IT system owners and their teams can add two-factor authentication (2FA) to their systems by integrating with UW-IT infrastructure for UW NetIDs and authentication. This page provides guidance and links to more details based on the kind of system and available options for integration.
Overview
Ensure your users are eligible for 2FA
Customers planning to add 2FA should be aware of current 2FA eligibility and confirm their users are eligible to use 2FA. Current eligibility is included in the 2FA FAQ. If you have questions about eligibility related to your planned use of 2FA, contact UW-IT.
Enroll users in 2FA through Identity.UW
Although you may find that some integrations with Duo support a way for you to enroll users in Duo, this feature is disabled by policy. All users must enroll in Duo via Identity.UW (identity.uw.edu) using the 2FA device options described on the main 2FA page for users.
Add 2FA to your web applications
UW-IT’s infrastructure for web single sign-on (SSO) supports two primary options for adding 2FA to web applications with SSO integrations.
First, consider if your users already use 2FA
UW-IT is expanding the use of 2FA on the web to make it the default when signing in with UW NetID on the web. When the phased initiative is complete, 2FA will be required for users signing in with a web browser to access services that integrate with UW-IT’s SSO infrastructure. Therefore, your users might already be using 2FA. If they aren’t, organizations can protect their users, systems, and data by opting in to use 2FA as an organization, rather than adding 2FA to their web applications one at a time.
For integrations with the UW Identity Provider
You can add 2FA to web applications integrated with the UW Identity Provider (IdP) by configuring auto 2FA or conditional 2FA, which enforces 2FA for all or some of your users. Alternatively, you can add 2FA by configuring your systems to send a standard authnContextClassRef attribute in each SAML authentication request. To learn more, customers using Shibboleth Service Provider software can refer to configuring Shibboleth service provider to use 2FA. Customers using other SAML 2.0 software can configure it to use the REFEDS MFA Profile (or other standard authnContextClassRef attribute values supported by the UW IdP).
For integrations with Azure Active Directory
You can add 2FA to web applications integrated with Entra ID using Entra ID 2FA on a per-application basis. To do so, UW-IT configures “conditional access” policies on Entra ID, allowing customers who rely on Entra ID to add 2FA policies for their applications.
Add 2FA to other departmental systems
You can integrate 2FA with other systems and applications, including Linux systems and other non-web systems. To learn more and request an integration, refer to Departmental Duo Integrations.
Need a consultation?
Requests for consultations on approaches to add 2FA to your IT systems can be sent to help@uw.edu with a subject line of “Duo integration consult.” This creates a UW Connect request for the Identity and Access Management (IAM) team. An IAM Specialist will help clarify your needs and assess if Duo is a good fit.