we’re allowing mail protocols such as POP and IMAP that do not require MFA. Campus is working on a plan for retiring or supplementing these protocols to reduce their vulnerability to exploit by compromised accounts.

What are the educational impacts of students using MFA-Duo in the classroom?

This is an accordion element with a series of buttons that open and close related content panels.

What happens if my instructor doesn't allow students to use smartphones or laptops in the classroom?

If students are not permitted to use technology (e.g. laptops, smartphones) in the classroom, then MFA-Duo will not affect students as they will not need to authenticate with MFA-Duo.

If your instructor allows technology, then students will need a brief (5-10 second) interaction with their smartphone. Your instructor determines classroom policies regarding authenticating to MFA-Duo. They may suggest:

  1. All students authenticate prior to class starting.
  2. Announce at the beginning of class that students should authenticate and then put their cell smartphones or token/fobs away.

How will MFA-Duo impact students who take online quizzes and exams during class?

  1. If the website students use to take the quiz or exam is not behind a NetID website, then they won’t need to authenticate with MFA-Duo.
  2. If the website is behind a NetID website (like Canvas), then your instructor may request that all students authenticate to Canvas prior to class starting, or announce it before the quiz/exam begins, and then put your smartphones (or token/fobs) away before ever opening the actual quiz/exam.

What if I forget my device and I need to take on online quiz in class?

If a student has logged in to their browser and clicked “remember me” and is using the same laptop and browser they would use in class, they shouldn’t have any issues.

  1. To avoid this situation, plan ahead and generate backup codes for future use
  2. Set up your NetID security questions – in advance so you can request a temporary passcode online. This may result in some lost time on your quiz/exam.
  3. You can contact the DoIT HelpDesk (264-HELP), verify your identity and receive a temporary passcode that is valid for 12 hours. This may result in some lost time on your quiz/exam.

How do I enroll?

This is an accordion element with a series of buttons that open and close related content panels.

What is the easiest way to use multi-factor authentication?

The easiest way to use multi-factor authentication is on your smartphone (you can also use a token/fob or security key). In order to use multi-factor authentication, you must first download the Duo app on your device (e.g. smartphone, iPad) or request a token/fob (which will generate a six-digit passcode) to use for authentication. You can enroll at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW. If you have questions, see first time setup for smartphone or tablet or how to register a token/fob.

What if I don't have a smartphone for multi-factor authentication?

No worries. If you don’t own a smartphone, there are other MFA-Duo device options available. The token/fob will generate a six-digit passcode which you enter during the NetID login process. Students can get one free token or security key, by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

For more information see KB: MFA-Duo – What is a token/fob?

What is a token/fob?

A security token (also referred to as a hardware token, fob, or keyfob) is a small hardware device carried by a user to authorize access to a network service. It generates a unique six-digit number (also called a passcode) that identifies the user and allows them to access UW–‍Madison digital assets. For more information see KB: MFA-Duo: What is a token/fob?

Duo token

How do I use my token/fob?

You generate a six-digit passcode by pushing the green button on your token/fob.

Duo token

You enter the six-digit passcode in the Multi-Factor Authentication portal to verify your identity to access network services.

 

Who pays for the tokens/fobs?

Students can get one free token or security key by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

What is a passcode and how is it used?

A passcode is a six-digit code that you generate by pushing the down arrow located on the left hand side of your Duo Mobile app on your smartphone or by pushing the button on your token/fob. You enter the passcode in the Duo Device Management portal to verify your identity to access network services. You can generate a passcode on your smartphone, even if you do not have cellular or wireless (Wi-Fi) service.

For more information see MFA-Duo – Logging in with multi-factor authentication

How do I add a device?

You may add additional devices to your Duo account for UW–‍Madison multi-factor authentication once the initial setup has been complete. Get instructions on adding a device or registering a token/fob. You can add or remove a device at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW.

How do I remove an old device?

When you no longer are in possession of a device, you should remove it from your authorized login devices to prevent another person from requesting a phone number from a phone company that may be your old phone number. See instructions on removing a device. You can add or remove a device at mfa.wisc.edu or through the multi-factor authentication app in MyUW.

Where do I go to get help?

How do I use it?

This is an accordion element with a series of buttons that open and close related content panels.

How do I login with multi-factor authentication?

What happens if I don't have my device with me?

You have three options available to you.

  1. Obtain a temporary passcode by calling the DoIT Help Desk at 608-264-HELP (4357). You will be asked some security questions to verify your identity.
  2. Set up your NetID security questions – in advance, then Request a temporary passcode at https://login.wisc.edu/duo-recovery.  Your temporary passcode expires after 12 hour
  3. Plan ahead and generate backup codes for future use.

What if the passcode generated by my token/fob doesn't work?

When holding the token/fob, be sure the green button is on the left to make sure you’re not entering numbers that are upside down.

Duo Digipass Go 6 token

How many times can I try to authenticate before my account gets locked?

After 100 times successive failures to authenticate, your account will be locked for 30 minutes.

Why isn't the login/push notification working on my Android or iPhone?

Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app. Follow the instructions for Android devices or iPhones.

What is the best way to use MFA-Duo when traveling?

You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service.

  • Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
  • Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.

Please refer to MFA-Duo – What is the best way to use MFA-Duo when traveling?

How can I authenticate if I need to change my SIM card?

Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone’s hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/wi-fi service).

To generate a passcode:

  • Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
  • Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.

What if I don't have cellular or wireless (Wi-Fi) service on my smartphone?

If you’re in a location where you can’t get cellular or wireless (Wi-Fi) service, you can request a single-use passcode directly from the Duo Mobile app.

  • Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
  • Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.

Please refer to MFA-Duo – What is the best way to use MFA-Duo when traveling?

Do I need to authenticate with Duo every time I log in?

If “Remember Me” is selected when initially authenticating via Duo, you won’t need to re-authenticate with Duo again for 12 hours (if you sign in using the same browser in which you authenticated). If you choose to use several browsers during the day, you will need to authenticate in each of those browsers and make the choice on selecting the “Remember Me” option. There are some applications (e.g. VoIP, which may ask you to re-authenticate, but we are working to remove that requirement from the authentication process).

Get details on this topic in the KnowledgeBase

The "Remember me for 12 hours" option is grayed out. How can I activate it?

If you set the MFA-Duo authentication method default to automatically send a push, you will need to disable this setting before activating the “Remember me for 12 hours” option. Here’s how:

  1. Click cancel on your push request.
  2. Check the “Remember me for 12 hours” box.
  3. Authenticate using one of the following options:
    1. Generate a passcode by clicking the down arrow (located in the upper right-hand corner on the Duo app on your smartphone) or by pressing the green button on your token/fob.  Enter the six-digit passcode in the Multi-Factor Authentication portal,  or
    2. Click Send Me a Push in the Multi-Factor Authentication portal. Go to the Duo app on your smartphone or tablet and Accept the push.
  4. If you have questions, please contact the DoIT Help Desk.

Do I need to use MFA-Duo to login to my workstation?

Not currently, though some systems will require this in the future.