ICO News

UW-Madison mandates multi-factor authentication for students logging in to MyUW accounts – Channel3000.com – WISC-TV3

MADISON, Wis. – The University of Wisconsin-Madison is requiring a second authentication for students, staff and faculty who are logging into their MyUW accounts.

Effective Monday, students must begin enrolling in the Duo Multi-factor Authentication. In addition to using a password to log in to one’s MyUW account, people must enter a six-digit code or accept the login attempt via an app on their phone.

UW Chief Information Security Officer Bob Turner said the cybersecurity initiative began to increase security for people’s most at-risk data, such as human resources and financial information.

“It’s all about protecting the data,” Turner said.

In students’ MyUW accounts, they can access resources such as their WISC email, scheduling apps for academic advising, their course schedule or course map and their Canvas account. Students can also change their personal information, upload money or check the current balance on their Wiscard and accept or decline their Free Application for Federal Student Aid. If students have a university job, they’re able to update their direct deposit, view tax statements and enter their time and absence for work.

Turner compared the multi-factor authentication to security related to a person’s bank account. He said that just as access to a bank account might require answering a security question, this second authentication is another check to make sure the person logging in is the owner of the account.

“It’s actually one of the industry’s standard factors of authentication,” Turner said. “We want to make sure that only the right people are getting access to the data, so if it gets spilled, [we know] who logged in when it got spilled.”

The multi-factor authentication runs through Duo. Students must either download the Duo Mobile app on their smartphones or pick up a token from the university. Both the app and the token are free. 

After people log in to their MyUW accounts with their NetID and password, they must choose between Duo Push, which sends a notification to their smartphone app, or Passcode. For people to choose the passcode option, they must download 10 six-digit codes or have the token. The downloaded codes expire after three months.

University officials said downloading the passcodes might be a good idea as a backup plan, in case a person doesn’t have their phone on them at the time of a login attempt, or they don’t have their token.

For people who choose Duo Push, a notification is sent to their phone via the Duo Mobile app. They must then open the app and either accept the login attempt or decline it. Turner said this notification is also a way for people to know if someone is trying to log in to their account.

The token does not require a smartphone, and in this instance, people click the button on the token and a six-digit code appears.

Turner said the university had been planning for the authentication since 2017 and discussed it multiple times with university partners.

All UW campuses will mandate the authentication, and other Big 10 schools already have, according to Turner.

Staff and faculty had to enroll in the authentication last spring, but Monday was the first day for students. The deadline for students to enroll is Oct. 31.
