Versions Compared

Old Version 5

changes.mady.by.user Farhia Hussein

Saved on

compared with

New Version Current

changes.mady.by.user Palak Chauhan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

Info

Effective November 17, 2020, many central online services at the University of Waterloo will require two-factor authentication for access. This will impact retirees as the services affected include Workday, myPensionInfo, and Office 365 services, including email. You are encouraged to enrol early to familiarize yourself with this service.

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you could be locked out of your account, or you might not even know someone is accessing it. 

Two-factor authentication (2FA) adds a second layer of security, keeping your account secure even if your password is compromised. With 2FA, you will be alerted right away if someone is trying to log in as you. 

This article describes what Two-factor Authentication (2FA) is, why the University of Waterloo uses it and how to get started to enrol in 2FA. For complete information about 2FA at UWaterloo, please review IST’s two-factor webpage: https://uwaterloo.ca/two-factor-authentication/.

This article includes:

Table of Contents
minLevel1
maxLevel2

What is two-factor authentication?

Two-factor authentication (2FA), also known as multi-factor authentication, is the process of authenticating to an online service using something you know as the first factor (i.e. a password) and something you physically have as the second factor. Traditionally, the second authentication factor would be a physical fob or token, with the most popular form having a six-digit display.

Note

Many central online services at the University of Waterloo require two-factor authentication for access. You will need to enrol in 2FA before being able to access these services.
Learn more at the university’s 2fa information page: uwaterloo.ca/2fa.

Why is Waterloo doing this?

Password-based attacks account for most of the cyber-attacks against the University. The COVID-19 pandemic has resulted in a dramatic increase in phishing attacks against UW, and because people frequently re-use passwords, breaches at other sites can still impact the University because of a related attack called “credential stuffing”. In short, the password alone is obsolete. Stronger authentication is required for services on the public Internet. See:

2FA at Waterloo

The use of 2FA at Waterloo actually dates back to 1996, when Data Processing (DP) implemented the SecurID system to protect the finance system. The Department of Computing Services (DCS) and the Math Faculty Computing Facility (MFCF) also made use of the SecurID system to secure privileged access to the UNIX systems they managed. IST continued using 2FA until 2004 when the main finance system was upgraded; the Faculty of Mathematics has continued using various forms of 2FA since then.

In 2016, IST began piloting Duo Security’s 2FA solution and several years later, after an RFP, Duo Security was chosen as the University’s 2FA provider. Duo is a cloud service and enjoys wide adoption by colleges and universities in the United States. Duo 2FA was made available on many UW systems, on a voluntary basis, in 2019. The Duo 2FA service supports a variety of options as the second-factor authenticator including smartphones, SMS, voice callback, tokens/fobs, and YubiKeys. Some of the authenticators are limited in what services they support, and the management overhead also varies.

What’s the impact on retirees? What do retirees need to do?

Effective November 3, 2020, access to Workday, myPensionInfo, and other UW services that retirees may use, will require two-factor authentication for access. Retirees will need to enrol in 2FA before being able to access these services.

IST strongly recommends that retirees consider one of two authenticator options for 2FA:

Duo Push–This requires you to download a small app called ‘Duo Mobile’ to yourAndroid/iPhone smartphone, or tablet, with an Internet connection.

Call Me–This requires a telephone, landline or cell.
 

In both cases, when accessing UW services after November 3, 2020, you need to have your device or phone nearby.

Using the Duo Push option

Download the Duo Mobile App

From the iPhone App store or Play Store, install the ‘Duo Mobile’ app by Duo Security.

Enrol the device

...

Authenticating

When accessing a 2FA protected service (e.g. Workday), do the following:

...

Tip

Click Remember me for 30 days to reduce the number of authentication prompts you receive from an application each month.

...

Using the Call Me option

Enrol using your telephone number

To setup 2FA on your account, do the following:

  1. Visit https://2fa.uwaterloo.ca/duo/enrol
  2. Authenticate with your 8-character WatIAM username and password
  3. Select ‘Landline’
    Image Removed
  4. Follow the instructions for enroling your landline

Authenticating

When accessing a 2FA protected service (e.g. Workday), do the following:

...

How to enroll and authenticate with 2FA

First-time Enrollment in Duo https://guide.duo.com/universal-prompt#enrollment

The preferred second-factor option is the Duo Mobile app 

  • The app is available for iOS and Android devices, with or without cellular access 

  • While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available 

  • The app is simple to register and use. It functions in various modes, with or without cellular data or Wi-Fi connection 

  • Any Duo-protected application can be authenticated with the app. It is not necessary to disclose the phone number for a smartphone to use the app 

System requirements

Duo Mobile System Requirements

  • Android: the current version of Duo Mobile supports Android 10.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from DUO: Duo Mobile on Android

  • iPhone: The current version of Duo Mobile supports iOS 14.0 and greater. More information from DUO: Duo Mobile on iOS

Info

  • SMS and phone call Two Factor Authentication (2FA) are being phased out for employees. Employees who don't have a mobile phone or tablet, or would prefer an alternate option, can request a token using the 2FA token request form.

  • Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.

  • If you need to remove a device or replace a phone that was lost or stolen, please refer to the article Removing a device or replacing a lost or stolen token

Optional: You may choose to purchase a token to have a backup should you not have access to your mobile phone or your device of choice.

Optional: You may add multiple Duo Mobile devices to your 2FA account. The Duo Mobile app is available for recent Android (phone, tablet) and iOS (iPhone, iPad) devices. Duo Mobile can also be installed and set up on Chromebooks. 

Download the Duo Mobile app onto your mobile device

From your app store install the “Duo Mobile” app by Duo Security

Enroll the device

Using the Duo Push option

  1. Visit  Device management

  2. Authenticate with your 8-character username @uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password

  3. Click Next on the three welcome and informational pages.

    Welcome informational page of DuoImage Added

  4. Select Duo Mobile.

     

    Image Added

  5. Enter a phone number.

    Image Added

  6. If you haven’t already, install the Duo Mobile app and click Next.

    Image Added

  7. Use the Duo Mobile app to scan the QR code and add your account to the app.

    Image Added


  8. Click Continue.

    Image Added

  9. Log out and close your browser.

Add the Duo Mobile App to a tablet or cell phone without providing a phone number

Info

The instructions below apply to iOS and Android tablets.

  1. Go to Device management .

  2. Select Add a device.

    Image Added

     

  3. Select Duo Mobile.

    Image Added

  4. Skip entering a phone number by selcting I have a tablet.

    Image Added

     

  5. If you havent already, install the Duo Mobile app and click Next.

    Image Added

     

  6. Use the Duo Mobile app to scan the QR code and add your account to the app.

    Image Added

Add a Security Key

  1. Go to Device management .

  2. Select Add a device

     

    Image Added

     

    Image Added

     

  3. Select Security Key.

     

    Image Added

  4. Insert your security key and click Continue, then follow the instructions.

Image AddedImage Added

Image Added

Authenticating

The guide below shows how to log in to a 2FA-protected service using DUO.

  1. Log in to the service with your 8-character UWaterloo username@uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password

  2. When presented with the DUO prompt, click Send Me a Push.

  3. In your browser, a verification code will display.

browser (003)-20240308-192711.pngImage Added

  1. On your smartphone, enter the verification code when prompted and select Verify or I’m not logging in as appropriate.

DuoMobile_Android (002)-20240308-192711.pngImage AddedDuoMobile_iOS (002)-20240308-192711.jpegImage Added

Additional resources for enrolling in 2FA

Second-factor options

For alternative second-factor options, please see Duo two-factor authentication (2FA) and the VPN

Device management

For information on device management, please see Duo Management Guide

Where is that push coming from?

When you receive a 2FA push notification on your phone, it will display the geographic location the access is coming from. Looking at this before approving the prompt provides an extra level of assurance that you are approving the correct login. If the location is incorrect or you are not actually logging in to a 2FA-protected service, you should deny access and report it as suspicious. See also, What do I do with an unexpected 2FA notification?

Image Added
Image Added

Filter by label (Content by label)
showLabelsfalse
max5
spacesISTKB
showSpacefalse
sortmodified
typepage
reversetrue

...

labels2fa two factor authentication retire duo
cqllabel in ( "duo" , "authentication" , "

...

2fa" , "

...

overview" , "

...

two-factor-authentication" ) and type = "page" and space = "ISTKB"

...

...

hiddentrue

...

Info

...

Need help?

Contact the IST Service Desk

...

online or 519-888-4567 ext. 44357.

Tip

Article feedback

If you’d like to share any feedback about this article, please let us know.