MFA-Duo - Frequently Asked Questions & Limitations
General MFA-Duo Questions:
Who is eligible to use UW-Madison Duo-Multi Factor Authentication?
Eligible to use Campus funded MFA-Duo license:
This section describes groups who are eligible to enroll in MFA-Duo.
Groups where MFA-Duo enrollment is required are denoted by a *. Other groups in this section are eligible for MFA-Duo, but are not required to enroll. Once someone who is eligible enrolls in MFA-Duo, they are required to use it from that point forward.
- Current UW-Madison employees*
- Those with a current job (between start date and end date) in HRS
- Student employees
- LTEs, Postdoctoral Scholars and Trainees, Honorary Associates/Fellows and Non-Paid positions entered as jobs in HRS ($0 appointments)
- Future UW-Madison employees
- All future employees with a start date any time in the future.
- Current UW-Madison students*
- Those currently enrolled in for-credit classes.
- Future UW-Madison students
- Those eligible to enroll in for-credit classes.
- New students enrolling in the fall semester become required to use Duo on July 1.
- Note: Incoming graduate students will need to be matriculated by their respective grad school before becoming eligible to enroll in Duo.
- Current UW-Madison senior guest auditors
- Consultants (POI 14)
- Timecard Approvers (POI 13)
- Emeritus (POI 21)
- Volunteers (POI 22)
- LAB Auditors (POI 26)
- Some additional affiliates
Any group not listed above is not eligible.
- Those without a current job (between start date and end date) in HRS
- Former employees, non-emeritus retirees
- Most Affiliates
- Students not enrolled in for-credit courses
- Former students
- Students enrolled in non-timetable (not for credit) courses
- Non-Madison UW students
- Employees that are not directly working for UW-Madison
- UWSA
- UWSS
- Individual campus
- etc.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Enrolling in MFA Duo using a NetID login account:
Mobile Device Questions:
Reactivating Duo on mobile devices:
-
Navigate to the UW-Madison MFA Portal at MFA.wisc.edu and login with your NetID and password if requested. Once there, click Manage MFA Preferences and Devices.
-
You will be prompted for your NetID and password again, as well as MFA.
If you are currently unable to login to MFA because you do not have another device setup or you do not have a saved list of backup codes, you will need to use a temporary passcode (see MFA-Duo - Request a Temporary Passcode) to continue. If you are still able to log into Duo with a device or backup passcode, you can use those instead. If you are unable to request a temporary passcode and have no other backup options, you will need to call the DoIT Help Desk at 608-264-HELP (4357) to request a bypass code.
-
To enter a temporary passcode, select Other options.
- Select Bypass code from the list.
- Enter the temporary bypass code that you either 1) generated, 2) had from a list of backup codes, or 3) requested from the DoIT Help Desk and select Verify.
-
-
You will arrive at the Duo Security - Device Management portal. Find the device you wish to reactivate and select I have a new phone.
NOTE: Steps 3-7 are the same whether you are reactivating a mobile device or a tablet.
-
Click Get started if your new device is using the same phone number as before. If you have a new number, follow the steps for adding a new device instead.
-
Download Duo Mobile on your new device if you have not already and select Next.
-
iOS: Download the Duo Mobile App from the App Store.
-
Android: Download the Duo Mobile App from the Google Play Store.
-
-
Configure the Duo App on your mobile device and finish adding the device in Device Management Portal:
-
Open the Duo App on your device.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
-
If this is your first time enrolling with Duo on this device, you will arrive at the following screen. Press Continue.
(Note: If it is not your first time using Duo on this device, tap the Add + button in the top right corner and select the Use QR code option.)
- Select Use a QR code.
-
Using your device, scan the QR code on the screen in the Device Management portal.
-
- You will see the following screen in your browser if your device reactivation is successful, and your mobile phone should return to the Duo home screen. Click Continue. Reactivation is complete!
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at
MFA-Duo - Accessibility & Usability Information.
If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357. For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor. Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. See accessibility & usability information
How to get access to a Security Key or Duo Token/Fob
Students
Faculty, Staff, and Researchers
Setting up Duo for the first time on mobile devices:
Note: This document is only for setup if you're planning to use a smartphone or tablet with MFA Duo.
- If you're planning to use a token only, see MFA-Duo - First Time Setup for Token/Fob .
- If you need help reactivating duo on a new device, see MFA Duo – Reactivate Duo on a Mobile Device
Background:
UW-Madison has selected Duo as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone, tablet or token.
More on the Duo Multi-factor Authentication Project can be found on here: MFA-Duo - What is Duo Multi-factor Authentication?.
Items needed for First Time Setup:
- Smartphone or tablet running supported platform.
- Smartphone or tablet connected to Wi-Fi or cellular data network.
- Separate device with a web browser (not the smartphone or tablet you are registering).
- Duo Mobile App. You will be prompted to download this free application during the setup process.
First Time Setup Process for smartphone or tablet:
- Open a browser on a device other than the smartphone/tablet you are trying to register.
- Navigate to www.mfa.wisc.edu. When prompted, authenticate with your NetID and password.
- Click on Register Smartphone or Tablet
- You will be prompted for your NetID password once more, then you should be redirected to the Device Management Portal and prompted with the following screen:
- Please note - If you are setting up your device due to an error during initial registration you will be prompted for a temporary passcode instead, as seen in the screenshot listed below. You will need to contact the DoIT Help Desk by phone for assistance.
- Click through the prompts until you arrive at the following screen:
- Select Duo Mobile to register a smartphone or tablet. Select Security key to register a security key. Instructions for registering a security key are here.
Smartphone
-
Enter your phone number and click Continue.
-
Verify your phone number by clicking Yes, it's correct.
-
Download the Duo Mobile Application for your device and click Next:
-
iOS/iPhone: Download the Duo Mobile App from the App Store.
-
Android: Download the Duo Mobile App from the Google Play Store.
-
-
Configure the Duo App on your mobile device and finish adding the device in MFA Portal:
-
Open the Duo App on your phone.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
-
If this is your first time enrolling with Duo, you will arrive at the following screen. Press Continue.
- Select Use a QR code.
-
-
Using your device, scan the QR code on the screen in the MFA Portal. You will then be prompted to name the account on your mobile device.
- You will see the following screen in your browser if your first device registration is successful, and your mobile phone should return to the Duo home screen. Click Continue.
- You will then be prompted with the following screen. Feel free to register a security key, otherwise select Skip for now.
- Success! Setup complete. Select Login with Duo and your now-registered mobile device will be sent a push to verify that everything is working.
Tablet
-
Select I have a tablet.
-
Download the Duo Mobile Application for iOS or Android and click Next:
-
iOS: Download the Duo Mobile App from the App Store.
-
Android: Download the Duo Mobile App from the Google Play Store.
-
-
Configure the Duo App on your tablet and finish adding the device in MFA Portal:
-
Open the Duo App on your tablet.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
-
If this is your first time enrolling with Duo, you will arrive at the following screen. Press Continue.
-
Then select Use a QR code.
-
-
Using your device, scan the QR code on the screen in the MFA Portal. You will then be prompted to name the account on your tablet.
- You will see the following screen in your browser if your first device registration is successful, and your mobile phone should return to the Duo home screen. Click Continue.
- You will then be prompted with the following screen. Feel free to register a security key, otherwise select Skip for now.
- Success! Setup complete. Select Login with Duo and your now-registered tablet will be sent a push to verify that everything is working.
- Optional - To set your default login settings, see MFA-Duo - Setting a Default Login Device.
- UW-Madison encourages users to add multiple devices in the event that they lose access to a single device. Instructions for adding devices can be found here:
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at
MFA-Duo - Accessibility & Usability Information.
If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357. For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor. Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. See accessibility & usability information
How to get access to a Security Key or Duo Token/Fob
Students
Faculty, Staff, and Researchers
Adding a secondary/backup device:
Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.
Adding another device:
-
Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. authentication devices.
-
Click Manage MFA Preferences and Devices.
- Note: You will need to authenticate using an existing multi-factor authentication device.
-
Click Add a Device.
-
Follow the instructions specific to the device type you would like to add.
Mobile Phone
-
Select Duo Mobile.
- Enter your phone number and press Continue.
- Verify your phone number by clicking Yes, it's correct.
-
Download the Duo Mobile Application on the new device you are adding, if not already downloaded and click Next:
-
iOS/iPhone: Download the Duo Mobile App from the App Store.
-
Android: Download the Duo Mobile App from the Google Play Store.
-
-
Configure the Duo App on your mobile device and finish adding the device in Device Management Portal:
-
Open the Duo App on your phone.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
-
In the Duo App on your device, tap the Add + button in the top right corner and select the Use QR code option.
-
Using your device, scan the QR code on the screen in the Device Management portal.
- If device is added successfully you will arrive at the following screen. Selecting Continue will complete the process.
-
Tablet
-
Select Duo Mobile.
- Select I have a tablet.
-
Download the Duo Mobile Application for iOS or Android and click Next:
-
iOS: Download the Duo Mobile App from the App Store.
-
Android: Download the Duo Mobile App from the Google Play Store.
-
- Configure the Duo App on your tablet and finish adding the device in MFA Portal:
-
Open the Duo App on your tablet.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
-
In the Duo App on your tablet, tap the Add + button in the top right corner and select the Use QR code option.
-
Using your device, scan the QR code on the screen in the Device Management portal.
- If device is added successfully you will arrive at the following screen. Selecting Continue will complete the process.
-
Token/Fob
Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.-
Go to https://go.wisc.edu/token.
-
Log in with your NetID and password.
-
Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.
-
Select the type of token that you have.
-
Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.
-
Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.
-
Click Register Duo Token/Fob.
-
The token will now be registered with your account.
-
Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Security Key
Note: You will need the serial number of the device to complete registration. The serial number can be read from the back of the device or from a sticker placed on the packaging.
There are two stages of registering these devices. The first stage registers the device to be used as a hardware token and the second stage registers it to be used as a WebAuthn Authenticator.
-
Navigate to go.wisc.edu/token.
-
Login with your NetID and password.
-
Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.
-
-
Select "USB Security Key" from the list of device types.
-
You will be directed to Part 1 of the USB Security Key registration process.
Follow the prompt to enter the USB Security Key Serial Number into the first input field. The serial number can be found on the back of your USB Security Key package.
-
Plug the USB Security Key into a USB port or adapter.
-
Click inside the second text field under Step 3: Get a passcode from the USB Security Key then press the button on your device. The six-digit passcode should be entered automatically.
-
Click Next.
-
Your device has now been successfully registered as a hardware token!
The second stage of the process registers your device as a WebAuthn Authenticator.
-
Click the blue Duo Device Management Portal button. You will be asked to login with your NetID and password and authenticate with Duo once more.
-
In the new tab that just opened, select the panel called Add a device.
-
Select Security key from the 'Select an option' window.
-
Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.
-
Follow the prompts depending on your operating system and browser, then tap the button on your device to complete enrollment.
-
You should now see both a Security key or Passkey in your Device Management Portal as well as a Hardware Token. These both represent your singular physical device registered as a Hardware token that can enter passcodes, as well as a WebAuthn Authenticator.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Platform Authenticators
Touch ID on Mac
In order to use Touch ID with Duo, make sure you have the following:
- A MacBook Pro, MacBook Air, or Apple Magic Keyboard with a Touch ID button.
- A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).
- A supported browser: Safari or Chrome. Refer to the browser support table.
- iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.
Note: The registration steps shown here are for the Chrome browser.
- Select Touch ID from the Select an option menu.
-
Read the Touch ID information and click Continue.
- Chrome prompts you to verify your identity on duosecurity.com.
- Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.
- When you receive confirmation that you added Touch ID as a verification method, tap Continue.
You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your Touch ID fingerprint sensor.
If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo.
Face ID or Touch ID on an iPhone or iPad
In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:
- An iPhone or iPad that supports Face ID or Touch ID.
- Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
- iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.
Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the iPhone or iPad on which you would like to set up Face ID or Touch ID
- Select Face ID / Touch ID from the Select an option menu.
- Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
Note: You may be prompted to save a passkey during these steps. If so, click Continue.
- When you receive confirmation that you added Face ID as a verification method click Continue.
You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Face ID or Touch ID on an iPhone or iPad.
Windows Hello
In order to use Windows Hello with Duo, make sure you have the following:
- A device running Windows 10 or later.
- Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
- A supported browser: Chrome, Edge, or Firefox. Refer to the browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.
- Select Windows Hello from the Select an option menu.
- Read the Windows Hello information and click or tap Continue.
- Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera.
Note: You may receive a prompt that says "Passkey saved" after verifying your identity, click OK. - When you receive confirmation that you added Windows Hello as a verification method click or tap Continue.
You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Windows Hello.
Android Biometrics
In order to use Android Biometrics with Duo, make sure you have the following:
- An Android device that supports biometrics, like fingerprint or face unlock.
- Facial or fingerprint unlock set up on that device. Go to Settings → Security to change your unlock settings. Refer to the Google support articles Unlock your Pixel phone with your fingerprint and Unlock your Pixel phone with your face, the Samsung articles Set up and use the fingerprint sensor on your Galaxy phone and Use Facial recognition security on your Galaxy phone, or your device manufacturer's support site for examples of how to do this.
Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the Android device on which you would like to set up Biometrics.
- Select Device verification from the Select an option menu.
- Read the device verification information and click or tap Continue.
- Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.
- When you receive confirmation that you added your Android device as a verification method tap Continue.
-
-
At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!
Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How many devices can I use with Duo?
- 100 phones per use
- 100 OTP tokens per user/100 U2F tokens per user
More details can be found here: Duo Docs - What are the one-to-many object limits in Duo?
Managing MFA device settings:
-
The Duo hosted Device Management Portal is used to add and remove devices as well as manage default device settings.
-
The UW-Madison hosted mfa.wisc.edu portal will be how you can launch to the Duo hosted Device Management Portal, and will remain the primary location for the following functionality:
-
Request Temporary Passcode for Emergency Access
-
Register a Token/Fob or USB Security Key
-
Create Backup Passcodes
-
Note: This document is intended for use after you have already registered at least 1 device (smartphone, tablet or token). If you have not yet registered a device, see MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account
Accessing the Multi-Factor Authentication Portal
You can add additional verification methods, manage your existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt by navigating two ways:
-
By visiting mfa.wisc.edu, logging in with your NetID and password, and selecting “Manage MFA Preferences and Devices.” The Device Management Portal will open for you in a new browser tab.
-
Or, when logging into an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. Select the Manage devices choice at the end of the list to enter the device management portal
To access the Device Management Portal you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity.
If you're visiting the Device Management Portal to delete or update a device you don't have anymore (such as a phone you lost or replaced), be sure to pick a verification option that you still have with you.
If you don't have any devices you can use to authenticate to device management, contact the DoIT Help Desk by phone at 608-264-4357.
Edit Devices
Clicking the Edit button next to the device presents a list of available options for the device.
- Rename (Smartphone, Tablet): Allows you to change the name of the device.
- Red Delete Option (Smartphone, Tablet, Token): Allows you to remove the device from your approved devices.
- Note: if you have only one MFA device registered, you will not see the Red Trash Icon.
Add Another Device (Recommended)
UW-Madison encourages users to add multiple devices in the event that they lose access to a single device.
To add another device, follow the instructions here: MFA-Duo - Adding Secondary/Backup Devices.
Default Device Settings
Information on setting default login devices can be found here: MFA-Duo - Setting a Default Login Device
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
When do Duo Push authentication attempts expire?
This isn't time is not configurable.
What to do if you aren't receiving push notifications on your device:
There are two main reasons you may not receive push notifications from Duo on your phone:
- Notifications are not enabled.
- Unstable cellular/data/wifi connection on your phone.
Follow the steps below to resolve this issue:
Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:
When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.
If push works by manually pulling to refresh but notifications are not received, it is most likely because you selected not to receive notifications when installing the application.
To check if push notifications are enabled for Duo Mobile, and re-enable them if needed, follow these steps:
On the iPhone, open Settings.
Scroll down and select Duo Mobile.
Select Notifications.
If "Allow Notifications" box is already checked, uncheck and then re-check it. If it was not yet checked, check it. Verify that notifications are configured how you want them.
Fully close (double-tap home button and swipe up) Duo Mobile.
Open Duo Mobile again.
Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:
When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.
If pull to refresh works
If manually checking works, then the issue is related to the Google Cloud Messaging (GCM) push notification service and Duo Mobile registering for pushes correctly. This will often fix itself after you pull-to-refresh. Sometimes there are issues with GCM on the device, like out-of-date play services, that prevent the device from receiving push notifications properly, you should update Google Play Services if possible to alleviate this.
If it's an issue with the long-lived connection to GCM on the device, toggling Wi-Fi off and back on may fix the issue.
Clearing the Duo Mobile application cache can also resolve delivery issues.
Open Settings.
Select Apps and scroll down to select Duo Mobile.
On the App Info page, tap Clear Cache.
If checking for and enabling notifications doesn't resolve your issue, the problem is most likely due to an unstable celluar/data/wifi connection on your phone. In this case, use the Duo Mobile app to generate a passcode: MFA-Duo - Obtaining a Passcode from the Duo Mobile App.
Example error messages you may receive when due to an unstable cellular/data/wifi connection on your phone:What should you do when changing SIM card/phone number/phone?
Changing SIM Card
Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone's hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/ wi-fi service). To generate a passcode:
- Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
- Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.
Permanently Changing Phone Number
Assuming the user still has Duo Mobile installed and the ability to authenticate via push or a passcode, they should follow the procedure for adding a new device. See MFA-Duo - Adding Secondary/Backup Devices
If they do not have any means of authenticating they should contact their help desk. We recommend deleting the old device as soon as possible, see MFA-Duo - Removing Devices
Changing Phone
Since Duo Mobile is tied to a specific device's HSM, the user will need to reinstall and reactivate Duo Mobile on their new phone. See MFA-Duo - First Time Setup for Smartphone or Tablet
Changing Phone, Keeping same phone number
In this scenario, you will simply need to reactivate Duo Mobile for your new phone by visiting mfa.wisc.edu.
Please see MFA Duo – Reactivate Duo on a Mobile Device for instructions on how to do so.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Can I register my device to authenticate to more than one NetID account?
No. According to the Acceptable Use of Information Technology Resources policy:
"Authorized users must not engage in unacceptable use of UW System IT resources, which includes but is not limited to the following:
1. Sharing or transferring authentication details to others, or using another user’s authentication credentials such as network IDs and passwords, or other access codes or circumventing user authentication which could allow unauthorized users to gain access to UW System IT resources, except as required for administrative or business purposes..."
Token, Fob, and USB Security Key Questions:
What is a token/fob?
If you need a MFA token/fob, please contact your human resources or IT department, or visit the DoIT Help Desk.
Where can I get an MFA token/fob?
MFA tokens/fobs can be picked up at the DoIT Onsite Help Desk, located at 1210 West Dayton Street, inside the entrance of the Computer Sciences building.
Who pays for MFA tokens/fobs?
How long do the battery lives of OTP c100 fobs last?
OTP c100 fobs have a battery life of 5 years.
How do I register my MFA token/fob?
How do I use my MFA token/fob?
Registering a token/fob:
-
Go to https://go.wisc.edu/token.
-
Log in with your NetID and password.
-
Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.
-
Select the type of token that you have.
-
Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.
-
Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.
-
Click Register Duo Token/Fob.
-
The token will now be registered with your account.
-
Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.
What if my token/fob stops working?
Note: This document is intended for tokens that have already been registered with your account. If you have not yet registered your token, see MFA-Duo - How to Register a Token/Fob
Incorrect Passcode Errors
Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login.
If this happens to your token, you will see the error message above when attempting to log in. Your token can get "out of sync" by accident if it is stored next to other objects in a pocket, backpack, etc. or if the button is intentionally pressed repeatedly. There are two ways to resynchronize your token/fob.
Method One
To resynchronize your token/fob using the first method, follow the steps below:
-
Log in with your NetID and password to the Duo Device Management Portal and click on Resynchronize Token/Fob or USB Security Key.
-
Making sure that the token's button is oriented to the left, press the button to generate three distinct passcodes and enter each into one of the blank fields. Click Resynchronize Device.
Method Two
To resynchronize your token/fob using the second method, generate three passcodes in a row and attempt to log in with each passcode. You'll need to delete the passcode from the entry field before generating the next passcode and attempting to log in. On the fourth attempt, you should be able to log in.
If your token still doesn't allow you to authenticate after trying both resynchronization methods, please call the DoIT Help Desk at (608) 264-HELP (4357).
Token Display No Longer Works
This is an indication that the token's battery has died. Since the batteries cannot be replaced, you'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.
Token Displaying Unusual Characters, Generating Unusual Passwords, or Displaying the Same Code Repeatedly
This is an indication that the token has malfunctioned. You'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.
How to perform first time setup for tokens and fobs:
Note: This document is only for setup if you're planning to use a token instead of a smartphone/tablet with MFA Duo. If you're planning to use a smartphone/tablet, see MFA-Duo - First Time Setup for Smartphone or Tablet.
UW-Madison has selected Duo Multi-factor Authentication as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone or tablet.
First Token
Instructions for setting up your first token can be found here: MFA-Duo - How to Register a Token/Fob.
Additional Tokens/Devices
UW-Madison encourages users to add multiple devices in the event that they lose access to a single device. Instructions for adding devices can be found here:
What to do when you found a lost token/fob?
Return lost tokens/fobs to the DoIT Help Desk as soon as possible.
Passcode Questions:
Generating a backup passcode:
Note: You will need to be able to authenticate with Duo in order to reach the page to generate backup passcodes. If you currently cannot sign into Duo, try generating a temporary passcode (see MFA-Duo - Request a Temporary Passcode).
Generating Backup Passcodes for Future Use
- Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.
- Click the blue Create Backup Passcodes button.
- Click the blue Print Backup Passcodes button.
- Click Print to print your passcodes or write them down if you do not have access to a printer.
Handling Your Backup Codes
- Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.
- Generating new backup codes will invalidate your previous backup codes.
- Backup codes will expire after four months; The expiration date is displayed on the print-out below the passcodes.
- Each code can only be used once so we recommend crossing them off as you use them.
Requesting a temporary passcode:
-
Log in with your NetID and password to the MFA-Duo Temporary Passcode Request application at: https://www.mynetid.wisc.edu/mfa-recovery
-
Answer the security questions and click Next (these are the same security questions you set up for your NetID):
-
Once your temporary passcode is generated, click Copy or take note of your temporary passcode:
-
You may use this code for 12 hours to login via MFA-Duo. Select Other options at the MFA-Duo prompt.
- Select Bypass code, enter the temporary passcode you generated, and click Verify.
-
If you're trying to use this code to add a new MFA device, see: MFA-Duo - Adding Secondary/Backup Devices
Obtaining a passcode from Duo Mobile app:
- At the MFA Duo prompt, if it is automatically sending you a push, select Other options.
- Select Duo Mobile passcode from the list.
- Open the Duo Mobile app on your device and click Show under your UW Madison NetID Login account.
- A 6-digit passcode will be presented.
- Enter the passcode generated from the app in the MFA Duo prompt and click Verify to complete the process. Note: If the code doesn't work, click the Refresh Passcode button to generate a new code.