MFA-Duo - Frequently Asked Questions & Limitations

This document provides references and answers to frequently asked questions about Multi Factor Authentication using Duo.

General MFA-Duo Questions:

Who is eligible to use UW-Madison Duo-Multi Factor Authentication?

Eligible to use Campus funded MFA-Duo license:

  • Current UW-Madison employees
    • Those with a current job (between start date and end date) in HRS
    • Student employees
    • LTEs, Postdoctoral Scholars and Trainees, Honorary Associates/Fellows and Non-Paid positions entered as jobs in HRS ($0 appointments)
  • Current UW-Madison students
    • Those currently enrolled in for-credit courses
  • Current UW-Madison senior guest auditors
  • Consultants (POI 14)
  • Timecard Approvers (POI 13)

Any group not listed above is not eligible.

Unfortunately, because of licensing, only the groups listed above are eligible. Other third-party MFA options are also not available because our services are not structured to integrate them, even if they are free.

Examples of ineligible populations include, but are not limited to:
  • Those without a current job (between start date and end date) in HRS
    • Former employees, retirees, emeritus
    • Future employees
    • Affiliates
  • Students not enrolled in for-credit courses
    • Former students
    • Future students
    • Students enrolled in non-timetable (not for credit) courses

See accessibility & usability information

We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

How to get access to a Security Key or Duo Token/Fob 

Students

Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

Faculty, Staff, and Researchers

Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

 

Enrolling in MFA Duo using a NetID login account:

Mobile Device Questions:

Reactivating Duo on mobile devices:

  1. If you are currently unable to log in to MFA because you do not have another device set up or you do not have a saved list of backup codes, you will need to use a temporary passcode (see MFA-Duo - Request a Temporary Passcode) to log in. If you are still able to log into Duo with a device or backup passcode, you can skip this step.

  2. Navigate to the UW-Madison MFA Portal at MFA.wisc.edu and log in with your NetID and password if requested. Once there, click Manage MFA Preferences and Devices.

    UW-Madison MFA Portal Manage Preferences and Devices Button

  3. You will see a page that says Manage Your Multi-Factor Authentication (MFA) Devices and prompts you for an MFA-Duo Login. Click the Enter a Passcode option.

    Enter a Passcode Button Highlighted

  4. Enter the temporary passcode you received at step 1, then press Login.

    Passcode entered into the Login with Passcode field

  5. Find the device you wish to re-activate, then click Device Options.

    Click Device Options

  6. Click Reactivate Duo Mobile.

    Click Reactivate Duo Mobile

  7. Follow the instructions for activating your device by clicking the device you are setting up:

    1. Select Mobile phone then press Continue.

      Device type list with Mobile selected

    2. Enter the phone number of the device. Next, verify this is the correct number of the device by checking the box. Now press Continue.

      Phone number entered into field

    3. Select the type of phone that the number is associated with (iPhone, Android, or Windows Phone) and press Continue.

    4. Download the Duo Mobile Application on the new device you are adding, if not already downloaded:

    5. Configure the Duo App on your mobile device and finish adding the device in MFA Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that the Duo app is installed on the desired device

      3. In the Duo App on your device, tap the plus sign button.

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with a green check mark indicating that the device was successfully registered

    1. Select Tablet then press Continue.

      Device type list with Tablet selected

    2. Select your device type (iOS or Android) and press Continue.

    3. Download the Duo Mobile Application for iOS or Android on your tablet, if not already downloaded:

    4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:
      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that the Duo app is installed on the desired device

      3. In the Duo App on your device, tap the plus sign button.

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with a green check mark indicating that the device was successfully registered

Setting up Duo for the first time on mobile devices:

Note: This document is only for setup if you're planning to use a smartphone or tablet with MFA Duo.

Background:

UW-Madison has selected Duo as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone, tablet or token.

More on the Duo Multi-factor Authentication Project can be found here: MFA-Duo - What is Duo Multi-factor Authentication?.

Items needed for First Time Setup:

  1. Smartphone or tablet running supported platform.
  2. Smartphone or tablet connected to Wi-Fi or cellular data network.
  3. Separate device with a web browser (not the smartphone or tablet you are registering).
  4. Duo Mobile App. You will be prompted to download this free application during the setup process.

First Time Setup Process for smartphone or tablet:

  1. Open a browser on a device other than the smartphone/tablet you are trying to register.
  2. Navigate to www.mfa.wisc.edu. When prompted, authenticate with your NetID and password.
  3. Click on Register Smartphone or Tablet.

    MFA Portal section to register smartphone or tablet

  4. Click the Start setup button.

    Prompt to start setup

  5. Select the device type you would like to add.

    1. Select Mobile Phone then press Continue.

      List of devices with Mobile selected

    2. Enter the phone number of the device. Next, verify this is the correct number of the device by checking the box. Now press Continue.

      Prompt for phone number in the available field

    3. Select the type of phone that the number is associated with and press Continue.

      Prompt for the phone type, or operating system
    4. Download the Duo Mobile Application for your device:

    5. Configure the Duo App on your mobile device and finish adding the device in MFA Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt to verify that Duo is installed on the desired device

      3. In the Duo App on your device, tap the plus sign button in the top right.

        View from the Duo app on the mobile device, with the Add or Plus sign button highlighted

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with a green check mark indicating that the registration was successful

      5. You will see the following screen in your browser if your first device registration is successful, and your mobile phone should return to the Duo home screen. You will be prompted to start using MFA within one day.

        A success message indicating that your NetID account is now enrolled in Duo


    1. Select Tablet then press Continue.

      List of device options with Tablet selected

    2. Select iOS or Android (depending on your device) then press Continue.

      Select the operating system of the tablet
    3. Download the Duo Mobile Application for iOS or Android:

    4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:

      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt to verify that the Duo app is installed on the tablet

      3. In the Duo App on your tablet, tap the plus sign button in the top right.

        View from the Duo application on the device with the Add or Plus Sign button highlighted

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with a green check mark indicating that the registration was successful

      5. You will see the following screen in your browser if your first device registration is successful, and your tablet should return to the Duo home screen. You will be prompted to start using MFA within one day.

        Green message indicating that your NetID is now enrolled in Duo


  • Optional - To set your default login settings, see MFA-Duo - Setting a Default Login Device.

  • UW-Madison encourages users to add multiple devices in the event that they lose access to a single device. Instructions for adding devices can be found here:

    MFA-Duo - Adding Secondary/Backup Devices

    MFA-Duo - Generating Backup Passcodes for Future Use

Adding a secondary/backup device:

Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.

Adding another device:

  1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password.

  2. Click Manage MFA Preferences and Devices.

    • Note: You will need to authenticate using an existing multi-factor authentication device.
  3. Click Add Another Device.

    My Settings and Devices with Add Another Device highlighted

  4. Follow the instructions specific to the device type you would like to add.

    1. Select Mobile phone then press Continue.

      Device type list with Mobile selected

    2. Enter the phone number of the device. Next, verify this is the correct number of the device by checking the box. Now press Continue.

      Phone number entered into the field

    3. Select the type of phone that the number is associated with (iPhone, Android, or Windows Phone) and press Continue.

    4. Download the Duo Mobile Application on the new device you are adding, if not already downloaded:

    5. Configure the Duo App on your mobile device and finish adding the device in MFA Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that Duo app is installed on the desired device

      3. In the Duo App on your device, tap the plus sign button.

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with green check mark indicating that the registration was successful

    1. Select Tablet then press Continue.

      Device type list with Tablet selected

    2. Select your device type (iOS or Android) and press Continue.

    3. Download the Duo Mobile Application for iOS or Android on your tablet, if not already downloaded:

    4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:
      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that Duo app is installed on desired device

      3. In the Duo App on your device, tap the plus sign button.

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with green check mark indicating the device was registered successfully

      Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.
      1. Go to https://go.wisc.edu/token.

      2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

    • Select the type of token that you have.

      MFA Portal token/fob section with two options: register or resynchronize a device

    • Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

    • Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

    • Click Register Duo Token/Fob.

    • The token will now be registered with your account.

    • Please note, if the token is the first MFA device you have registered, you will start being prompted for MFA.

    • Please note that one of the token images resembles a Yubikey token. Yubikey tokens are not supported by the UW Madison MFA project.

      MFA only supports the U2F authentication method in the Google Chrome browser, so we highly recommend you use the U2F feature as a SECONDARY authentication method and have at least one other device enrolled.

      1. Login to the MFA Portal.

      2. Click Register Token/Fob or USB Security Key.

        MFA Portal token/fob section with two options: register or resynchronize device

      3. Click USB Security Key.

        Selection of three device types: Duo, OTP c100, Security Key

      4. Enter the serial number, found on the back of the USB device. Plug the device into a USB port, and tap the button on the device to enter a six-digit passcode into the field under Step 3.

        Prompt for the USB Security Key serial number which is printed on the back of the device.  Once entered, another prompt requests that you plug in the USB device then tap the button to generate a code into the field

      5. In the lower window, authenticate to Duo using your USB token. Then click +Add another device. Select Security Key.

        Prompt for authentication with the USB token
      6. Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.

        the options Back and Continue which will appear after selecting Security Key from the device types.

        pop-up window that appears after clicking continue on the previous screen, prompting the user to insert the security key into a USB port and to tap the button.

      7. Tap the button on your device to complete enrollment.


      If you run into any issues or have any questions, please contact the DoIT Help Desk.

      The security key allows MFA-Duo users to insert the security key into the USB port of their computer or laptop to authenticate. This security key requires a reachable USB port, but this security key also works with a laptop or desktop USB to USB-C adaptor. The key is not compatible with mobile devices and only works with laptop or desktop computers. 

      The security key experience is slightly different for the following modes of logging in: 

      See below for details on these modes. 

      Chrome web browser login 

      When logging in to a UW-Madison website or apps using Chrome (version 70 or later), insert the security key into your USB port, select Security Key (U2F) from the device dropdown menu, and lightly touch the impressed sensor button to initiate login. 

      Non-Chrome web browser or local software login

      When logging into a UW-Madison website or app in Firefox or Safari, insert the security key into your USB port. Select Token from the device dropdown menu, and click the "Enter passcode" button to make the passcode input field editable. Then lightly touch the impressed sensor button to insert the passcode in the input field. If you are using a screen reader or other assistive technology, the security key may enter the passcode so quickly you may not hear the full code. The audio cue may only include the last digit of the code. Click the login button to complete authentication, as the full code should have populated the field. 

      (See How to use a Feitian USB Security Key for more details and screenshots on the Chrome web browser login.)  

      How to get a security key

      Faculty and Staff: New staff: Get a Feitian security key from your HR representative. Feitian security keys can also be picked up at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706. Current staff can get a Feitian security key at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706.

      Students: Get a token or security key at no charge, at either the Walk-in Help Desk at 1210 W. Dayton St. or the pop-up Help Desks from early September through October 31, 2019. Locations and times for the pop-up Help Desks will be posted on the UW-Madison Events Calendar soon. After October 31, tokens or security keys can be picked up at the Walk-In Help Desk at 1210 W. Dayton St. For other assistance, contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.  

    • At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!

    Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.


    How many devices can I use with Duo?

    Duo has the following limitations per user:
    • 100 phones per user
    • 100 OTP tokens per user
    • 100 U2F tokens per user

    More details can be found here: Duo Docs - What are the one-to-many object limits in Duo?

    Managing MFA device settings:

    Note: This document is intended for use after you have already registered at least 1 device (smartphone, tablet or token). If you have not yet registered a device, see MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account

    Accessing the Multi-Factor Authentication Portal

    1. To access the Multi-Factor Authentication Portal, navigate to www.mfa.wisc.edu and log in with your NetID and password.
    2. Click on Manage MFA Preferences & Devices.
    3. You will be prompted to use MFA to authenticate at this point.
    4. You will now see the My Settings & Devices page which lists the devices that you have already registered for MFA.
    5. Clicking the Device Options button next to the device presents a list of available options for the device.
    • Reactivate Duo Mobile (Smartphone, Tablet): Allows you to complete the setup of Duo Mobile on a device if the app was uninstalled or you received a new smartphone or tablet.
    • Change Device Name (Smartphone, Tablet): Allows you to change the name of the device.
    • Red Trash Icon (Smartphone, Tablet, Token): Allows you to remove the device from your approved devices.
      • Note: if you have only one MFA device registered, you will not see the Red Trash Icon.
    My Settings and Devices page of the MFA portal

    Add Another Device (Recommended)

    UW-Madison encourages users to add multiple devices in the event that they lose access to a single device.

    To add another device, follow the instructions here: MFA-Duo - Adding Secondary/Backup Devices.

    Default Device Settings

    • Default Device: Allows you to pick the default device that you log in with.
    • When I log in: Allows you to select the default authentication method. UW-Madison recommends you do NOT select 'Automatically send this device a Duo Push'. If you select to automatically send a push to this device, you will not have the opportunity to select 'remember me for 12 hours' during the initial login push.

    More on default devices can be found here: MFA-Duo - Setting a Default Login Device

    When do Duo Push authentication attempts expire?

    Duo Push authentication attempts expire after 60 seconds of no response.
    This time is not configurable.

    What to do if you aren't receiving push notifications on your device:

    There are two main reasons you may not receive push notifications from Duo on your phone:

    1. Notifications are not enabled.
    2. Unstable cellular/data/wifi connection on your phone.

    Follow the steps below to resolve this issue:

    Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:

    Clip of a mobile device in the Duo app with the screen being dragged downward to refresh notifications

    When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.

    If push works by manually pulling to refresh but notifications are not received, it is most likely because you selected not to receive notifications when installing the application.

    To check if push notifications are enabled for Duo Mobile, and re-enable them if needed, follow these steps:

    1. On the iPhone, open Settings.

    2. Scroll down and select Duo Mobile.

    3. Select Notifications.

    4. If "Allow Notifications" box is already checked, uncheck and then re-check it. If it was not yet checked, check it. Verify that notifications are configured how you want them.

      iOS Settings with Allow Notifications toggled on

    5. Fully close (double-tap home button and swipe up) Duo Mobile.

    6. Open Duo Mobile again.

    Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app:

    Clip of mobile device in the Duo app with the screen being pulled downward to refresh notifications

    When you do this, the Duo Mobile application will reach out to the Duo cloud service directly to check for login requests rather than using the push notification services. This is generally the most reliable way of receiving a login request and should work if the app and account are functioning properly.

    If pull to refresh works

    If manually checking works, then the issue is related to the Google Cloud Messaging (GCM) push notification service and Duo Mobile registering for pushes correctly. This will often fix itself after you pull-to-refresh. Sometimes there are issues with GCM on the device, like out-of-date Play Services, that prevent the device from receiving push notifications properly; you should update Google Play Services if possible to alleviate this.

    If it's an issue with the long-lived connection to GCM on the device, toggling Wi-Fi off and back on may fix the issue.

    Clearing the Duo Mobile application cache can also resolve delivery issues.

    1. Open Settings.

    2. Select Apps and scroll down to select Duo Mobile.

    3. On the App Info page, tap Clear Cache.

    If checking for and enabling notifications doesn't resolve your issue, the problem is most likely due to an unstable cellular/data/wifi connection on your phone. In this case, use the Duo Mobile app to generate a passcode: MFA-Duo - Obtaining a Passcode from the Duo Mobile App.

    Example error messages you may receive due to an unstable cellular/data/wifi connection on your phone:

    Duo notification that reads Unknown Error

    Duo notification that reads Network Timeout

    What should you do when changing SIM card/phone number/phone?

    Changing SIM Card

    Changing your SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone's hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (a passcode can be generated even when your smartphone is in airplane mode or lacks cell/wi-fi service). To generate a passcode:

    • Simply open the Duo Mobile app and click the UW Madison NetID Login down arrow located at the upper right-hand corner of your smartphone. This will generate a six-digit temporary passcode.
    • Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.

    Permanently Changing Phone Number

    Assuming the user still has Duo Mobile installed and the ability to authenticate via push or a passcode, they should follow the procedure for adding a new device. See MFA-Duo - Adding Secondary/Backup Devices.

    If they do not have any means of authenticating, they should contact their help desk. We recommend deleting the old device as soon as possible; see MFA-Duo - Removing Devices.

    Changing Phone

    Note: If you do not have access to your previously registered phone, you will need to get a temporary code to be able to access the Multi-Factor Authentication Portal in order to add your new phone. See MFA-Duo - Request a Temporary Passcode

    Since Duo Mobile is tied to a specific device's HSM, the user will need to reinstall and reactivate Duo Mobile on their new phone. See MFA-Duo - First Time Setup for Smartphone or Tablet

    Changing Phone, Keeping same phone number

    In this scenario, you will simply need to reactivate Duo Mobile for your new phone by visiting mfa.wisc.edu.

    1. Log in with your NetID and password.

    2. Click Manage MFA Preferences and Devices.

    3. You will be prompted for MFA. If you do not have access to your previously registered phone, you will need to get a temporary code to be able to access the Multi-Factor Authentication Portal. See MFA-Duo - Request a Temporary Passcode

    4. Click the Device Options button next to your previously registered phone.

    5. Click Reactivate Duo Mobile.

    6. Install Duo Mobile on your new phone.

    7. Click I have Duo Mobile Installed.

    8. Follow the onscreen prompts to scan the QR code.

    9. Your phone should now be reactivated and ready for use with MFA Duo.



    How to get access to a Security Key or Duo Token/Fob 

    Students

    Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

    Faculty, Staff, and Researchers

    Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

    Token, Fob, and USB Security Key Questions:

    What is a token/fob?

    Duo token

    OTP c100 token

    If you need a MFA token/fob, please contact your human resources or IT department, or visit the DoIT Help Desk. 


    Who pays for MFA tokens/fobs?

    MFA tokens/fobs will be provided at no cost to faculty, staff, and students. This includes replacements for tokens/fobs that have been lost, stolen, or damaged.

    How do I register my MFA token/fob?

    How do I use my MFA token/fob?


     

    Registering a token/fob:

    Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.
    1. Go to https://go.wisc.edu/token.

    2. Log in with your NetID and password.

    • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

  5. Select the type of token that you have.

    MFA Portal token/fob section with two options: register or resynchronize a device

  6. Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

  7. Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

  8. Click Register Duo Token/Fob.

  9. The token will now be registered with your account.

  10. Please note, if the token is the first MFA device you have registered, you will start being prompted for MFA.

  11. Please note that one of the token images resembles a Yubikey token. Yubikey tokens are not supported by the UW Madison MFA project.

    Registering a U2F USB Security Key:

    MFA only supports the U2F authentication method in the Google Chrome browser, so we highly recommend you use the U2F feature as a SECONDARY authentication method and have at least one other device enrolled.

    1. Log in to the MFA Portal.

    2. Click Register Token/Fob or USB Security Key.

      MFA Portal token/fob section with two options: register or resynchronize device

    3. Click USB Security Key.

      Selection of three device types: Duo, OTP c100, Security Key

    4. Enter the serial number, found on the back of the USB device. Plug the device into a USB port, and tap the button on the device to enter a six-digit passcode into the field under Step 3.

      Prompt for the USB Security Key serial number which is printed on the back of the device.  Once entered, another prompt requests that you plug in the USB device then tap the button to generate a code into the field

    5. In the lower window, authenticate to Duo using your USB token. Then click +Add another device. Select Security Key.

      Prompt for authentication with the USB token
    6. Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.

      the options Back and Continue which will appear after selecting Security Key from the device types.

      pop-up window that appears after clicking continue on the previous screen, prompting the user to insert the security key into a USB port and to tap the button.

    7. Tap the button on your device to complete enrollment.


    If you run into any issues or have any questions, please contact the DoIT Help Desk.


      What if my token/fob stops working?

      Note: This document is intended for tokens that have already been registered with your account. If you have not yet registered your token, see MFA-Duo - How to Register a Token/Fob

      Incorrect Passcode Errors

      Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login.

      Error message indicating an incorrect passcode

      If this happens to your token, you will see the error message above when attempting to log in. Your token can get "out of sync" by accident if it is stored next to other objects in a pocket, backpack, etc. or if the button is intentionally pressed repeatedly. There are two ways to resynchronize your token/fob.

      Method One

      To resynchronize your token/fob using the first method, follow the steps below:

      1. Log in with your NetID and password to the Duo Device Management Portal and click on Resynchronize Token/Fob or USB Security Key.

        Token/fob section of the MFA portal with two options: register or resynchronize

      2. Making sure that the token's button is oriented to the left, press the button to generate three distinct passcodes and enter each into one of the blank fields. Click Resynchronize Device.

        Prompt with three fields requesting three unique passcodes from the token being synchronized

      Method Two

      To resynchronize your token/fob using the second method, generate three passcodes in a row and attempt to log in with each passcode. You'll need to delete the passcode from the entry field before generating the next passcode and attempting to log in. On the fourth attempt, you should be able to log in.

      If your token still doesn't allow you to authenticate after trying both resynchronization methods, please call the DoIT Help Desk at (608) 264-HELP (4357).
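The out-of-sync behaviour described above is characteristic of an event-based one-time-password token. As an added illustration (not UW-Madison's or Duo's code), this sketch assumes the fob follows HOTP (RFC 4226) and that the verifier searches a small look-ahead window at login and a wider one during resynchronization. The window sizes, the `Token` and `Server` classes and `demo` are assumptions made for the example.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 10    # assumed: counters past the stored one that a login will try
RESYNC_SPAN = 200  # assumed: wider search permitted only during resynchronization


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """The fob: every button press consumes one counter value."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """The verifier: remembers the next counter it expects from the fob."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def _match(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if self._match(c, code):
                self.counter = c + 1  # this code and every skipped one are now dead
                return True
        return False

    def resync(self, codes: list) -> bool:
        # A single 6-digit match in a wide window is too easy to hit by chance,
        # so the wide search demands a run of consecutive codes.
        for c in range(self.counter, self.counter + RESYNC_SPAN):
            if all(self._match(c + i, code) for i, code in enumerate(codes)):
                self.counter = c + len(codes)
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, not a real seed
    token, server = Token(secret), Server(secret)
    first = token.press()
    out = {"normal": server.verify(first)}
    for _ in range(3):   # a few stray presses stay inside the look-ahead window
        token.press()
    out["small_drift"] = server.verify(token.press())
    for _ in range(25):  # button pressed repeatedly in a pocket or backpack
        token.press()
    out["out_of_sync"] = server.verify(token.press())
    out["resync"] = server.resync([token.press() for _ in range(3)])
    out["after_resync"] = server.verify(token.press())
    out["replay_first_code"] = server.verify(first)
    return out
```

The sketch models Method One (several codes submitted together). It also shows why a used or skipped code never works again: the verifier's counter only moves forward.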


      Token Display No Longer Works

      This is an indication that the token's battery has died. Since the batteries cannot be replaced, you'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.


      Token Displaying Unusual Characters, Generating Unusual Passwords, or Displaying the Same Code Repeatedly

      This is an indication that the token has malfunctioned. You'll need to obtain a replacement token. Contact your human resources department, IT department, or visit the DoIT Help Desk on Dayton Street to get a new token.



      Using Feitian USB security keys and compatibility:

      The security key allows MFA-Duo users to insert the security key into the USB port of their computer or laptop to authenticate. This security key requires a reachable USB port, but this security key also works with a laptop or desktop USB to USB-C adaptor. The key is not compatible with mobile devices and only works with laptop or desktop computers. 

      The security key experience is slightly different for the following modes of logging in: 

      See below for details on these modes. 

      Chrome web browser login 

      When logging in to a UW-Madison website or apps using Chrome (version 70 or later), insert the security key into your USB port, select Security Key (U2F) from the device dropdown menu, and lightly touch the impressed sensor button to initiate login. 

      Non-Chrome web browser or local software login

      When logging into a UW-Madison website or app in Firefox or Safari, insert the security key into your USB port. Select Token from the device dropdown menu, and click the "Enter passcode" button to make the passcode input field editable. Then lightly touch the impressed sensor button to insert the passcode in the input field. If you are using a screen reader or other assistive technology, the security key may enter the passcode so quickly you may not hear the full code. The audio cue may only include the last digit of the code. Click the login button to complete authentication, as the full code should have populated the field. 

      (See How to use a Feitian USB Security Key for more details and screenshots on the Chrome web browser login.)  

      How to get a security key

      Faculty and Staff

      New staff: Get a Feitian security key from your HR representative. Feitian security keys can also be picked up at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706.

      Current staff: Get a Feitian security key at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706.

      Students: Get a token or security key at no charge, at either the Walk-in Help Desk at 1210 W. Dayton St. or the pop-up Help Desks from early September through October 31, 2019. Locations and times for the pop-up Help Desks will be posted on the UW-Madison Events Calendar soon. After October 31, tokens or security keys can be picked up at the Walk-In Help Desk at 1210 W. Dayton St. For other assistance, contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.  

        How to perform first time setup for tokens and fobs:

        Note: This document is only for setup if you're planning to use a token instead of a smartphone/tablet with MFA Duo. If you're planning to use a smartphone/tablet, see MFA-Duo - First Time Setup for Smartphone or Tablet.

        UW-Madison has selected Duo Multi-factor Authentication as our solution for Multi-factor Authentication. In order to utilize Multi-factor authentication, you will need to set it up on a smartphone or tablet.

        More on the Duo Multi-factor Authentication Project can be found on the MFA-Duo Authentication Project's website.

        First Token

        Instructions for setting up your first token can be found here: MFA-Duo - How to Register a Token/Fob.

        Additional Tokens/Devices

        UW-Madison encourages users to add multiple devices in the event that they lose access to a single device. Instructions for adding devices can be found here:

        MFA-Duo - Adding Secondary/Backup Devices

        MFA-Duo - Generating Backup Passcodes for Future Use

        What should you do if you find a lost token/fob?

        Return lost tokens/fobs to the DoIT Help Desk as soon as possible.


        Passcode Questions:

        Generating a backup passcode:

        Generating Backup Passcodes for Future Use

        1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.

        2. Click the blue Create Backup Passcodes button.

          MFA portal section for generating backup passcodes

        3. Click the blue Print Backup Passcodes button.

          Green message indicating that the passcodes have been created, with a button labeled Print Backup Passcodes

        4. Click Print to print your passcodes or write them down if you do not have access to a printer.

          Print dialogue with the backup passcodes displayed as a document


        Handling Your Backup Codes

        • Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.
        • Generating new backup codes will invalidate your previous backup codes.
        • Backup codes will expire after four months; the expiration date is displayed on the print-out below the passcodes.
        • Each code can only be used once so we recommend crossing them off as you use them.

        Requesting a temporary passcode:

        Note: Not all users are eligible to generate temporary passcodes as eligibility depends on security classification of the individual.

        Requesting temporary passcodes should only be used in situations when you do not have access to your MFA device. It should not be used as a routine MFA-Duo login method.

        If this process does not work for you or you receive an error, call the DoIT Help Desk (608) 264-4357 so an agent can verify your identity and issue you a temporary bypass code.

        1. Log in with your NetID and password to the MFA-Duo Temporary Passcode Request application at: https://login.wisc.edu/duo-recovery.

        2. Answer the security questions and click Next (these are the same security questions you set up for your NetID):

          Duo passcode request page with three security questions

        3. Once your temporary passcode is generated, click Copy or take note of your temporary passcode:

          Temporary passcode is provided and a copy button appears to the right of the field allowing you to copy the passcode to your clipboard

        4. You may use this code for 12 hours to login via MFA-Duo. Be sure to select Enter a Passcode at the MFA-Duo prompt and enter your passcode.

          Duo prompt with options to send a push or enter a passcode - enter a passcode is highlighted and should be used with the temporary passcode that was generated

        5. If you're trying to use this code to add a new MFA device, see: MFA-Duo - Adding Secondary/Backup Devices 

        Obtaining a passcode from Duo Mobile app:

        This feature is great for situations when your phone doesn't have a stable cellular data or wifi connection. This feature can even be used when your phone is in airplane mode or when you are traveling outside of the US.

        1. At the MFA Duo prompt, select Enter a Passcode.

          Duo authentication page with options to send push or enter passcode

        2. Open the Duo Mobile app on your device.

        3. Click the UW Madison item in your app.

          Duo Mobile app with entry for UW Madison NetID Login

        4. A 6-digit passcode will be presented. Enter that passcode in the MFA Duo prompt to complete the login process.

        • If the code doesn't work, click the refresh icon next to the code to generate a new code.
        • The code below is simply an example and not to be used to log in.

          Expanded profile for the UW Madison NetID login entry with a six-digit passcode



        Doc ID: 109870
        Owner: Vadym P.
        Group: Identity and Access Management
        Created: 2021-03-24 11:30 CST
        Updated: 2021-04-02 13:38 CST
        Sites: DoIT Help Desk, Identity and Access Management
        CleanURL: https://kb.wisc.edu/iam/mfa-duo-frequently-asked-questions-limitations