Multi-factor Authentication (MFA) Frequently Asked Questions

Overview

This document contains answers to common questions regarding multi-factor authentication (MFA)

Click on the links below to skip directly to a section:

What is multi-Factor authentication and how will it affect me?

The goal of Multi-Factor Authentication (MFA) is to create a layered defense and make it more difficult for an unauthorized person to access your information. MFA adds an extra layer of security to your login process. It combines something you know (your username and password) with something you have (smartphone, fob) to verify your identity. This extra step helps to protect both your online identity and UW-Shared Services and UW System Administration digital assets.

To the top

How is multi-factor authentication being used at UW-Shared Services and UW-System Administration?

UW-Shared Services and UW System Administration is implementing MFA by Duo for the Office 365 login service.

To the top

How does multi-factor authentication affect me?

Chances are you are already using multi-factor authentication to log into your bank or Google. This second layer of protection combines something you know (your username and password) with something you have (smartphone or fob), preventing anyone but you from logging into a system.

UW-Shared Services and UW System Administration has partnered with Duo to provide this service. You will now need to log in to Office 365 by:

Entering your username (email address) and password, and
Confirming your identity with the Duo app on your device or by entering the six-digit code from your fob.
BY USING THE MULTI-FACTOR AUTHENTICATION APP (BY DUO) ON MY PERSONAL DEVICE, WILL MY PERSONAL COMMUNICATIONS OR DATA BE SUBJECT TO WISCONSIN’S PUBLIC RECORDS LAW OR BE SUBJECT TO A SUBPOENA REQUEST?

To the top


By using the multi-factor authentication app (by Duo) on my personal device, will my personal communications or data be subject to Wisconsin's public records law or be subject to a subpoena request?

The contents of strictly personal communications (texts, emails, voice messages) or data are not subject to the Wisconsin Public Records Law simply by using the app to verify your identity. Strictly personal means that it is not related to university business. If you were using your personal device to conduct university business (such as responding to emails, texting a colleague about a work-related issue or leaving or receiving voice messages on work related subjects, or accessing UW System Administration digital assets) those communications which relate to university business could be subject to the Wisconsin Public Records Law or could be the subject of a university-related subpoena. The contents of your personal communications that do NOT involve university business would not be subject to the Wisconsin Public Records law or to a university-related subpoena for university business records.

To the top

What data does Duo mobile collect from my smartphone?

Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service.

To the top

How do I enroll in Duo MFA?

Our dedicated MFA Duo Activation team housed out of the UWSS IT HelpDesk will perform the initial rollout of multi-factor authentication using Duo. A representative of the MFA Team will perform each MFA Duo enrollment individually. The MFA Activation Team will be contacting all UWSA and UWSS employees by office to schedule convenient times to enroll and train each user on how to incorporate MFA successfully.

If you need to schedule an MFA Duo activation, please contact the UW-Shared Services IT HelpDesk.

To the top

Who is required to enroll in Duo MFA?

All UW-Shared Services and UW System Administration Office 365 users are required to enroll in the Duo multi-factor authentication. The need for moving the entire organizations to Duo MFA is being driven by the Board of Regents and UWSA leadership.

To the top

What if I don't have a smartphone or don't want to use it for MFA?

If you don’t own a smartphone, or choose not to use it, a fob is available. The fob will generate a six-digit passcode which you enter during the Office 365 login process. During the implementation time for the multi-factor authentication project, an initial ill be provided.

What is a FOB?

A fob is a small hardware device carried by a user to authorize access to a network service. It generates a unique six-digit number (also called a passcode) that identifies the user and allows them to access UW-Shared Services and UW System Administration digital assets.

To the top

How do I use my FOB?

You generate a six-digit passcode by pushing the green button on your fob. You enter the six-digit passcode in the Duo Device Management portal to verify your identity to access Office 365 services.

To the top

How do I get a FOB?

To get a Duo fob, please create a ticket with the subject line "MFA fob", via webform, or contact the UWSS IT HelpDesk.

To the top

Who pays for the FOBs?

If you choose to use a fob over the easier-to-use MFA Duo smartphone app, your initial fob will be provided to all UW System Administration and UW-Shared Services employees free of charge.

There will be a $20 charge, to your organization, for every additional fob provided over your tenure with UW-Shared Services and UW System Administration. This will include replacements for lost fobs or if you choose to have a second fob on your account.

For fobs that become defective, please contact the UWSS IT HelpDesk  and a replacement fob will be delivered free of charge.

To the top

What is a passcode and how is it used?

A passcode is a six-digit code that you generate by pushing the down arrow (may vary based on your device or software version) on your smartphone or by pushing the green button on your fob. You enter the passcode in the Duo Device Management portal to verify your identity to access network services. You can generate a passcode on your smartphone, even if you do not have cellular or wireless (Wi-Fi) service

To the top

What if the passcode generated by my FOB doesn't work?

When holding the fob, be sure the green button is on the left to make sure you’re not entering numbers that are upside down.

To the top

How many times can I try to authenticate before my account gets locked?

After 100 times successive failures to authenticate, your account will be locked for 30 minutes.

To the top

What is the best way to use Duo MFA when travelling?

You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service.

Simply open the app and tap the down arrow or key icon located at the upper left-hand corner of your smartphone. This will generate a six-digit temporary passcode.
Enter the six-digit code provided on your smartphone in the Duo Device Management portal to complete the authentication process.

To the top

What if I don't have cellular or wireless (Wi-Fi) service on my smartphone?

If you’re in a location where you can’t get cellular or wireless (Wi-Fi) service, you can request a single-use passcode directly from the Duo Mobile app.

Simply open the app and tap the down arrow or key icon located at the upper left-hand corner of your smartphone. This will generate a six-digit temporary passcode.
Enter the six-digit code provided on your smartphone in the Duo Device Management portal to complete the authentication process.

To the top

Do I need to authentication with Duo every time I log in?

If the “Remember me for 14 hours” is selected when initially authenticating via Duo, you will not need to re-authenticate with Duo again for 14 hours (if you sign in using the same browser in which you authenticated). If you choose to use several browsers during the day, you will need to authenticate in each of those browsers and make the choice of the selecting the “Remember me for 14 hours” option. It is strongly suggested that you check the “Remember me for 14 hours” setting to allow you to work throughout your day seamlessly.

To the top

The "Remember Me for 14 Hours" option is grayed out. How can I activate it?

If you set the MFA-Duo authentication method default to automatically send a push, you will need to disable this setting before activating the “Remember me for 14 hours” option. Here’s how:

Click cancel on your push request.
Check the “Remember me for 14 hours” box.
Authenticate using one of the following options:
Generate a passcode by clicking the down arrow (located in the upper right-hand corner on the Duo app on your smartphone) or by pressing the green button on your fob.  Enter the six-digit passcode in the Multi-Factor Authentication portal. OR
Click Send Me a Push in the Multi-Factor Authentication portal. Go to the Duo app on your smartphone or tablet and Accept the push.

To the top

How does Duo-MFA impact logging into my workstation?

Your workstation MFA will request re-authentication for logging into your Office365 every Monday morning for UWSA employees and 7 days after your last authentication for UWSS employees. Your computer will remember you are authenticated for the remainder of the week for UWSA employees and the next 7 days for UWSS employees.

UWSA employees: On Mondays (or the first day you log on for the week after Monday), you will be prompted to log in for all Office 365 applications as they are opened. These applications include email, calendar, Teams, etc. that will each be logged using MFA Duo at the point until the next Monday morning re-authentication request is reset inside Duo.

UWSS employees: 7 days after the last time you authenticated, you will be prompted to log in for Office 365 applications as they are opened. These applications include email, calendar, Teams, etc. that will each be logged using MFA Duo at the point until the next 7 day re-authentication request is reset inside Duo. If you authenticated on different days for different desktop apps, the day you re-authenticate may vary based on the app used.

This 7 day workstation Office 365 MFA setting provides additional security to your trusted devices such as smart phones, laptops, tablets and desktop PCs while not forcing users to log into each O365 application multiple times each day.

To the top

Is the Duo Mobile app free?

Yes, the Duo Mobile app is free.

To the top

What mobile devices are supported?

Smartphones and tablets running Apple iOS (iPhone) 10 or greater and Android 6.0 and greater.

To the top

Can I enroll more than one device?

You may enroll as many devices as you want, as long as they meet the minimum requirements (iOS 10+ and Android 6.0+). If you enroll more than one device, you will have to choose a “default” device to use.

To the top

If I choose the option to automatically send a push notification, how can I change this setting?

When logging in, you will automatically get the push notification. Click ‘Cancel’ where it says, “Pushed a login request to your device…” This will allow you to select the options listed on the left side. Click on ‘My Settings & Devices’. NOTE: each time you select a menu option, you will have to authenticate with Duo. In ‘My Settings & Devices’ window, under the option ‘When I log in:’ choose the setting you desire.

To the top

What should I do if I get a Duo push notification I didn't send?

You should deny the request and report it to the IT HelpDesk.

To the top

What should I do if I lose my smartphone or FOB?

Please contact the HelpDesk  as soon as you can so they can deactivate your phone app or fob.

To the top

None of my FOB passcodes are working. What should I do?

Your fob may have fallen out of sync. Please contact the HelpDesk for assistance with re-syncing your fob.



Additional Resources

Related KBs:

Related Links:


Get Help

  • Click HERE to contact UW Shared Services - Service Operations Department or HERE for the UWSS IT HelpDesk if you have any issues with these instructions.