University of Wisconsin–Madison


What is it and how will it affect me?

  • What is multi-factor authentication?

    Multi-Factor Authentication (MFA) adds an extra layer of security to your NetID login process. It combines something you know (your NetID and password) with something you have (smartphone, token/fob) to verify your identity. This extra step helps to protect both your online identity and UW–Madison digital assets.

    UW System has mandated that UW–Madison implement a multi-factor authentication system across campus. After an RFP was concluded in 2017, industry-standard Duo Security was selected. Other higher-education institutions Duo serves include Harvard, Michigan, Villanova, Syracuse, University of South Florida and more. Duo has worked well for these institutions.

    Learn more about UW–Madison’s implementation of multi-factor authentication.

  • How is multi-factor authentication being used at UW–Madison?

    UW–Madison is implementing MFA Duo for the central login service, NetID Login (used by MyUW, O365, etc.). It may also be implemented in other systems using non-NetID logins.

  • Who is eligible to use multi-factor authentication?

    All UW–Madison faculty and staff are eligible to use Duo for multi-factor authentication as licensed populations. If you have specific questions about non-UW staff working in your unit (e.g., consultants), contact your implementation partner.

  • How will multi-factor authentication impact former employees, retirees, and emeriti?

    Multi-factor authentication (MFA) will only be required for current employees. As soon as your current position ends and you no longer have an active appointment in the Human Resource System (HRS), you will not be eligible for, or required to use, multi-factor authentication. Since MFA is implemented on a per-UDDS basis, as soon as you are no longer in your department’s UDDS, you will no longer be required to use MFA. (Note: Individuals may be required to use MFA after retirement until they have exhausted their banked vacation or sabbatical leave because they remain in their department’s UDDS during this time.)

    You will be able to access the digital assets that you’re permitted to use based on your retiree role (former employee, retiree or emeriti). For example, retirees or emeriti could still access library resources by logging in with their NetID and password without having to use multi-factor authentication.

  • How does multi-factor authentication affect me?

    Chances are you are already using multi-factor authentication to log into your bank or Google. This second layer of protection combines something you know (your NetID and password) with something you have (smartphone or token/fob), preventing anyone but you from logging into a system.

    UW–Madison has partnered with Duo to provide this service. You will now need to log in by:

    1. Entering your NetID and password, and
    2. Confirming your identity with the Duo app on your device or by entering the six-digit code from your token/fob.

  • When will my school/college/unit start using multi-factor authentication?

    We’re working with the leadership of each school/college/unit in order to determine an optimal time for transitioning an area over to multi-factor authentication. Leadership in those areas will communicate the timeline to their faculty and staff. Additionally, in order to properly support the transition, we need to have transitions spread out. All staff and faculty are expected to be moved by the end of Feb 2019.

    Get all the details: Find your implementation partner.

  • By using the multi-factor authentication app (by Duo) on my personal device, will my personal communications or data be subject to Wisconsin’s Public Records Law or be subject to a subpoena request?

    The contents of strictly personal communications (texts, emails, voice messages) or data are not subject to the Wisconsin Public Records Law simply by using the app to verify your identity. Strictly personal means that it is not related to university business. If you were using your personal device to conduct university business (such as responding to emails, texting a colleague about a work-related issue, leaving or receiving voice messages on work-related subjects, or accessing UW–Madison digital assets), those communications which relate to university business could be subject to the Wisconsin Public Records Law or could be the subject of a university-related subpoena. The contents of your personal communications that do NOT involve university business would not be subject to the Wisconsin Public Records Law or to a university-related subpoena for university business records.


  • What data does Duo Mobile collect from my smartphone?

    Duo Mobile cannot see your user data, such as your contacts; it cannot read your text messages; it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission); it cannot access your files; it cannot erase your device; and it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts, only the name of the service.

  • Other than NetID-protected tools and sites, what else is multi-factor authentication going to be used for?

    In future phases, we intend to use multi-factor authentication to help protect operating systems, databases and other areas. However, we expect that a limited number of individuals will be impacted by these changes.

  • How will MFA-Duo affect mail clients that don't support MFA (e.g. desktop version of Thunderbird or the Android version of the K-9 mail client)?

    Currently, we’re allowing mail protocols such as POP and IMAP that do not require MFA. Campus is working on a plan for retiring or supplementing these protocols to reduce their vulnerability to exploitation through compromised accounts.

How do I enroll?

How do I use it?