MFA-Duo - Best Practices for Using Duo

This document will highlight the best practices for using MFA Duo.

1. Register more than 1 device or generate backup codes for future use

If you've ever been in a situation where you don't have your MFA device with you, you know this can be a major inconvenience. Give yourself some options ahead of time so you don't get into a bind:

Generate backup codes for future use

Note: You will need to be able to authenticate with Duo in order to reach the page to generate backup passcodes. If you currently cannot sign into Duo, try generating a temporary passcode (see MFA-Duo - Request a Temporary Passcode).

Generating Backup Passcodes for Future Use

  1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.

  2. Click the blue Create Backup Passcodes button.

  3. Click the blue Print Backup Passcodes button.

  4. Click Print to print your passcodes or write them down if you do not have access to a printer.

Handling Your Backup Codes

  • Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.

  • Generating new backup codes will invalidate your previous backup codes.

  • Backup codes will expire after four months; the expiration date is displayed on the print-out below the passcodes.

  • Each code can only be used once so we recommend crossing them off as you use them.

See accessibility & usability information

We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

How to get access to a Security Key or Duo Token/Fob 

Students

Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

Faculty, Staff, and Researchers

Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

 

Add an additional device

Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.

Adding another device:

  1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password.

  2. Click Manage MFA Preferences and Devices.

    • Note: You will need to authenticate using an existing multi-factor authentication device.
  3. Click Add a Device.

  4. Follow the instructions specific to the device type you would like to add.

    Mobile Phone

    1. Select Duo Mobile.

    2. Enter your phone number and press Continue.

    3. Verify your phone number by clicking Yes, it's correct.

    4. If it is not already installed, download the Duo Mobile Application on the new device you are adding, then click Next.

    5. Configure the Duo App on your mobile device and finish adding the device in Device Management Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the Duo App on your device, tap the Add + button in the top right corner and select the Use QR code option.

      3. Using your device, scan the QR code on the screen in the Device Management portal.

      4. If the device is added successfully, you will arrive at a success screen. Selecting Continue will complete the process.

    Tablet

    1. Select Duo Mobile.

    2. Select I have a tablet.

    3. Download the Duo Mobile Application for iOS or Android and click Next:

    4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:
      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the Duo App on your tablet, tap the Add + button in the top right corner and select the Use QR code option.

      3. Using your device, scan the QR code on the screen in the Device Management portal.

      4. If the device is added successfully, you will arrive at a success screen. Selecting Continue will complete the process.

    Token/Fob

    Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.
    1. Go to https://go.wisc.edu/token.

    2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to log in with your NetID twice, then be prompted for MFA Duo.

    3. Select the type of token that you have.

      MFA Portal token/fob section with two options: register or resynchronize a device

    4. Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

    5. Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

    6. Click Register Duo Token/Fob.

    7. The token will now be registered with your account.

      • Note: If the token is the first MFA device you have registered, you will start being prompted for MFA.

    Please note that one of the token images resembles a Yubikey token. While they may work, no support will be provided by the UW-Madison MFA project for Yubikey tokens.
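
    Why repeated button presses can leave a token out of sync, as an added example (not part of the original document, and not UW-Madison or Duo code): it assumes the fob is an event-based HOTP token (RFC 4226), where each press consumes one counter value and the server only checks a small look-ahead window. The `Token` and `Server` classes, the window size, the resync range, and the secret (the RFC 4226 test key) are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226 test secret, plus an assumed
# look-ahead window and resync range (the page does not state the real ones).
SECRET = b"12345678901234567890"
LOOK_AHEAD = 3
RESYNC_RANGE = 100


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Hypothetical fob: every button press consumes one counter value."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Hypothetical verifier that tracks the next counter it expects."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def _matches(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str) -> bool:
        # Normal login: only the next LOOK_AHEAD counter values are tried.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if self._matches(c, code):
                self.counter = c + 1  # codes up to c can never be reused
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        # Requiring two consecutive codes lets the server search a wider range.
        for c in range(self.counter, self.counter + RESYNC_RANGE):
            if self._matches(c, first) and self._matches(c + 1, second):
                self.counter = c + 2
                return True
        return False


def demo() -> dict:
    token, server = Token(SECRET), Server(SECRET)
    out = {}
    for _ in range(2):                 # two stray presses before first use
        token.press()
    out["small_drift"] = server.verify(token.press())
    for _ in range(4):                 # four more stray presses
        token.press()
    out["out_of_sync"] = server.verify(token.press())
    out["resync"] = server.resync(token.press(), token.press())
    out["after_resync"] = server.verify(token.press())
    return out


if __name__ == "__main__":
    print(demo())
```

    In this model a couple of stray presses are absorbed by the look-ahead window, while a longer run pushes the token's counter past it, which is the situation the resynchronize option in the portal exists for.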

    Security Key 

     

    Note: You will need the serial number of the device to complete registration. The serial number can be read from the back of the device or from a sticker placed on the packaging.

    There are two stages of registering these devices. The first stage registers the device to be used as a hardware token and the second stage registers it to be used as a WebAuthn Authenticator.

    1. Navigate to go.wisc.edu/token.

    2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to log in with your NetID twice, then be prompted for MFA Duo.

    3. Select "USB Security Key" from the list of device types.

      selection of three devices:  duo, otp c100, and USB Security Key

    4. You will be directed to Part 1 of the USB Security Key registration process.

      Follow the prompt to enter the USB Security Key Serial Number into the first input field. The serial number can be found on the back of your USB Security Key package.

      Part 1 of the registration process, with fields to enter a security key serial number and passcode, described in steps 4 through 7

    5. Plug the USB Security Key into a USB port or adapter.

    6. Click inside the second text field under Step 3: Get a passcode from the USB Security Key then press the button on your device. The six-digit passcode should be entered automatically.

    7. Click Next.

    8. Your device has now been successfully registered as a hardware token! 

    The second stage of the process registers your device as a WebAuthn Authenticator.

    1. Click the blue Duo Device Management Portal button. You will be asked to log in with your NetID and password and authenticate with Duo once more.

    2. In the new tab that just opened, select the panel called Add a device.

    3. Select Security key from the 'Select an option' window.

    4. Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.

    5. Follow the prompts depending on your operating system and browser, then tap the button on your device to complete enrollment.

    6. You should now see both a Security key (or Passkey) entry and a Hardware Token entry in your Device Management Portal. Both entries represent the same physical device: one is its registration as a Hardware Token that can enter passcodes, the other its registration as a WebAuthn Authenticator.

     


    Platform Authenticators

    Touch ID on Mac

    In order to use Touch ID with Duo, make sure you have the following:

    Note: The registration steps shown here are for the Chrome browser.

    1. Select Touch ID from the Select an option menu.
    2. Read the Touch ID information and click Continue.

    3. Chrome prompts you to verify your identity on duosecurity.com.

    4. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.

    5. When you receive confirmation that you added Touch ID as a verification method, tap Continue.

    You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your Touch ID fingerprint sensor.

    If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo.

    Face ID or Touch ID on an iPhone or iPad

    In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:

    • An iPhone or iPad that supports Face ID or Touch ID.
    • Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
    • iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

    Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the iPhone or iPad on which you would like to set up Face ID or Touch ID.

    1. Select Face ID / Touch ID from the Select an option menu.

    2. Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
      Note: You may be prompted to save a passkey during these steps. If so, click Continue.

    3. When you receive confirmation that you added Face ID as a verification method, click Continue.

    You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Face ID or Touch ID on an iPhone or iPad.

    Windows Hello

    In order to use Windows Hello with Duo, make sure you have the following:

    • A device running Windows 10 or later.
    • Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
    • A supported browser: Chrome, Edge, or Firefox. Refer to the browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

    1. Select Windows Hello from the Select an option menu.

    2. Read the Windows Hello information and click or tap Continue.

    3. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera.

      Note: You may receive a prompt that says "Passkey saved" after verifying your identity. If so, click OK.

    4. When you receive confirmation that you added Windows Hello as a verification method, click or tap Continue.

    You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Windows Hello.

    Android Biometrics

    In order to use Android Biometrics with Duo, make sure you have the following:

    Note: These steps (including Steps 1-3 at the top of this document to navigate to the Device Management portal) must be done on a browser on the Android device on which you would like to set up Biometrics.

    1. Select Device verification from the Select an option menu.

    2. Read the device verification information and click or tap Continue.

    3. Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.

    4. When you receive confirmation that you added your Android device as a verification method, tap Continue.

    You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Android biometrics.
  5. At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!

Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.

2. Use the "Remember Me for 12 Hours" option

Having to use MFA Duo for every NetID login session can become tedious. Use the "Remember Me for 12 Hours" option to minimize the number of times you'll need to authenticate with MFA Duo:

Use Remember Me for 12 Hours

Note: The "Remember me for 12 hours" function is not currently working with Safari version 13.0.3 on Mac OS 10.14.6 (Mojave). Duo is aware of the issue, and it should be resolved soon.

Note: Some users have reported issues using "Remember me for 12 hours" on iOS version 14.2 across all browsers.

Please see the Troubleshooting section below if you find that "remember me" is not working for you.

In order to log in with Duo Multi-factor Authentication, you must have first set up a device and linked it with your NetID. If you have not yet completed this, follow the instructions here: MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account

Using "Remember Me for 12 hours"

  1. Navigate to a page that requires Duo Multi-factor Authentication after NetID login (e.g. MyUW).

  2. Authenticate with your NetID and Password.

  3. After authenticating with Duo, you will be prompted with the following dialogue box:

    Is this your device?

  4. Selecting Yes, this is my device will remember your browser session for 12 hours. Be sure to select No, other people use this device if you are on a shared computer.
    1. When the remembered device cookie expires, the Duo two-factor authentication prompt for that application shows the Remember me checkbox as an enabled option on the Duo Push, phone call, text message, and passcode authentication screens. Users can uncheck the box before completing Duo authentication to log in without remembering the browser on this device, or leave it enabled to set a new remembered device cookie for the application.

  Troubleshooting "Remember Me"

Users may find that they are prompted for MFA-Duo within 12 hours even after they have selected the "remember me for 12 hours" box. The "remember me" feature relies on a browser cookie to function.
"Remember me" may not work in the following situations:
  • If you close your browser or switch to a new browser.
  • If you switch to a different computer.
  • If you are using private/incognito browsing mode.
  • If your browser does not allow cookies to be saved.
  • If you clear your browser cookies.
Here are some basic troubleshooting tips to ensure that "remember me" works.
  1. Make sure that your internet browser allows cookies from the duosecurity.com domain to be stored in your browser.
    • In Safari, go to Safari > Preferences > Privacy. Under Cookies and website data click Allow from websites I visit. Restart your browser and try "remember me" again.
    • In Internet Explorer, go to Tools > Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored. Restart your browser and try "remember me" again.
    • In Firefox, go to Firefox > Preferences > Privacy & Security. Ensure Third-Party Cookies are not blocked. Under Cookies and Site Data click Accept cookies and site data. Restart your browser and try "remember me" again.
    • In Chrome, go to Preferences > Settings > Show advanced settings > Content settings. Ensure Block third-party cookies is not selected. Restart your browser and try "remember me" again.
  2. If you have browser extensions or plug-ins installed, disable or remove them to see if "remember me" works. Many browser extensions and plug-ins prevent cookies.
  3. If the steps above do not resolve the issue, please contact the DoIT Help Desk.

    Doc ID: 80774
    Owned by: MST Support in Identity and Access Management
    Created: 2018-03-10
    Updated: 2024-01-08
    Sites: DoIT Help Desk, Identity and Access Management