MFA-Duo - Best Practices for Using Duo
This document will highlight the best practices for using MFA Duo.
1. Register more than 1 device or generate backup codes for future use
Note: You will need to be able to authenticate with Duo in order to reach the page to generate backup passcodes. If you currently cannot sign into Duo, try generating a temporary passcode (see MFA-Duo - Request a Temporary Passcode).
Generating Backup Passcodes for Future Use
- Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. You will also be asked to approve the login through your existing multi-factor authentication devices.
- Click the blue Create Backup Passcodes button.
- Click the blue Print Backup Passcodes button.
- Click Print to print your passcodes or write them down if you do not have access to a printer
Handling Your Backup Codes
- Backup codes should be stored in a secure but accessible location (such as a locked drawer or cabinet) while not in use.
- Generating new backup codes will invalidate your previous backup codes.
- Backup codes will expire after four months; The expiration date is displayed on the print-out below the passcodes.
- Each code can only be used once so we recommend crossing them off as you use them.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Note: If you are registering a new primary device and no longer have access to your currently-registered device, see MFA Duo – Reactivate Duo on a Mobile Device.
Adding another device:
Navigate to the Multi-Factor Authentication Portal at www.mfa.wisc.edu. Authenticate with your UW-Madison NetID and Password. authentication devices.
Click Manage MFA Preferences and Devices.
- Note: You will need to authenticate using an existing multi-factor authentication device.
Click Add Another Device.
-
Follow the instructions specific to the device type you would like to add.
Select Mobile phone then press Continue.
Enter the phone number of the device. Next, verify this is the correct number of the device by checking the box. Now press Continue.
Select the type of phone that the number is associated with (iPhone, Android, or Windows Phone) and press Continue.
-
Download the Duo Mobile Application on the new device you are adding, if not already downloaded:
iOS/iPhone: Download the Duo Mobile App from the App Store.
Android: Download the Duo Mobile App from the Google Play Store.
Windows Phone: Download the Duo Mobile App from the Microsoft Store.
-
Configure the Duo App on your mobile device and finish adding the device in MFA Portal:
Open the Duo App on your phone.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
In the MFA Portal, click I have Duo Mobile installed.
In the Duo App on your device, tap the plus sign button.
Using your device, scan the QR code on the screen in the MFA Portal and click Continue.
The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment
Select Tablet then press Continue.
Select your device type (iOS or Android) and press Continue.
Download the Duo Mobile Application for iOS or Android on your tablet, if not already downloaded:
iOS: Download the Duo Mobile App from the App Store.
Android: Download the Duo Mobile App from the Google Play Store.
- Configure the Duo App on your tablet and finish adding the device in MFA Portal:
Open the Duo App on your tablet.
Note: After opening the Duo App, you may be asked to accept notification and camera privileges. Click Allow if prompted.
In the MFA Portal, click I have Duo Mobile installed.
In the Duo App on your device, tap the plus sign button.
Using your device, scan the QR code on the screen in the MFA Portal and click Continue.
The following video from Duo demonstrates how to scan the QR code: Duo Self Enrollment
Go to https://go.wisc.edu/token.
Log in with your NetID and password.
Note: If you've already registered a device and are using MFA Duo, you'll be prompted to login with your NetID twice, then be prompted for MFA Duo.
Select the type of token that you have.
Enter the Token Serial Number in the appropriate field. The Token Serial Number may be entered with spaces/dashes or with numbers only; the format does not matter.
Making sure that the token's button is oriented to the left, press the button on the front of the token and enter the 6-digit passcode.
Click Register Duo Token/Fob.
The token will now be registered with your account.
Please note, if the token is the first MFA device you have registered, you'll will start being prompted for MFA.
Please note that one of the token images resembles a Yubikey token. Yubikey tokens are not supported by the UW Madison MFA project.
Note: You will need to obtain a token before you can register it. For information on how to obtain a token, see MFA-Duo - What is a token/fob?. It is very important that you not press the token button repeatedly prior to registering your token. This may cause the token to become out of sync and you will not be able to register it.See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
Login to the MFA Portal.
Click Register Token/Fob or USB Security Key.
Click USB Security Key.
Enter the serial number, found on the back of the USB device. Plug the device into a USB port, and tap the button on the device to enter a six-digit passcode into the field under Step 3.
In the lower window, authenticate to duo using your USB token. Then click +Add another device. Select Security Key.
Click Continue to bring up a popup window for enrolling your security key. The key will need to be plugged into a USB port on your computer.
Tap the button on your device to complete enrollment.
MFA only supports the U2F authentication method in the Google Chrome browser, so we highly recommend you use the U2F feature as a SECONDARY authentication method and have at least one other device enrolled.
If run into any issues or have any questions, please contact the DoIT Help Desk.
The security key allows MFA-Duo users to insert the security key into the USB port of their computer or laptop to authenticate. This security key requires a reachable USB port, but this security key also works with a laptop or desktop USB to USB-C adaptor. The key is not compatible with mobile devices and only works with laptop or desktop computers.
The security key experience is slightly different for the following modes of logging in. See below for details on these modes.
Chrome web browser login
When logging in to a UW-Madison website or apps using Chrome (version 70 or later), insert the security key into your USB port, select Security Key (U2F) from the device dropdown menu, and lightly touch the impressed sensor button to initiate login.
Non-Chrome web browser or local software login
When logging into a UW-Madison website or app in Firefox or Safari, insert the security key into your USB port. Select Token from the device dropdown menu, and click the "Enter passcode" button to make the passcode input field editable. Then lightly touch the impressed sensor button to insert the passcode in the input field. If you are using a screen reader or other assistive technology, the security key may enter the passcode so quickly you may not hear the full code. The audio cue may only include the last digit of the code. Click the login button to complete authentication, as the full code should have populated the field.
(See How to use a Feitian USB Security Key for more details and screenshots on the Chrome web browser login.)
How to get a security key
Faculty and Staff New staff: get a Feitian security key from your HR representative. Feitian security keys can also be picked up at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706. Current staff can get a Feitian security key at the Walk-In Help Desk at 1210 W. Dayton Street Madison, WI 53706.
Students: Get a token or security key at no charge, at either the Walk-in Help Desk at 1210 W. Dayton St. or the pop-up Help Desks from early September through October 31, 2019. Locations and times for the pop-up Help Desks will be posted on the UW-Madison Events Calendar soon. After October 31, tokens or security keys can be picked up at the Walk-In Help Desk at 1210 W. Dayton St. For other assistance, contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
At the portal screen, you should now see the device you have registered listed. The device has been registered successfully!
Note: If the device does not register or show up in the list of devices, try adding the device again. If it fails again, contact the DoIT Help Desk for assistance.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
2. Use the "Remember Me for 12 Hours" option
Note: The "Remember me for 12 hours" function is not currently working with Safari version 13.0.3 on Mac OS 10.14.6 (Mojave). Duo is aware of the issue, and it should be resolved soon.
Note: Some users have reported issues using "Remember me for 12 hours" on iOS version 14.2 across all browsers.
Please see the Troubleshooting section below if you find that "remember me" is not working for you.
In order to login with Duo Multi-factor Authentication, you must have first set up a device and linked it with your NetID. If you have not yet completed this, follow the instructions here: MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account
Using "Remember Me for 12 hours"
Navigate to a page that requires Duo Multi-factor Authentication after NetID login (e.g. MyUW).
Authenticate with your NetID and Password.
-
Before choosing an authentication method, check the box next to "Remember me for 12 hours".
- Proceed with your MFA Duo login as usual by clicking Send Me a Push or Enter a Passcode.
Note: If the "Remember me for 12 hours" option is grayed out, your MFA-Duo authentication method is set up to automatically send a push;
You can still use "Remember me for 12 hours" without changing device settings by:
- Click cancel on your initial push request.
- Click "Remember me for 12 hours".
- Proceed with your MFA Duo login as usual by clicking Send Me a Push or Enter a Passcode.

UW-Madison strongly recommends you do NOT select 'Automatically send this device a Duo Push' so that you can easily take advantage of "Remember me for 12 hours" Follow the steps below to change your MFA-Duo settings:
Changing your settings to no longer default to Push
Navigate to the Multi-Factor Authentication Portal.
Authenticate with your NetID and password, and with MFA-Duo.
Change the "When I log in" drop-down option to "Ask me to choose an authentication method."

Troubleshooting "Remember Me"
- If you close your browser or switch to a new browser.
- If you switch to a different computer.
- If you are using private/incognito browsing mode.
- If your browser does not allow cookies to be saved.
- If you clear your browser cookies
- Make sure that your internet browser allows cookies from the duosecurity.com domain to be stored in your browser.
- In Safari, go to Safari > Preferences > Privacy. Under Cookies and website data click Allow from websites I visit. Restart your browser and try "remember me" again.
- In Internet Explorer, go to Tools > Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored. Restart your browser and try "remember me" again.
- In Firefox, go to Firefox > Preferences > Privacy & Security. Ensure Third-Party Cookies are not blocked. Under Cookies and Site Data click Accept cookies and site data.
Restart your browser and try "remember me" again. - In Chrome, go to Preferences > Settings > Show advanced settings > Content settings. Ensure Block third-party cookies is not selected. Restart your browser and try "remember me" again.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
See accessibility & usability information
We work with our users to address access and usability barriers in the MFA user experience. Learn details about known access barriers and workarounds at MFA-Duo - Accessibility & Usability Information. If you encounter a barrier or need assistance, please contact the DoIT Help Desk or call (608) 264-4357.
For questions regarding how to get access to the MFA mobile app contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.
How to get access to a Security Key or Duo Token/Fob
Students
Students, to obtain a token/fob, please contact the DoIT Help Desk (608) 264-4357 or email help@doit.wisc.edu. Students with disabilities can also request a token or security key at the McBurney Disability Resource Center, 702 W. Johnson St., Suite #2104, Madison WI 53715 on the 2nd floor.
Faculty, Staff, and Researchers
Employees can get access to devices for MFA at their Human Resources Office or IT department. For questions contact the DoIT Help Desk at (608) 264-4357 or email help@doit.wisc.edu.