The UW regularly updates its two-factor authentication (2FA) features to provide secure sign-ins. Major updates are highlighted on this page. This page design to keep you informed about the trusted UW 2FA experience and explain any changes. If you have questions about the security your 2FA experience or need help with UW 2FA, please contact help@uw.edu.
New Changes
Duo Update Required Before Feb. 2, 2026
On February 2nd, 2026, Duo will be enforcing use of a new certificate bundle. Applications including Duo Mobile that are not running supported versions will find that Duo authentication may break or degrade in usability.
You must be running version Duo Mobile 4.85.0 or greater on all registered devices by Feb. 2, 2026. You can check what version of Duo Mobile you are running by:
Opening the Duo Mobile app.
Tapping the "hamburger" menu icon in the top-left corner.
Finding the version number displayed at the bottom of the menu pane starting with "Version"
If the number listed is a smaller number than 4.85 (for instance 3.7.0 or 4.76.1) then you must update your Duo Mobile application from the application store on your device. If the number is equal to or greater than 4.85 (for instance 4.85.1 or 4.100.0) then no action is required for this device. If you use multiple devices, please check each device.
Duo has updated all impacted applications and the minimum supported version of that application in their support article. As Duo refers to the application by their technical name and not by the name you may know it by here at the UW, you may not immediately connect which application you run to the list Duo provides.
UWIT Identity and Access Management is reaching out to each application team for which we know there will be impacts, and providing the UW application name and the Duo application name referenced on their above support documentation.
If you have questions or would like the UWIT Identity and Access Management team to provide you with the Duo application name for your Duo integration, please reach out to help@uw.edu with the subject "Duo Certificate".
Duo Methods Update Feb. 24, 2026
More will be announced about this change shortly. Please refer to this page for any updates to the Duo MFA experience.
Previous changes
The UW has updated the process for registering your 2FA devices and added support for new authentication methods. No action is required from you, but here's what's new:
New Device Registration Experience
You can add, remove, or review your 2FA devices at https://identity.uw.edu/2fa. While the location remains the same, the page has a new look. You will now need to click a button to open the updated page.
Pictured above, the new device registration experiencePictured above, the new "verify your identity" stepPictured above, the new device registration pagePictured above, the old device registration experience
New Look for Registering Devices
New Look for Registering Devices
Selecting "Add a device" allows you to add "Duo Mobile" Enter your phone number Confirm your phone number Demonstrate you control your phone number Make sure you have Duo Mobile downloaded Scan the QR code with your phone via Duo Mobile If you don't scan the QR code, you can instead email yourself the activation link Clicking the email activation link allows you to activate directly
Selecting "Add a device" allows you to add "Duo Mobile" Make sure you have Duo Mobile downloaded Scan the QR code with your phone via Duo Mobile If you don't scan the QR code, you can instead email yourself the activation link Clicking the email activation link allows you to activate directly
Selecting "Add a device" allows you to add a security key Click to continue adding the security key Follow the prompts to add a security key
Platform authenticators are a new way to do authentication that utilize the biometric passkeys on your device. Platform authenticators are only available as a method of authentication for the device they are set up on (so if you set up your phone, you can't select the phone's platform authenticator when on your computer). The prompts to set up your platform authenticator will be specific to your device, but the example screenshots are included below for examples. Selecting "Add a device" allows you to add a platform authenticator On windows devices, you can utilize the "Windows Hello" platform authenticator You can follow the prompts from your browser to finish setting up the platform authenticator On an apple device, you can set up FaceID/TouchID You will need to save the keychain in the iCloud keychain. If you don't have your secrets managed by the iCloud keychain, you may need to change your settings. Once you are doing setting up, you are good to go
Selecting "Add a device" allows you to add a phone Enter your phone number, and if it is a landline select the checkbox. Confirm it is your phone number Finalize adding the phone If you selected a landline on the first step and it has an extension, it can be added here. Otherwise, skip this step. You will continue the steps above.
New authentication methods enabled
Platform Authenticators
Platform authenticators are a new way to do authentication that utilize the biometric passkeys on your device. Platform authenticators are only available as a method of authentication for the device they are set up on (so if you set up your phone, you can't select the phone's platform authenticator when on your computer). The prompts to set up your platform authenticator will be specific to your device, and not all devices support Platform Authentication. Duo's supported platforms are listed on their platform authenticator guide. How to set up platform authenticators can be found in the section above under "NEW: Setting up a platform authenticator" or on set up a platform authenticator.
Verified Push
Verified push is a more secure form of push based authentication, that requires you to type in the numbers shown on the screen into Duo Mobile. This form of "push notification" is considered more secure to push fatigue and other forms of attack. Verified push is not currently in use for integrations at the UW, but may start to appear in more secure applications. Application owners can read more about verified push on the altered 2FA experience page.
Previous Changes
Duo has updated the way 2FA looks during your sign-in experience. Documented below is the new and previous Duo behavior for reference.
Understanding new and previous Duo behavior
With the new Duo experience, how you normally start your sign-in process won't change. In this example, you would sign in to the UW IdP using a UW NetID and password when signing into a site such as my.uw.edu. The sign in step looks the same. UW IdP sign in page
After providing your first factor (UW NetID and password), you are prompted to provide your second factor, which is your verification via Duo. In the new Duo authentication, you will be automatically prompted with your last-used method. How you approve your Duo authentication method is not changing. However, with your first sign-in experience Duo may choose a method you do not typically use. New Duo prompt experience Many people at the UW prefer the Duo "Push" method for Duo authentication by default, while others choose passcodes or other methods. Note that if the "wrong" method is presented by default, you can choose "Other options" to select from a list of Duo methods (the available options will depend on what you have added at https://identity.uw.edu/2fa/ ). Any method you select when you're first presented with the new Duo prompt will provide you the typical authentication experience. New Duo method selection In the previous Duo prompt, you were presented with a different approach to choosing your authentication option. In this previous prompt, to see other available authentication options, you first had to click "cancel". Old Duo prompt experience
With the new Duo prompt, there is also a change in the URL that Duo presents in your browser. You will see duosecurity.com in the address. New Duo URL Note that "duosecurity" in the URL will be correct; you will no longer see "idp.u.washington.edu" in the web address when being asked for Duo. Old Duo URL Other legitimate UW applications and websites may display a different URL during sign-in, where you see something besides the two web addresses shown above. If the web address looks unfamiliar or suspicious, you should stop signing in, and not do any further authentication. You can instead take a screenshot and contact help@uw.edu, and provide the screenshot to have it checked as legitimate or not.
With the new Duo prompt experience, there is also a change to how to select "remember me" for future sign-ins. The actual handy behavior of "remember me" is not changing; you can read more about this at https://it.uw.edu/tools-services-support/access-authentication/2fa/remember-me/. In the new Duo experience, you will be asked "Is this your device?" If you select "Yes, this is my device", Duo will remember your device for the next 30 days just as "remember me" would do. If you select "No, other people use this device," then Duo will prompt you for 2FA the next time you log in with that browser. New Duo "Remember Me" The language in the new process similarly mirrors the behavior of the previous "Remember me on this browser" check box. Unchecked, you would be prompted for Duo on your next sign-in with that browser, while checking it gives you a 30-day period where this browser would no longer require 2FA upon sign-in. While the look and language have changed, the familiar behavior of "Remember me" stays the same. Old Duo "Remember Me"
Contrasting New and Old Duo Authentication Methods
Previous changes to 2FA also updated the look while authenticating. Each method's changes are captured below.
Contrasting New and Old Duo Authentication Methods
