MFA-Duo - Child Accounts and MFA for non-netid services

MFA/Duo Child Accounts will not be available going forward. IAM is moving to a model that makes Duo a feature of NetID Login, not an independent service. *Notable: There are no plans to unwind existing Child Accounts.

________________________


Duo Child Accounts allow campus system administrators to leverage Duo for systems that are not integrated with NetID-based authentication.

BACKGROUND:

UW System Administrative Policies 1030 and 1031 mandate that we implement a multi-factor authentication system where restricted or sensitive data exists or is accessible. UW-Madison selected Duo Security (https://duo.com/docs/platform_overview) as its Multi-Factor Authentication (MFA) solution. The general campus offering for Duo MFA is integrated with the NetID Login Service.

IMPACT:

A number of areas have already set up child accounts. This means individuals on campus may have more than one MFA/Duo Account at UW-Madison. Issues may arise with either or both accounts depending on the central cause of the problem. In those cases, individuals may reach out to the Help Desk to resolve.  A determination will need to be made on which account or accounts are impacted and then direct the issue to the appropriate contact.

 

NEW CHILD ACCOUNT:

MFA/Duo Child Accounts will not be available going forward. IAM is moving to a model that makes Duo a feature of NetID Login, not an independent service. Notable: There are no plans to unwind existing Child Accounts.

 

CONTACT: 

For UW-Madison issues/questions, contact Identity & Access Management Team, mstsupport@doit.wisc.edu

 

Frequently Asked Questions:

  • Will there be additional costs associated with a child account?
    • Answer: No additional costs for MFA licensing, however, if the child account administrators choose to enable telephone/telephony authentication, the owners of the child account will be responsible for any associated costs. 
  • Do I have to use a separate token for the child account?
    • Answer: Yes. Tokens cannot be used across multiple accounts, so child account owners will need to fund and procure tokens if they wish to allow users to use tokens to authenticate to their child account.
  • Where do I go for support of a child account?
    • Answer: For ongoing support of administering the child account , contact Duo (link/info) directly. For users of a child account, contact your child account administrator. DoIT Identity & Access Management or Help Desk will not be responsible for assisting with child accounts other than initial account setup.
  • How do I request a new child account?
    • Answer: MFA/Duo Child Accounts will not be available going forward. IAM is moving to a model that makes Duo a feature of NetID Login, not an independent service. *Notable: There are no plans to unwind existing Child Accounts.