Here are important questions and answers for UW–Madison undergrads and grad students about using MFA-Duo. If you need more info after looking through these FAQs, try the UW–Madison KnowledgeBase MFA Duo topic.
What is it and how will it affect me?
Multi-Factor Authentication (MFA) adds an extra layer of security to your NetID login process. It combines something you know (your NetID and password) with something you have (smartphone, token/fob) to verify your identity. This extra step helps to protect both your online identity and UW–Madison digital assets.
Universities of Wisconsin mandates required that UW–Madison implement a multi-factor authentication system across campus. After an RFP was concluded in 2017, industry-standard Duo Security was selected. Other higher-education institutions Duo serves include Harvard, Michigan, Villanova, Syracuse, University of South Florida and more. Duo has worked well for these institutions.
UW–Madison has implemented MFA Duo for the central login service, NetID Login (used by MyUW, O365, Google, Box etc.). It may also be implemented in other systems using non-NetID logins.
All UW–Madison faculty, staff and students are required to use Duo for multi-factor authentication as licensed populations. If you have questions, please contact the DoIT Help Desk.
Chances are you are already using multi-factor authentication to log into your financial institution or social media. This second layer of protection combines something you know (your NetID and password) with something you have (smartphone or token/fob), preventing anyone but you from logging into a system.
UW–Madison has partnered with Duo to provide this service. You will now need to log in by:
Entering your NetID and password, and
Confirming your identity with the Duo app on your device or by entering the six-digit code from your token/fob.
The contents of strictly personal communications (texts, emails, voice messages) or data are not subject to the Wisconsin Public Records Law simply by using the app to verify your identity. Strictly personal means that it is not related to university business. If you were using your personal device to conduct university business (such as responding to emails, texting a colleague about a work-related issue or leaving or receiving voice messages on work related subjects, or accessing UW–Madison digital assets) those communications which relate to university business could be subject to the Wisconsin Public Records Law or could be the subject of a university-related subpoena. The contents of your personal communications that do NOT involve university business would not be subject to the Wisconsin Public Records law or to a university-related subpoena for university business records.
Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service.
In future phases, we intend to use multi-factor authentication to help protect operating systems, databases and other areas. However, we expect that a limited number of individuals will be impacted by these changes.
Currently, we’re allowing mail protocols such as POP and IMAP that do not require MFA. Campus is working on a plan for retiring or supplementing these protocols to reduce their vulnerability to exploit by compromised accounts.
What are the educational impacts of students using MFA-Duo in the classroom?
If students are not permitted to use technology (e.g. laptops, smartphones) in the classroom, then MFA-Duo will not affect students as they will not need to authenticate with MFA-Duo.
If your instructor allows technology, then students will need a brief (5-10 second) interaction with their smartphone. Your instructor determines classroom policies regarding authenticating to MFA-Duo. They may suggest:
All students authenticate prior to class starting.
Announce at the beginning of class that students should authenticate and then put their smartphones or token/fobs away.
If the website students use to take the quiz or exam is not behind a NetID website, then they won’t need to authenticate with MFA-Duo.
If the website is behind a NetID website (like Canvas), then your instructor may request that all students authenticate to Canvas prior to class starting, or announce it before the quiz/exam begins, and then put your smartphones (or token/fobs) away before ever opening the actual quiz/exam.
If a student has logged in to their browser and clicked “remember me” and is using the same laptop and browser they would use in class, they shouldn’t have any issues.
Set up your NetID security questions in advance so you can request a temporary passcode online. This may result in some lost time on your quiz/exam.
You can contact the DoIT HelpDesk (264-HELP), verify your identity and receive a temporary passcode that is valid for 12 hours. This may result in some lost time on your quiz/exam.
How do I enroll?
The easiest way to use multi-factor authentication is on your smartphone (you can also use a token/fob or security key). In order to use multi-factor authentication, you must first download the Duo app on your device (e.g. smartphone, iPad) or request a token/fob (which will generate a six-digit passcode) to use for authentication. You can enroll at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW. If you have questions, see first time setup for smartphone or tablet or how to register a token/fob.
No worries. If you don’t own a smartphone, there are other MFA-Duo device options available. The token/fob will generate a six-digit passcode which you enter during the NetID login process. Students can get one free token or security key by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
A security token (also referred to as a hardware token, fob, or keyfob) is a small hardware device carried by a user to authorize access to a network service. It generates a unique six-digit number (also called a passcode) that identifies the user and allows them to access UW–Madison digital assets. For more information see KB: MFA-Duo: What is a token/fob?
You generate a six-digit passcode by pushing the green button on your token/fob.
Students can get one free token or security key by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
A passcode is a six-digit code that you generate by pushing the down arrow located on the left hand side of your Duo Mobile app on your smartphone or by pushing the button on your token/fob. You enter the passcode in the Duo Device Management portal to verify your identity to access network services. You can generate a passcode on your smartphone, even if you do not have cellular or wireless (Wi-Fi) service.
You may add additional devices to your Duo account for UW–Madison multi-factor authentication once the initial setup has been completed. Get instructions on adding a device or registering a token/fob. You can add or remove a device at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW.
When you no longer are in possession of a device, you should remove it from your authorized login devices to prevent another person from requesting a phone number from a phone company that may be your old phone number. See instructions on removing a device. You can add or remove a device at mfa.wisc.edu or through the multi-factor authentication app in MyUW.
When holding the token/fob, be sure the green button is on the left to make sure you’re not entering numbers that are upside down.
After 100 successive failures to authenticate, your account will be locked for 30 minutes.
Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app. Follow the instructions for Android devices or iPhones.
You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service.
Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone’s hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/wi-fi service).
To generate a passcode:
Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
If you’re in a location where you can’t get cellular or wireless (Wi-Fi) service, you can request a single-use passcode directly from the Duo Mobile app.
Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
If “Remember Me” is selected when initially authenticating via Duo, you won’t need to re-authenticate with Duo again for 12 hours (if you sign in using the same browser in which you authenticated). If you choose to use several browsers during the day, you will need to authenticate in each of those browsers and choose whether to select the “Remember Me” option in each. There are some applications (e.g. VoIP) which may ask you to re-authenticate, but we are working to remove that requirement from the authentication process.
If you set the MFA-Duo authentication method default to automatically send a push, you will need to disable this setting before activating the “Remember me for 12 hours” option. Here’s how:
Click cancel on your push request.
Check the “Remember me for 12 hours” box.
Authenticate using one of the following options:
Generate a passcode by clicking the down arrow (located in the upper right-hand corner on the Duo app on your smartphone) or by pressing the green button on your token/fob. Enter the six-digit passcode in the Multi-Factor Authentication portal, or