MFA-Duo - Child Accounts and MFA for non-netid services

Duo Child Accounts allow campus system administrators to leverage Duo for systems that are not integrated with NetID-based authentication.

BACKGROUND:

UW System Administrative Policies 1030 and 1031 mandate that we implement a multi-factor authentication system where restricted or sensitive data exists or is accessible. UW-Madison selected Duo Security (https://duo.com/docs/platform_overview) as its Multi-Factor Authentication (MFA) solution.


The general campus offering for Duo MFA is integrated with the NetID Login Service. UW-Madison schools, divisions, and departments need a way to integrate Duo two-factor authentication with their own identity and access management (IAM) systems that don’t leverage the institutional credential (NetID). Due to namespace uniqueness concerns during the out-of-the-box Duo registration process and the need for campus groups to manage their own application/authentication policies, it is recommended that groups needing non-NetID integrations use a separate Duo account.  Duo provides a mechanism called a child account which is linked to the main parent account for the purposes of billing.

IMPACT:

A number of areas have already set up child accounts. This means individuals on campus may have more than one MFA/Duo Account at UW-Madison.  Issues may arise with either or both accounts depending on the central cause of the problem. In those cases, individuals may reach out to the Help Desk to resolve.  A determination will need to be made on which account or accounts are impacted and then direct the issue to the appropriate contact.


NEW CHILD ACCOUNT:

Departments wishing to create and manage a Duo Child Account must agree to a Memorandum of Understanding (MOU) that defines both campus and departmental responsibilities. To request a new DUO Child Account, please review the MOU linked above to ensure that you are comfortable with the responsibilities assigned and contact the Identity & Access Management Team, mstsupport@lists.wisc.edu to initiate a request.


CONTACT:

For UW-Madison issues, contact Identity & Access Management Team, mstsupport@lists.wisc.edu.  



FAQ’s

  1. Will there be additional costs associated with a child account?

    1. Answer: No additional costs for MFA licensing, however, if the child account administrators choose to enable telephone/telephony authentication, the owners of the child account will be responsible for any associated costs.

  2. Do I have to use a separate token for the child account?

    1. Answer: Yes. Tokens cannot be used across multiple accounts, so child account owners will need to fund and procure tokens if they wish to allow users to use tokens to authenticate to their child account.

  3. Where do I go for support of a child account?

    1. Answer:  For ongoing support of administering the child account , contact Duo (link/info) directly.  For users of a child account, contact your child account administrator. DoIT Identity & Access Management or Help Desk will not be responsible for assisting with child accounts other than initial account setup.





Keywords:DUO MFA non-netid   Doc ID:91621
Owner:Tom J.Group:Middleware
Created:2019-05-08 07:46 CSTUpdated:2019-05-15 09:39 CST
Sites:Multi-Factor Authentication (MFA)
Feedback:  0   0