UWSC Support - Multi-Factor Authentication Frequently Asked Questions and Answers
FAQs concerning the use of multi-factor authentication to access UW System Common Systems
With advances in technology and newly emerging information technology security threats, University of Wisconsin institutions have an increased responsibility to provide additional security measures to ensure that the data we collect, consume, and store is protected from unauthorized access. The UW System has developed a stronger method for users (Core Users) to authenticate to common UW information systems that store and process restricted and sensitive data. This effort is known as Multi-Factor Authentication (MFA). This authentication method is also sometimes referred to as two-step or two-factor authentication.
MFA One-Time Password (OTP) devices have been selected as the technical platform to address our need for two-factor authentication. An OTP is valid for only one login session. The OTP platform requires the Core User, one who uses software that contains confidential information, to use an approved high-level security device (currently an OTP FOB or the Symantec VIP smartphone app) that is synchronized with a server to generate the password. All users who are required to use MFA must use the generated OTPs as second factors, in addition to their campus credentials, to authenticate to any software application that requires it (e.g. HRS, SFS, EPM, OIM, etc.).
Q1. Who are the Core Users on my campus? How are they determined?
See this document: https://uwservice.wisc.edu/docs/publications/hrs-epm-classification.pdf
Q2. What does this mean to me (the Core User)?
Core Users with access to other people’s sensitive or restricted information must use one-time passwords (OTPs) generated from the approved FOBs or smartphone OTP apps, in addition to their campus credentials, to access systems that require MFA.
HRS users who only have the following HRS access are excluded from the MFA effort:
- Manager self-service for Time and Labor/Absence Management
- Employee self-service for time reporting
- Talent Acquisition Management
- eBenefits
Q3. What can users use to generate OTP?
1. Core Users must use approved FOBs or smartphone OTP apps to generate OTPs. No other electronic devices are allowed to be used for MFA (e.g. tablets, laptops, etc.).
2. The electronic device used to create an OTP and the electronic device used to access software that contains the sensitive or restricted information being protected by MFA may NOT be the same device.
Q4. Can I use both a smartphone OTP app and a FOB as devices to generate an OTP?
No! Users will only be allowed to use one of these options at one time.
Q5. How many times can a User request a static OTP?
Core Users are expected to use the chosen device, in addition to their campus credentials, to authenticate on a regular basis to systems that require strong authentication. Currently there is no limit on how many times a Core User can request a temporary OTP. However, UW System monitors the pattern of contingency access usage and may also issue a report to the supervisor of a Core User if the Core User requests a temporary OTP more than five times in a month.
Q6. What are the device options?
UW Digital ID Team approved Symantec VIP FOBs or smartphone OTP app.
Q7. What should I do if I don’t have my device with me when I need to authenticate to HRS?
Core Users are able to use either one of the following options to request temporary one-time passwords when they don’t have their OTP device to authenticate to systems that require MFA:
1. Log in to the UW Digital ID website to request a temporary OTP: Core Users can access the website 24 hours a day, 7 days a week.
Note! If a Core User chooses to receive the temporary OTP via text message, there may be a fee associated with each OTP text message. Core Users are responsible for paying for these text message fees.
2. Seek help from a campus LRA (Local Registration Authority) or the DoIT Help Desk during their normal business hours.
Q8. How long will the temporary OTP be valid?
It will expire at midnight on the day it was created.
Q9. Do I need to bring any form(s) of Identification when I visit my LRA to get my smartphone OTP app provisioned or to get a new FOB?
You’ll need two forms of valid (unexpired) ID. One has to be your campus photo ID and the other has to be a government-issued photo ID such as a driver’s license or passport.
Q10. Where do I look for training material?
Training material may be found in the UW Digital ID Knowledgebase.
Q11. Who are the LRAs at the different campuses?
1. Log in to the OTP website at https://uwdigitalid.wisconsin.edu and select "Find Help".
2. Click on the down-arrow at the top of the web page to see a full list of the UW institutions.
3. Select an institution (e.g. UW Parkside) to see all of the LRAs for that campus.
Q12. What do I do if I get the "Unable to Continue" error on my smartphone when attempting to get an OTP?
1. Close the app and re-launch it.
2. Try disconnecting and reconnecting to your Wi-Fi.
3. If neither 1 nor 2 works, then:
   - Uninstall the app.
   - Reinstall the app.
   - Visit an LRA to have your old app changed to your new app (you will need to present two forms of government-issued photo ID, one being your UW ID card).
Term, Abbreviation or Acronym – Definition
Core User – These are employees who can access other people’s sensitive or restricted information which now requires multi-factor authentication (MFA).
LRA – Local Registration Authority. The LRA representatives are responsible for identifying Core Users and credentialing, activating, disabling, de-activating, and troubleshooting OTP devices and accounts.
MFA – Authentication containing at least two of the three quality mechanisms:
- Something a person "knows" – Passwords, PIN numbers, passphrases, a secret handshake, and mother's maiden name.
- Something a person "has" – Identity badges/cards, physical keys, a driver’s license, unique uniform, and digital certificates.
- Something a person "is" – These authenticators, called biometrics, are based on a physical characteristic of a person, such as fingerprint, voice pattern, retinal pattern, or facial recognition.
OTP – One Time Password
OTP Device – Devices used to generate a One Time Password; either a FOB or Smartphone OTP app
FOB – A State-issued device that is used to generate a One Time Password.
Smartphone OTP App – A smartphone app that is used to generate an OTP