Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Effective November 17, 2020, many central online services at the University of Waterloo will require two-factor authentication for access. This will impact retirees as the services affected include Workday, myPensionInfo, and Office 365 services, including email. You are encouraged to enrol early to familiarize yourself with this service.

What is two-factor authentication?

Two-factor authentication (2FA), also known as multi-factor authentication, is the process of authenticating to an online service using something you know (i.e. a password) and something you physically have. Traditionally, the second authentication factor would be a physical fob or token, with the most popular form having a six-digit display.

Why is Waterloo doing this?

Password-based attacks account for most of the cyber-attacks against the University. The COVID-19 pandemic has resulted in a dramatic increase in phishing attacks against UW, and because people frequently re-use passwords, breaches at other sites can still impact the University because of a related attack called “credential stuffing”. In short, the password alone is obsolete. Stronger authentication is required for services on the public Internet. See:

2FA at Waterloo

The use of 2FA at Waterloo actually dates back to 1996, when Data Processing (DP) implemented the SecurID system to protect the finance system. The Department of Computing Services (DCS) and the Math Faculty Computing Facility (MFCF) also made use of the SecurID system to secure privileged access to the UNIX systems they managed. IST continued using 2FA until 2004 when the main finance system was upgraded; the Faculty of Mathematics has continued using various forms of 2FA since then.

In 2016, IST began piloting Duo Security’s 2FA solution and several years later, after an RFP, Duo Security was chosen as the University’s 2FA provider. Duo is a cloud service and enjoys wide adoption by colleges and universities in the United States. Duo 2FA was made available on many UW systems, on a voluntary basis, in 2019. The Duo 2FA service supports a variety of options as the second-factor authenticator including smartphones, SMS, voice callback, tokens/fobs, and YubiKeys. Some of the authenticators are limited in what services they support, and the management overhead also varies.

What’s the impact on retirees? What do retirees need to do?

Effective November 3, 2020, access to Workday, myPensionInfo, and other UW services that retirees may use, will require two-factor authentication for access. Retirees will need to enrol in 2FA before being able to access these services.

IST strongly recommends that retirees consider one of two authenticator options for 2FA:

Duo Push–This requires you to download a small app called ‘Duo Mobile’ to yourAndroid/iPhone smartphone, or tablet, with an Internet connection.

Call Me–This requires a telephone, landline or cell.
 

In both cases, when accessing UW services after November 3, 2020, you need to have your device or phone nearby.

Using the Duo Push option

Download the Duo Mobile App

From the iPhone App store or Play Store, install the ‘Duo Mobile’ app by Duo Security.

Enrol the device

  1. Visit https://2fa.uwaterloo.ca/duo/enrol

  2. Authenticate with your 8-character WatIAM username and password
     

  3. Select ‘Mobile phone’ or ‘Tablet’


  4. Follow the instructions for enroling your device

Authenticating

When accessing a 2FA protected service (e.g. Workday), do the following:

  1. Authenticate to the service (e.g. Workday) with your 8-character username and password
     

  2. At the Duo prompt, click ‘Send Me a Push’.

    Click Remember me for 30 days to reduce the number of authentication prompts you receive from an application each month.




  3. On your smartphone select ‘Accept’ when prompted


Using the Call Me option

Enrol using your telephone number

To setup 2FA on your account, do the following:

  1. Visit https://2fa.uwaterloo.ca/duo/enrol
  2. Authenticate with your 8-character WatIAM username and password
  3. Select ‘Landline’
  4. Follow the instructions for enroling your landline

Authenticating

When accessing a 2FA protected service (e.g. Workday), do the following:

  1. Authenticate to the service (e.g. Workday) with your 8-character username and password. 
     
  2. At the Duo prompt, click ‘Call Me’.


  3. Answer your ringing telephone and listen to the voice prompt.

Need Help?

Contact the IST Service Desk at helpdesk@uwaterloo.ca or 519-888-4567 ext. 44357.

  • No labels