MFA-Duo - Exemption Process

This is an internal document for HDQA and Tier 3 MFA Support detailing the exemption process for MFA-Duo.

Situations where the Exemption Process can be used:

  • If a user is locked out of MFA and a bypass code will not work. Exempt the user for 3 business days.

  • If a user is required to use MFA but does not have a device to register with and cannot obtain a token/fob or security key from the DoIT Onsite Help Desk or from their HR Department. Exempt the user for 30 business days. This allows time for shipping of the fob and time to activate it. See also: MFA-Duo - Handling Requests for Shipping Tokens/Fobs

  • If the user is a new international student and they require a fob, but cannot receive shipment of a fob, they can be made exempt from Duo until two weeks after the start of the fall semester. This rule applies to the following countries or regions:

    • Cuba (CU)
    • North Korea (KP)
    • Iran (IR)
    • Sudan (SD)
    • Syria (SY)
    • Crimea region (43)
    • Donetsk region (14)
    • Luhansk region (09)
    • Sevastopol region (40)

More info on international students and Duo (OFAC)

  • In order to comply with U.S. regulations, beginning May 2022, Duo will be blocking authentications from users whose IP address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control (OFAC).
  • This means that authentications to University of Wisconsin - Madison Duo-protected applications (VPN, O365, Canvas, Google suite, etc.) coming from countries or regions that are currently under OFAC economic or trade sanctions will be blocked.
  • Users attempting to authenticate from these locations will receive an "Access Denied. Duo Security does not provide services in your current location." error message or another generic failed login message.
  • This is only effective for production NetIDs. This will not work on ITE (test) NetIDs.

  • Be sure to inform the user of the expiration date of their exemption!

HDQA Emergency Exemption Process

To add users to the exemption group:

    1. Go to the Manifest Group (full path: uw:org:doit_helpdesk:mfa exemptions).

    2. Make sure you are on the Members tab. Click on Add Member(s).

    3. Enter the user's NetID in the Add individual members box.

    4. Click Add individuals.

    5. Enter an End date. See the situations section to decide how long to exempt the user. Inform the user when the exemption will end.

    6. Enter a Membership comment in the following format: Case # Temporary exemption due to MFA lock out.

    7. Click Save.


Keywords: excluded retiree except exception exceptions duo mfa 2fa remove eligibility
Doc ID: 87485
Owned by: MST Support in Identity and Access Management
Created: 2018-11-02
Updated: 2024-08-23
Sites: DoITHelpDesk-internal, IAM-internal