MFA-Duo FAQs for faculty & staff

Multi-Factor Authentication (MFA) adds an extra layer of security to your NetID login process. It combines something you know (your NetID and password) with something you have (smartphone, token/fob) to verify your identity. This extra step helps to protect both your online identity and UW–Madison digital assets.

A Universities of Wisconsin mandate required that UW–Madison implement a multi-factor authentication system across campus. After an RFP was concluded in 2017, industry-standard Duo Security was selected. Other higher-education institutions Duo serves include Harvard, Michigan, Villanova, Syracuse, University of South Florida and more. Duo has worked well for these institutions.

Learn more about UW–Madison’s implementation of multi-factor authentication.

UW–Madison has implemented MFA Duo for the central login service, NetID Login (used by MyUW, O365, Google, Box etc.). It may also being implemented in other systems using non-NetID logins.

All UW–⁠Madison faculty and staff and students are required to use Duo for multi-factor authentication as licensed populations. If you have specific questions about non-UW staff working in your unit — e.g., consultants — please contact the DoIT Help Desk.

Multi-factor authentication (MFA) will only be required for current employees. As soon as your current position ends and you no longer have an active appointment in the Human Resource System (HRS) you will not be eligible for, or required to use, multi-factor authentication. Since MFA is implemented per Unit, Division, Department, Subdepartment (UDDS) basis, as soon as you are no longer in your department’s UDDS, you will no longer be required to use MFA. (Note: Individuals may be required to use MFA after retirement until they have exhausted their banked vacation or sabbatical leave because they remain in their department’s UDDS during this time.)

You will be able to access the digital assets that you’re permitted to use based on your retiree role (former employee, retiree or emeriti). For example, retirees or emeriti could still access library resources by logging in with their NetID and password without having to use multi-factor authentication.

Chances are you are already using multi-factor authentication to log into your financial institution or social media. This second layer of protection combines something you know (your NetID and password) with something you have (smartphone or token/fob), preventing anyone but you from logging into a system.

UW–Madison has partnered with Duo to provide this service. You will now need to log in by:

1. Entering your NetID and password, and
2. Confirming your identity with the Duo app on your device or by entering the six-digit code from your token/fob.

The contents of strictly personal communications (texts, emails, voice messages) or data are not subject to the Wisconsin Public Records Law simply by using the app to verify your identity. Strictly personal means that it is not related to university business. If you were using your personal device to conduct university business (such as responding to emails, texting a colleague about a work-related issue or leaving or receiving voice messages on work related subjects, or accessing UW–Madison digital assets) those communications which relate to university business could be subject to the Wisconsin Public Records Law or could be the subject of a university-related subpoena. The contents of your personal communications that do NOT involve university business would not be subject to the Wisconsin Public Records law or to a university-related subpoena for university business records.

Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service.

In future phases, we intend on using multi-factor authentication to help protect operating systems, databases and other areas. However, we expect that a limited number of individuals will be impacted by these changes.

Currently, we’re allowing mail protocols such as POP and IMAP that do not require MFA. Campus is working on a plan for retiring or supplementing these protocols to reduce their vulnerability to exploit by compromised accounts.

If you don’t allow students to use technology (e.g. laptops, smartphones) in your classroom, then MFA-Duo will not affect your classroom as students will not need to authenticate with MFA-Duo.

If you allow technology, students will need a brief (5-10 second) interaction with their smartphones or tokens/fobs. You determine classroom policies regarding authenticating to MFA-Duo. Consider sharing these policies through your syllabus and/or verbally. Some suggestions for use:

1. Ask all students to authenticate prior to class starting.
2. Announce at the beginning of class that students should authenticate and then put their smartphones away.

Get more information on the educational impact of using MFA-Duo at: Fall 2019: UW–Madison students and MFA-Duo, what does that mean for my classroom?

MFA-Duo is not an excuse for students to use their smartphones throughout class.

1. If the website students use to take the quiz or exam is not behind a NetID website, then they won’t need to authenticate with MFA-Duo.
2. If the website is behind a NetID website (like Canvas), then you can ask all students to authenticate to Canvas prior to class starting, or announce it before the quiz/exam begins, and then put their smartphones away before ever opening the actual quiz/exam.

Get more information on the educational impact of using MFA-Duo at: Fall 2019: UW–Madison students and MFA-Duo, what does that mean for my classroom?

If a student has logged in to their browser and clicked “remember me” and is using the same laptop and browser they would use in class, they shouldn’t have any issues.

1. To avoid this situation, please encourage students to print out backup passcodes and keep them handy.
2. Students can contact the DoIT HelpDesk (264-HELP), verify their identity and receive a passcode that is valid for 12 hours. This may result in some lost time on their quiz/exam.
3. Students who set up their NetID security questions in advance can request a temporary passcode online. This may result in some lost time on their quiz/exam.

Get more information on the educational impact of using MFA-Duo at: Fall 2019: UW–Madison students and MFA-Duo, what does that mean for my classroom?

The easiest way to use multi-factor authentication is on your smartphone (you can also use a token/fob or security key). In order to use multi-factor authentication, you must first download the Duo app on your device (e.g. smartphone, iPad) or request a token/fob (which will generate a six-digit passcode) to use for authentication. You can enroll at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW. If you have questions, see first time setup for smartphone or tablet or how to register a token/fob.

No worries. If you don’t own a smartphone, or don’t wish to use one, there are other MFA-Duo device options available. The token/fob will generate a six-digit passcode which you enter during the NetID login process. An initial token will be offered to new faculty and staff via your Human Resources department during onboarding.  If you lose or break your token, you may obtain a new one by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu.

A security token (also referred to as a hardware token, fob, or keyfob) is a small hardware device carried by a user to authorize access to a network service. It generates a unique six-digit number (also called a passcode) that identifies the user and allows them to access UW–Madison digital assets. For more information see KB: MFA-Duo: What is a token/fob?

See the KnowledgeBase document How to use a token/fob.

New employees should contact their Human Resources department to obtain a free token/fob or security key or they may obtain one by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu. For more information see KB: MFA-Duo – what is a token/fob?

New employees can obtain a token/fob or security key via their Human Resources department. If you lose or break your token/fob or security key, you may obtain one by contacting the DoIT Help Desk at (608) 264-4357 or emailing help@doit.wisc.edu.

A passcode is a six-digit code that you generate in the Duo app on your smartphone by pushing the down arrow of the right side of your screen or by pushing the green button on your token/fob. You enter the passcode in the Duo Device Management portal to verify your identity to access network services. You can generate a passcode on your smartphone, even if you do not have cellular or wireless (Wi-Fi) service.

For more information see MFA-Duo – logging in with multi-factor authentication

You may add additional devices to your Duo account for UW–Madison multi-factor authentication once the initial setup has been complete. Get instructions on adding a device or registering a token/fob. You can add or remove a device at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW.

When you no longer are in possession of a device, you should remove it from your authorized login devices to prevent another person from requesting a phone number from a phone company that may be your old phone number. See instructions on removing a device. You can add or remove a device at mfa.wisc.edu or through the Multi-Factor Authentication app in MyUW.

Get help online or contact the DoIT Help Desk.

• Get instructions for logging into a service that requires multi-factor authentication with Duo.
• Get additional information on using the various features available within the Duo Mobile app.

You have three options available to you.

1. Obtain a temporary passcode by calling the DoIT Help Desk at 608-264-HELP (4357). You will be asked some security questions to verify your identity.
2. Set up your NetID security questions – in advance, then Request a temporary passcode at https://login.wisc.edu/duo-recovery.  Your temporary passcode expires after 12 hour
3. Plan ahead and generate backup codes for future use.

When holding the token/fob, be sure the green button is on the left to make sure you’re not entering numbers that are upside down.

After 100 times successive failures to authenticate, your account will be locked for 30 minutes.

Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app. Follow the instructions for smartphones (Android and iPhone).

You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service.

• Simply open the app and tap the down arrow or key icon located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
• Enter the six-digit code provided on your smartphone in the multi-factor authentication portal to complete the authentication process.
  

Please refer to MFA-Duo – What is the best way to use MFA-Duo when traveling?

Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone’s hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/wi-fi service).

To generate a passcode:

• Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
• Enter the six-digit code provided on your smartphone in the multi-factor authentication portal to complete the authentication process.

If you’re in a location where you can’t get cellular or wireless (Wi-Fi) service, you can request a single-use passcode directly from the Duo Mobile app.

• Simply open the app and tap the down arrow or key icon located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
• Enter the six-digit code provided on your smartphone in the multi-factor authentication portal to complete the authentication process.
  

Please refer to MFA-Duo – what is the best way to use MFA-Duo when traveling?

If “Remember Me” is selected when initially authenticating via Duo, you won’t need to re-authenticate with Duo again for 12 hours (if you sign in using the same browser in which you authenticated). If you choose to use several browsers during the day, you will need to authenticate in each of those browsers and make the choice on selecting the “Remember Me” option. There are some applications (e.g. VoIP, which may ask you to re-authenticate, but we are working to remove that requirement from the authentication process).

Get details on this topic in the MFA-Duo KnowledgeBase

If you set the MFA-Duo authentication method default to automatically send a push, you will need to disable this setting before activating the “Remember me for 12 hours” option. Here’s how:

1. Click cancel on your push request.
2. Check the “Remember me for 12 hours” box.
3. Authenticate using one of the following options:
   1. Generate a passcode by clicking the down arrow (located in the upper right-hand corner on the Duo app on your smartphone) or by pressing the green button on your token/fob.  Enter the six-digit passcode in the multi-factor authentication portal. OR
   2. Click Send Me a Push in the multi-factor authentication portal. Go to the Duo app on your smartphone or tablet and Accept the push.
4. If you have questions, please contact the DoIT Help Desk.

Not currently, though some systems will require this in the future.