MFA-Duo - Best Practices for Using Duo

This document will highlight the best practices for using MFA Duo.

1. Register more than 1 device or generate backup codes for future use

If you've ever been in a situation where you don't have your MFA device with you, you know this can be a major inconvenience. Give yourself some options ahead of time so you don't get into a bind:

Note: You will need to be able to authenticate with Duo in order to reach the page to generate backup passcodes. If you currently cannot sign into Duo, try generating a temporary passcode (see MFA-Duo - Request a Temporary Passcode).

Generating Backup Passcodes for Future Use

  1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.

  2. Click the blue Create Backup Passcodes button.

    3. MFA portal section for generating backup passcodes

  3. Click the blue Print Backup Passcodes button.

    4. Green message indicating that the passcodes have been created, with a button labeled Print Backup Passcodes

  4. Click Print to print your passcodes or write them down if you do not have access to a printer

    5. Print dialogue with the backup passcodes displayed as a document


Handling Your Backup Codes

  • Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.

  • Generating new backup codes will invalidate your previous backup codes.

  • Backup codes will expire after four months; The expiration date is displayed on the print-out below the passcodes.

  • Each code can only be used once so we recommend crossing them off as you use them.

See accessibility & usability information

We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

How to get access to a Security Key or Duo Token/Fob 

Students

Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

Faculty, Staff, and Researchers

Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.

Adding another device:

  1. Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. authentication devices.

  2. Click Manage MFA Preferences and Devices.

    • Note: You will need to authenticate using an existing multi-factor authentication device.

  3. Click Add Another Device.

    My Settings and Devices with Add Another Device highlighted

  4. Follow the instructions specific to the device type you would like to add.

    1. Select Mobile phone then press Continue.

      Device type list with Mobile selected

    2. Enter the phone number of the device. Next, verify this is the correct number of the device by checking the box. Now press Continue.

      Phone number entered into the field

    3. Select the type of phone that the number is associated with (iPhone, Android, or Windows Phone) and press Continue.

    4. Download the Duo Mobile Application on the new device you are adding, if not already downloaded:

    5. Configure the Duo App on your mobile device and finish adding the device in MFA Portal:

      1. Open the Duo App on your phone.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that Duo app is installed on the desired device

      3. In the Duo App on your device, tap the plus sign button.

      4. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

        The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

        Barcode with green check mark indicating that the registration was successful

    1. Select Tablet then press Continue.

      Device type list with Tablet selected

    2. Select your device type (iOS or Android) and press Continue.

    3. Download the Duo Mobile Application for iOS or Android on your tablet, if not already downloaded:

    4. Configure the Duo App on your tablet and finish adding the device in MFA Portal:

      1. Open the Duo App on your tablet.

        Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.

      2. In the MFA Portal, click I have Duo Mobile installed.

        Prompt for confirmation that Duo app is installed on desired device

    5. In the Duo App on your device, tap the plus sign button.

    6. Using your device, scan the QR code on the screen in the MFA Portal and click Continue.

      The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment

      Barcode with green check mark indicating the device was registered successfully

      Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.

      1. Go to https://go.wisc.edu/token.

      2. Log in with your NetID and password.

      • Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.

    • Select the type of token that you have.

      MFA Portal token/fob section with two options: register or resynchronize a device

    • Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.

    • Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.

    • Click Register Duo Token/Fob.

    • The token will now be registered with your account.

    • Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.

      • Please note that one of the token images resembles a Yubikey token. Yubikey tokens are not supported by the UW Madison MFA project.

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

      MFA only supports the U2F authentication method in the Google Chrome browser, so we highly recommend you use the U2F feature as a SECONDARY authentication method and have at least one other device enrolled.

      1. Login to the MFA Portal.

      2. Click Register Token/Fob or USB Security Key.

        MFA Portal token/fob section with two options: register or resynchronize device

      3. Click USB Security Key.

        Selection of three device types: Duo, OTP c100, Security Key

      4. Enter the serial number, found on the back of the USB device. Plug the device into a USB port, and tap the button on the device to enter a six-digit passcode into the field under Step 3.

        Prompt for the USB Security Key serial number which is printed on the back of the device. Once entered, another prompt requests that you plug in the USB device then tap the button to generate a code into the field

      5. In the lower window, authenticate to duo using your USB token. Then click +Add another device. Select Security Key.

        Prompt for authentication with the USB token

      6. Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.

        the options Back and Continue which will appear after selecting Security Key from the device types.

        pop-up window that appears after clicking continue on the previous screen, prompting the user to insert the security key into a USB port and to tap the button.

      7. Tap the button on your device to complete enrollment.


      If run into any issues or have any questions, please contact the DoIT Help Desk.

      The security key allows MFA-Duo users to insert the security key into the USB port of their computer or laptop to authenticate. This security key requires a reachable USB port, but this security key also works with a laptop or desktop USB to USB-C adaptor. The key is not compatible with mobile devices and only works with laptop or desktop computers. 

      The security key experience is slightly different for the following modes of logging in.  See below for details on these modes. 

      Chrome web browser login 

      When logging in to a UW-Madison website or apps using Chrome (version 70 or later), insert the security key into your USB port, select Security Key (U2F) from the device dropdown menu, and lightly touch the impressed sensor button to initiate login. 

      Non-Chrome web browser or local software login

      When logging into a UW-Madison website or app in Firefox or Safari, insert the security key into your USB port. Select Token from the device dropdown menu, and click the "Enter passcode" button to make the passcode input field editable. Then lightly touch the impressed sensor button to insert the passcode in the input field. If you are using a screen reader or other assistive technology, the security key may enter the passcode so quickly you may not hear the full code. The audio cue may only include the last digit of the code. Click the login button to complete authentication, as the full code should have populated the field. 

      (See How to use a Feitian USB Security Key for more details and screenshots on the Chrome web browser login.)  

      How to get a security key

      Faculty and Staff New staff: get a Feitian security key from your HR representative. Feitian security keys can also be picked up at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706. Current staff can get a Feitian security key at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706. 

      Students: Get a token or security key at no charge, at either the Walk-in Help Desk at 1210 W. Dayton St. or the pop-up Help Desks from early September through October 31, 2019. Locations and times for the pop-up Help Desks will be posted on the UW-Madison Events Calendar soon. After October 31, tokens or security keys can be picked up at the Walk-In Help Desk at 1210 W. Dayton St. For other assistance, contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.  

        See accessibility & usability information

        We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

        For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

        How to get access to a Security Key or Duo Token/Fob 

        Students

        Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

        Faculty, Staff, and Researchers

        Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

    • At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!

    Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.


    See accessibility & usability information

    We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

    For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

    How to get access to a Security Key or Duo Token/Fob 

    Students

    Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

    Faculty, Staff, and Researchers

    Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

    2. Use the "Remember Me for 12 Hours" option

    Having to use MFA Duo for every NetID login session can become tedious. Use the "Remember Me for 12 Hours" option to minimize the number of times you'll need to authenticate with MFA Duo:

    Note: The "Remember me for 12 hours" function is not currently working with Safari version 13.0.3 on Mac OS 10.14.6 (Mojave). Duo is aware of the issue, and it should be resolved soon.

    Note: Some users have reported issues using "Remember me for 12 hours" on iOS version 14.2 across all browsers.

    Please see the Troubleshooting section below if you find that "remember me" is not working for you.

    In order to login with Duo Multi-factor Authentication, you must have first set up a device and linked it with your NetID. If you have not yet completed this, follow the instructions here: MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account

    Using "Remember Me for 12 hours"

    1. Navigate to a page that requires Duo Multi-factor Authentication after NetID login (e.g. MyUW).

    2. Authenticate with your NetID and Password.

    3. Before choosing an authentication method, check the box next to "Remember me for 12 hours".

      Remeber me for 12 hours checkbox is checked

    4. Proceed with your MFA Duo login as usual by clicking Send Me a Push or Enter a Passcode.

    Note: If the "Remember me for 12 hours" option is grayed out, your MFA-Duo authentication method is set up to automatically send a push;

    You can still use "Remember me for 12 hours" without changing device settings by:

    1. Click cancel on your initial push request.
      2. A banner notification that there is a pending Push to the duo device with a Cancel button on the banner

    2. Click "Remember me for 12 hours".
    3. Proceed with your MFA Duo login as usual by clicking Send Me a Push or Enter a Passcode.

    UW-Madison strongly recommends you do NOT select 'Automatically send this device a Duo Push' so that you can easily take advantage of "Remember me for 12 hours" Follow the steps below to change your MFA-Duo settings:

    Changing your settings to no longer default to Push

    1. Navigate to the Multi-Factor Authentication Portal.

    2. Authenticate with your NetID and password, and with MFA-Duo.

    3. Change the "When I log in" drop-down option to "Ask me to choose an authentication method."

      4. My settings and devices page with default device and default notification settings highlighted\


      Troubleshooting "Remember Me"

    Users may find that they are prompted for MFA-Duo within 12 hours even after they have selected the "remember me for 12 hours" box. The "remember me" feature relies on a browser cookie to function.

    "remember me" may not work in the following situations:
    • If you close your browser or switch to a new browser.
    • If you switch to a different computer.
    • If you are using private/incognito browsing mode.
    • If your browser does not allow cookies to be saved.
    • If you clear your browser cookies
    Here are some basic troubleshooting tips to ensure that "remember me" works.
    1. Make sure that your internet browser allows cookies from the duosecurity.com domain to be stored in your browser.
    • In Safari, go to Safari > Preferences > Privacy. Under Cookies and website data click Allow from websites I visit. Restart your browser and try "remember me" again.
    • In Internet Explorer, go to Tools > Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored. Restart your browser and try "remember me" again.
    • In Firefox, go to Firefox > Preferences > Privacy & Security. Ensure Third-Party Cookies are not blocked. Under Cookies and Site Data click Accept cookies and site data.
      Restart your browser and try "remember me" again.
    • In Chrome, go to Preferences > Settings > Show advanced settings > Content settings. Ensure Block third-party cookies is not selected. Restart your browser and try "remember me" again.
  5. If you have browser extensions or plug-ins installed, disable or remove them to see if "remember me" works. Many browser extensions and plug-ins prevent cookies.
  6. If the steps above do not resolve the issue, please contact the DoIT Help Desk.

      7. See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 

      See accessibility & usability information

      We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.

      For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.

      How to get access to a Security Key or Duo Token/Fob 

      Students

      Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.

      Faculty, Staff, and Researchers

      Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu. 



      Keywords:iphone ios android samsung lg galaxy application edit remove 2 two factor auth authentication login request approve   Doc ID:80774
      Owner:MST Support .Group:Identity and Access Management
      Created:2018-03-10 14:37 CSTUpdated:2022-05-25 14:15 CST
      Sites:DoIT Help Desk, Identity and Access Management
      Feedback:  0   1