MFA-Duo - Frequently Asked Questions & Limitations

This document provides references and answers to frequently asked questions about Multi Factor Authentication using Duo.

General MFA-Duo Questions:

Who is eligible to use UW-Madison Duo-Multi Factor Authentication?

Eligible to use Campus funded MFA-Duo license:

This section describes groups who are eligible to enroll in MFA-Duo.

Groups where MFA-Duo enrollment is required are denoted by a *. Other groups in this section are eligible for MFA-Duo, but are not required to enroll. Once someone who is eligible enrolls in MFA-Duo, they are required to use it from that point forward.

  • Current UW-Madison employees*
    • Those with a current job (between start date and end date) in HRS
    • Student employees
    • LTEs, Postdoctoral Scholars and Trainees, Honorary Associates/Fellows and Non-Paid positions entered as jobs in HRS ($0 appointments)
  • Future UW-Madison employees
    • All future employees with a start date any time in the future.
  • Current UW-Madison students*
    • Those currently enrolled in for-credit classes.
  • Future UW-Madison students
    • Those eligible to enroll in for-credit classes.
    • New students enrolling in the fall semester become required to use Duo on July 1.
      • Note: Incoming graduate students will need to be matriculated by their respective grad school before becoming eligible to enroll in Duo. 
  • Current UW-Madison senior guest auditors
  • Consultants (POI 14)
  • Timecard Approvers (POI 13)
  • Emeritus (POI 21)
  • Volunteers (POI 22)
  • LAB Auditors (POI 26)
  • Some additional affiliates

Any group not listed above is not eligible.

Unfortunately because of licensing, only the groups listed above are eligible. Other third-party MFA options are also not available because our services are not structured to integrate them, even if they are free.
Examples of ineligible populations include, but are not limited to:
  • Those without a current job (between start date and end date) in HRS
    • Former employees, non-emeritus retirees
    • Most Affiliates
  • Students not enrolled in for-credit courses
    • Former students
    • Students enrolled in non-timetable (not for credit) courses
  • Non-Madison UW students
  • Employees that are not directly working for UW-Madison
    • UWSA
    • UWSS
    • Individual campus
    • etc.
[Doc 102900 content is unavailable at this time.]

See accessibility & usability information

We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

How to get access to a Security Key or Duo Token/Fob 

Students

Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

Faculty, Staff, and Researchers

Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

 

Enrolling in MFA Duo using a NetID login account:

Mobile Device Questions:

Reactivating Duo on mobile devices:

  1. Navigate to the UW-Madison MFA Portal at MFA.wisc.edu and login with your NetID and password if requested. Once there, click Manage MFA Preferences and Devices.

    manage mfa preferences and devices

  2. You will be prompted for your NetID and password again, as well as MFA.

    If you are currently unable to login to MFA because you do not have another device setup or you do not have a saved list of backup codes, you will need to use a temporary passcode (see MFA-Duo - Request a Temporary Passcode) to continue. If you are still able to log into Duo with a device or backup passcode, you can use those instead. If you are unable to request a temporary passcode and have no other backup options, you will need to call the DoIT Help Desk at 608-264-HELP (4357) to request a bypass code.

    • To enter a temporary passcode, select Other options.

      initial prompt screen

    • Select Bypass code from the list.

      select bypass code

    • Enter the temporary bypass code that you either 1) generated, 2) had from a list of backup codes, or 3) requested from the DoIT Help Desk and select Verify.

      enter passcode

  3. You will arrive at the Duo Security - Device Management portal. Find the device you wish to reactivate and select I have a new phone.

    NOTE: Steps 3-7 are the same whether you are reactivating a mobile device or a tablet.

    i have a new phone

  4. Click Get started if your new device is using the same phone number as before. If you have a new number, follow the steps for adding a new device instead.

    let's set up your phone

  5. Download Duo Mobile on your new device if you have not already and select Next.

  6. Configure the Duo App on your mobile device and finish adding the device in Device Management Portal:

    1. Open the Duo App on your device.

      Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

    2. If this is your first time enrolling with Duo on this device, you will arrive at the following screen. Press Continue.

      (Note: If it is not your first time using Duo on this device, tap the Add + button in the top right corner and select the Use QR code option.) 

      duo app step 1

    3. Select Use a QR code.

      duo app step 2

    4. Using your device, scan the QR code on the screen in the Device Management portal.

      scan QR code

  7. You will see the following screen in your browser if your device reactivation is successful, and your mobile phone should return to the Duo home screen. Click Continue. Reactivation is complete!

    success screen

 

See accessibility & usability information

We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

How to get access to a Security Key or Duo Token/Fob 

Students

Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

Faculty, Staff, and Researchers

Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

Setting up Duo for the first time on mobile devices:

Note: This document is only for setup if you're planning to use a smartphone or tablet with MFA Duo.

Background:

UW-Madison has selected Duo as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone, tablet or token.

More on the Duo Multi-factor Authentication Project can be found on here: MFA-Duo - What is Duo Multi-factor Authentication?.

Items needed for First Time Setup:

  1. Smartphone or tablet running supported platform.
  2. Smartphone or tablet connected to Wi-Fi or cellular data network.
  3. Separate device with a web browser (not the smartphone or tablet you are registering).
  4. Duo Mobile App. You will be prompted to download this free application during the setup process.

First Time Setup Process for smartphone or tablet:

  1. Open a browser on a device other than the smartphone/tablet you are trying to register.
  2. Navigate to www.mfa.wisc.edu. When prompted, authenticate with your NetID and password.
  3. Click on Register Smartphone or Tablet
  4. You will be prompted for your NetID password once more, then you should be redirected to the Device Management Portal and prompted with the following screen:

    step 1

    1. Please note - If you are setting up your device due to an error during initial registration you will be prompted for a temporary passcode instead, as seen in the screenshot listed below. You will need to contact the DoIT Help Desk by phone for assistance.

      enter bypass code

  5. Click through the prompts until you arrive at the following screen:

    step 2

  6. Select Duo Mobile to register a smartphone or tablet. Select Security key to register a security key. Instructions for registering a security key are here.

Smartphone

  1. Enter your phone number and click Continue.

    step 3 - mobile

  2. Verify your phone number by clicking Yes, it's correct.

    step 4 - mobile

  3. Download the Duo Mobile Application for your device and click Next:

  4. Configure the Duo App on your mobile device and finish adding the device in MFA Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. If this is your first time enrolling with Duo, you will arrive at the following screen. Press Continue.

        duo app step 1

      3. Select Use a QR code.

        duo app step 2

  5. Using your device, scan the QR code on the screen in the MFA Portal. You will then be prompted to name the account on your mobile device.

    scan QR code

  6. You will see the following screen in your browser if your first device registration is successful, and your mobile phone should return to the Duo home screen. Click Continue.

    added duo mobile

  7. You will then be prompted with the following screen. Feel free to register a security key, otherwise select Skip for now.
    add another way to log in?
  8. Success! Setup complete. Select Login with Duo and your now-registered mobile device will be sent a push to verify that everything is working.
    setup complete

Tablet

  1. Select I have a tablet.

    step 1 - tablet

  2. Download the Duo Mobile Application for iOS or Android and click Next:

  3. Configure the Duo App on your tablet and finish adding the device in MFA Portal:

      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. If this is your first time enrolling with Duo, you will arrive at the following screen. Press Continue.

        duo app step 1

      3. Then select Use a QR code.

        duo app step 2

  4. Using your device, scan the QR code on the screen in the MFA Portal. You will then be prompted to name the account on your tablet.

    scan QR code

  5. You will see the following screen in your browser if your first device registration is successful, and your mobile phone should return to the Duo home screen. Click Continue.

    added duo mobile success screen

  6. You will then be prompted with the following screen. Feel free to register a security key, otherwise select Skip for now.
    add another way to log in?
  7. Success! Setup complete. Select Login with Duo and your now-registered tablet will be sent a push to verify that everything is working.
    success screen

    See accessibility & usability information

    We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

    For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

    How to get access to a Security Key or Duo Token/Fob 

    Students

    Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

    Faculty, Staff, and Researchers

    Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

    Adding a secondary/backup device:

    Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.

    Adding another device:

    1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. authentication devices.

    2. Click Manage MFA Preferences and Devices.

      • Note: You will need to authenticate using an existing multi-factor authentication device.
    3. Click Add a Device.

      add new device

    4. Follow the instructions specific to the device type you would like to add.

      Mobile Phone

      1. Select Duo Mobile.

        Select Duo Mobile

      2. Enter your phone number and press Continue.

        enter your phone number

      3. Verify your phone number by clicking Yes, it's correct.

        verify phone number

      4. Download the Duo Mobile Application on the new device you are adding, if not already downloaded and click Next:

      5. Configure the Duo App on your mobile device and finish adding the device in Device Management Portal:

        1. Open the Duo App on your phone.

          Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

        2. In the Duo App on your device, tap the Add + button in the top right corner and select the Use QR code option.

        3. Using your device, scan the QR code on the screen in the Device Management portal.

          scan QR code

        4. If device is added successfully you will arrive at the following screen. Selecting Continue will complete the process.

          success screen

      Tablet

      1. Select Duo Mobile.

        duo mobile

      2. Select I have a tablet.

        i have a tablet

      3. Download the Duo Mobile Application for iOS or Android and click Next:

      4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:
        1. Open the Duo App on your tablet.

          Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

        2. In the Duo App on your tablet, tap the Add + button in the top right corner and select the Use QR code option.

        3. Using your device, scan the QR code on the screen in the Device Management portal.

          scan QR code

        4. If device is added successfully you will arrive at the following screen. Selecting Continue will complete the process.

          success screen

      Token/Fob

      Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.
      1. Go to https://go.wisc.edu/token.

      2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

      • Select the type of token that you have.

        MFA Portal token/fob section with two options: register or resynchronize a device

      • Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

      • Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

      • Click Register Duo Token/Fob.

      • The token will now be registered with your account.

      • Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.

      Please note that one of the token images resembles a Yubikey token. While they may work, no support will be provided by the UW-Madison MFA project for Yubikey tokens.

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

      Security Key 

       

      Note: You will need the serial number of the device to complete registration. The serial number can be read from the back of the device or from a sticker placed on the packaging.

      There are two stages of registering these devices. The first stage registers the device to be used as a hardware token and the second stage registers it to be used as a WebAuthn Authenticator.

      1. Navigate to go.wisc.edu/token.

      2. Login with your NetID and password.

        • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

      3. Select "USB Security Key" from the list of device types.

        selection of three devices:  duo, otp c100, and USB Security Key

      4. You will be directed to Part 1 of the USB Security Key registration process.

        Follow the prompt to enter the USB Security Key Serial Number into the first input field. The serial number can be found on the back of your USB Security Key package.

        Part 1 of the registration process, with fields to enter in a securitiy key serial number and passcode, described in steps 4 through 7

      5. Plug the USB Security Key into a USB port or adapter.

      6. Click inside the second text field under Step 3: Get a passcode from the USB Security Key then press the button on your device. The six-digit passcode should be entered automatically.

      7. Click Next.

      8. Your device has now been successfully registered as a hardware token! 

      The second stage of the process registers your device as a WebAuthn Authenticator.

      registration - second stage

      1. Click the blue Duo Device Management Portal button. You will be asked to login with your NetID and password and authenticate with Duo once more.

      2. In the new tab that just opened, select the panel called Add a device.

        add new device

      3. Select Security key from the 'Select an option' window.

        security key

      4. Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.

        click continue

      5. Follow the prompts depending on your operating system and browser, then tap the button on your device to complete enrollment.

        success

      6. You should now see both a Security key or Passkey in your Device Management Portal as well as a Hardware Token. These both represent your singular physical device registered as a Hardware token that can enter passcodes, as well as a WebAuthn Authenticator.

        security key and hardware token

       

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

       

      Platform Authenticators

      Touch ID on Mac

      In order to use Touch ID with Duo, make sure you have the following:

      Note: The registration steps shown here are for the Chrome browser.

      1. Select Touch ID from the Select an option menu.
      2. Read the Touch ID information and click Continue.

      3. Chrome prompts you to verify your identity on duosecurity.com.

      4. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.

      5. When you receive confirmation that you added Touch ID as a verification method, tap Continue.

      You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your Touch ID fingerprint sensor.

      If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo.

      Face ID or Touch ID on an iPhone or iPad

      In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:

      • An iPhone or iPad that supports Face ID or Touch ID.
      • Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
      • iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

      Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the iPhone or iPad on which you would like to set up Face ID or Touch ID

      1. Select Face ID / Touch ID from the Select an option menu.

      2. Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
        Note: You may be prompted to save a passkey during these steps. If so, click Continue.

      3. When you receive confirmation that you added Face ID as a verification method click Continue.

      You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Face ID or Touch ID on an iPhone or iPad.

      Windows Hello

      In order to use Windows Hello with Duo, make sure you have the following:

      • A device running Windows 10 or later.
      • Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
      • A supported browser: Chrome, Edge, or Firefox. Refer to the browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

      1. Select Windows Hello from the Select an option menu.

      2. Read the Windows Hello information and click or tap Continue.

      3. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera.

        Note: You may receive a prompt that says "Passkey saved" after verifying your identity, click OK.

      4. When you receive confirmation that you added Windows Hello as a verification method click or tap Continue.

      You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Windows Hello.

      Android Biometrics

      In order to use Android Biometrics with Duo, make sure you have the following:

      Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the Android device on which you would like to set up Biometrics.

      1. Select Device verification from the Select an option menu.

      2. Read the device verification information and click or tap Continue.

      3. Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.

      4. When you receive confirmation that you added your Android device as a verification method tap Continue.

      You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Android biometrics.
    5. At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!

    Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.

    See accessibility & usability information

    We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

    For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

    How to get access to a Security Key or Duo Token/Fob 

    Students

    Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

    Faculty, Staff, and Researchers

    Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

    How many devices can I use with Duo?

    Duo has the following limitations per user:
    • 100 phones per use
    • 100 OTP tokens per user/100 U2F tokens per user

    More details can be found here: Duo Docs - What are the one-to-many object limits in Duo?

    Managing MFA device settings:

    • The Duo hosted Device Management Portal is used to add and remove devices as well as manage default device settings.

    • The UW-Madison hosted mfa.wisc.edu portal will be how you can launch to the Duo hosted Device Management Portal, and will remain the primary location for the following functionality:

      • Request Temporary Passcode for Emergency Access

      • Register a Token/Fob or USB Security Key

      • Create Backup Passcodes

    Note: This document is intended for use after you have already registered at least 1 device (smartphone, tablet or token). If you have not yet registered a device, see MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account

    Accessing the Multi-Factor Authentication Portal

    You can add additional verification methods, manage your existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt by navigating two ways:

    • By visiting mfa.wisc.edu, logging in with your NetID and password, and selecting “Manage MFA Preferences and Devices.” The Device Management Portal will open for you in a new browser tab.

    • Or, when logging into an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. Select the Manage devices choice at the end of the list to enter the device management portal

    manage devices

    To access the Device Management Portal you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity. 

    If you're visiting the Device Management Portal to delete or update a device you don't have anymore (such as a phone you lost or replaced), be sure to pick a verification option that you still have with you. 

    If you don't have any devices you can use to authenticate to device management, contact the DoIT Help Desk by phone at 608-264-4357.

    Edit Devices

    Clicking the Edit button next to the device presents a list of available options for the device.

    • Rename (Smartphone, Tablet): Allows you to change the name of the device.
    • Red Delete Option (Smartphone, Tablet, Token): Allows you to remove the device from your approved devices.
      • Note: if you have only one MFA device registered, you will not see the Red Trash Icon.

    device management portal

    Add Another Device (Recommended)

    UW-Madison encourages users to add multiple devices in the event that they lose access to a single device.

    To add another device, follow the instructions here: MFA-Duo - Adding Secondary/Backup Devices.

    Default Device Settings

      Information on setting default login devices can be found here: MFA-Duo - Setting a Default Login Device

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

      When do Duo Push authentication attempts expire?

      Duo Push authentication attempts expire after 60 seconds of no response.
      This isn't time is not configurable.

      What to do if you aren't receiving push notifications on your device:

      There are two main reasons you may not receive push notifications from Duo on your phone:

      1. Notifications are not enabled.
      2. Unstable cellular/data/wifi connection on your phone.

      Follow the steps below to resolve this issue:

      Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:

      Clip of a mobile device in the Duo app with the screen being dragged downward to refresh notifications

      When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.

      If push works by manually pulling to refresh but notifications are not received, it is most likely because you selected not to receive notifications when installing the application.

      To check if push notifications are enabled for Duo Mobile, and re-enable them if needed, follow these steps:

      1. On the iPhone, open Settings.

      2. Scroll down and select Duo Mobile.

      3. Select Notifications.

      4. If "Allow Notifications" box is already checked, uncheck and then re-check it. If it was not yet checked, check it. Verify that notifications are configured how you want them.

        iOS Settings with Allow Notifications toggled on

      5. Fully close (double-tap home button and swipe up) Duo Mobile.

      6. Open Duo Mobile again.

      Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:

      Clip of mobile device in the Duo app with the screen being pulled downward to refresh notifications

      When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.

      If pull to refresh works

      If manually checking works, then the issue is related to the Google Cloud Messaging (GCM) push notification service and Duo Mobile registering for pushes correctly. This will often fix itself after you pull-to-refresh. Sometimes there are issues with GCM on the device, like out-of-date play services, that prevent the device from receiving push notifications properly, you should update Google Play Services if possible to alleviate this.

      If it's an issue with the long-lived connection to GCM on the device, toggling Wi-Fi off and back on may fix the issue.

      Clearing the Duo Mobile application cache can also resolve delivery issues.

      1. Open Settings.

      2. Select Apps and scroll down to select Duo Mobile.

      3. On the App Info page, tap Clear Cache.

      If checking for and enabling notifications doesn't resolve your issue, the problem is most likely due to an unstable celluar/data/wifi connection on your phone. In this case, use the Duo Mobile app to generate a passcode: MFA-Duo - Obtaining a Passcode from the Duo Mobile App.

      Example error messages you may receive when due to an unstable cellular/data/wifi connection on your phone:

      Duo notification that reads Unknown Error

      Duo notification that reads Network Timeout

      What should you do when changing SIM card/phone number/phone?

      Changing SIM Card

      Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone's hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/ wi-fi service). To generate a passcode:

      • Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
      • Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.

      Permanently Changing Phone Number

      Assuming the user still has Duo Mobile installed and the ability to authenticate via push or a passcode, they should follow the procedure for adding a new device. See MFA-Duo - Adding Secondary/Backup Devices

      If they do not have any means of authenticating they should contact their help desk. We recommend deleting the old device as soon as possible, see MFA-Duo - Removing Devices

      Changing Phone

      Note: If you do not have access to your previously registered phone, you will need to get a temporary code to be able to access the Multi-Factor Authentication Portal in order to add your new phone. See MFA-Duo - Request a Temporary Passcode

      Since Duo Mobile is tied to a specific device's HSM, the user will need to reinstall and reactivate Duo Mobile on their new phone. See MFA-Duo - First Time Setup for Smartphone or Tablet
       

      Changing Phone, Keeping same phone number

      In this scenario, you will simply need to reactivate Duo Mobile for your new phone by visiting mfa.wisc.edu.

      Please see MFA Duo – Reactivate Duo on a Mobile Device for instructions on how to do so.

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

      Can I register my device to authenticate to more than one NetID account?

      No. According to the Acceptable Use of Information Technology Resources policy:

      "Authorized users must not engage in unacceptable use of UW System IT resources, which includes but is not limited to the following:

      1.  Sharing or transferring authentication details to others, or using another user’s authentication credentials such as network IDs and passwords, or other access codes or circumventing user authentication which could allow unauthorized users to gain access to UW System IT resources, except as required for administrative or business purposes..."

      Token, Fob, and USB Security Key Questions:

      What is a token/fob?

      Duo tokenOTP c100 token

      If you need a MFA token/fob, please contact your human resources or IT department, or visit the DoIT Help Desk. 

      Where can I get an MFA token/fob?

      MFA tokens/fobs can be picked up at the DoIT Onsite Help Desk, located at 1210 West Dayton Street, inside the entrance of the Computer Sciences building. 

      Who pays for MFA tokens/fobs?

      MFA tokens/fobs will be provided at no cost to faculty, staff, and students. This includes replacements for tokens/fobs that have been lost, stolen, or damaged.

      How long do the battery lives of OTP c100 fobs last?

      OTP c100 fobs have a battery life of 5 years.

      How do I register my MFA token/fob?

      How do I use my MFA token/fob?

       
       

      Registering a token/fob:

      Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.
      1. Go to https://go.wisc.edu/token.

      2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

      • Select the type of token that you have.

        MFA Portal token/fob section with two options: register or resynchronize a device

      • Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

      • Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

      • Click Register Duo Token/Fob.

      • The token will now be registered with your account.

      • Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.

      Please note that one of the token images resembles a Yubikey token. While they may work, no support will be provided by the UW-Madison MFA project for Yubikey tokens.

      What if my token/fob stops working?

      Note: This document is intended for tokens that have already been registered with your account. If you have not yet registered your token, see MFA-Duo - How to Register a Token/Fob

      Incorrect Passcode Errors

      Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login.

      incorrect passcode error

      If this happens to your token, you will see the error message above when attempting to log in. Your token can get "out of sync" by accident if it is stored next to other objects in a pocket, backpack, etc. or if the button is intentionally pressed repeatedly. There are two ways to resynchronize your token/fob.

      Method One

      To resynchronize your token/fob using the first method, follow the steps below:

      1. Log in with your NetID and password to the Duo Device Management Portal and click on Resynchronize Token/Fob or USB Security Key.

        Token/fob section of the MFA portal with two options: register or resynchronize

      2. Making sure that the token's button is oriented to the left, press the button to generate three distinct passcodes and enter each into one of the blank fields. Click Resynchronize Device.

        Prompt with three fields requesting three unique passcodes from the token being synchronized

      Method Two

      To resynchronize your token/fob using the second method, generate three passcodes in a row and attempt to log in with each passcode. You'll need to delete the passcode from the entry field before generating the next passcode and attempting to log in. On the fourth attempt, you should be able to log in.

      If your token still doesn't allow you to authenticate after trying both resynchronization methods, please call the DoIT Help Desk at (608) 264-HELP (4357).

      Token Display No Longer Works

      This is an indication that the token's battery has died. Since the batteries cannot be replaced, you'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.

      Token Displaying Unusual Characters, Generating Unusual Passwords, or Displaying the Same Code Repeatedly

      This is an indication that the token has malfunctioned. You'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.



      How to perform first time setup for tokens and fobs:

      Note: This document is only for setup if you're planning to use a token instead of a smartphone/tablet with MFA Duo. If you're planning to use a smartphone/tablet, see MFA-Duo - First Time Setup for Smartphone or Tablet.

      UW-Madison has selected Duo Multi-factor Authentication as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone or tablet.

      More on the Duo Multi-factor Authentication Project can be found on the MFA-Duo Authentication Project's website.

      First Token

      Instructions for setting up your first token can be found here: MFA-Duo - How to Register a Token/Fob.

      Additional Tokens/Devices

      UW-Madison encourages users to add multiple devices in the event that they lose access to a single device. Instructions for adding devices can be found here:

      MFA-Duo - Adding Secondary/Backup Devices

      MFA-Duo - Generating Backup Passcodes for Future Use

      What to do when you found a lost token/fob?

      Return lost tokens/fobs to the DoIT Help Desk as soon as possible.


      Passcode Questions:

      Generating a backup passcode:

      Note: You will need to be able to authenticate with Duo in order to reach the page to generate backup passcodes. If you currently cannot sign into Duo, try generating a temporary passcode (see MFA-Duo - Request a Temporary Passcode).

      Generating Backup Passcodes for Future Use

      1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.
      2. Click the blue Create Backup Passcodes button.
      3. MFA portal section for generating backup passcodes

      4. Click the blue Print Backup Passcodes button.
      5. Green message indicating that the passcodes have been created, with a button labeled Print Backup Passcodes

      6. Click Print to print your passcodes or write them down if you do not have access to a printer
      7. Print dialogue with the backup passcodes displayed as a document


      Handling Your Backup Codes

      • Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.
      • Generating new backup codes will invalidate your previous backup codes.
      • Backup codes will expire after four months; The expiration date is displayed on the print-out below the passcodes.
      • Each code can only be used once so we recommend crossing them off as you use them.

      Requesting a temporary passcode:

      Note: Not all users are eligible to generate temporary passcodes as eligibility depends on security classification of the individual.
       
      Requesting temporary passcodes should only be used in situations when you do not have access to your MFA device. It should not be used as a routine MFA-Duo login method.
       
      If this process does not work for you or you receive an error, call the DoIT Help Desk (608) 264-4357 so an agent can verify your identity and issue you a temporary bypass code.
      1. Log in with your NetID and password to the MFA-Duo Temporary Passcode Request application at: https://www.mynetid.wisc.edu/mfa-recovery

      2. Answer the security questions and click Next (these are the same security questions you set up for your NetID):

      security questions

      1. Once your temporary passcode is generated, click Copy or take note of your temporary passcode:

      Temporary passcode is provided and a copy button appears to the right of the field allowing you to copy the passcode to your clipboard

      1. You may use this code for 12 hours to login via MFA-Duo. Select Other options at the MFA-Duo prompt.

        other options

      2. Select Bypass code, enter the temporary passcode you generated, and click Verify.

        bypass code

        enter bypass code

      3. If you're trying to use this code to add a new MFA device, see: MFA-Duo - Adding Secondary/Backup Devices 

      Obtaining a passcode from Duo Mobile app:

      This feature is great for situations when your phone doesn't have a stable cellular data or wifi connection. This feature can even be used with your phone is in airplane mode or when you are traveling outside of the US.
        1. At the MFA Duo prompt, if it is automatically sending you a push, select Other options.

          other options

        2. Select Duo Mobile passcode from the list.

          duo mobile passcode

        3. Open the Duo Mobile app on your device and click Show under your UW Madison NetID Login account.

          show passcode

        4. A 6-digit passcode will be presented.

          passcode

        5. Enter the passcode generated from the app in the MFA Duo prompt and click Verify to complete the process.

          enter your passcode

          Note: If the code doesn't work, click the Refresh Passcode button to generate a new code.



      Keywordsduo mfa how fob token tokens mobile android iphone device authentication security passcode devices eligible eligibility enroll NetID activate reactivate set up secondary backup limitations limits limit limitation OTP U2F settings push expire expiration expires SIM card change changing key feitian compatibility setup first time lost generate app how faq   Doc ID109870
      OwnerVadym P.GroupIdentity and Access Management
      Created2021-03-24 12:30:31Updated2024-07-29 14:50:08
      SitesDoIT Help Desk, Identity and Access Management
      CleanURLhttps://kb.wisc.edu/mfa-duo-frequently-asked-questions-limitations
      Feedback  8   5