In this article:
2FA for Generic accounts
If the generic account is for a small group, a Yubikey (or another 2FA device) could be added from the owner’s/owners' real account to the generic account.
If the generic account is a shared account shared by a number of users, a Yubikey can be purchased for $70.
For more information or to purchase a Yubikey, please use the request form https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660
Factors to consider
There are a number of criteria to consider in selecting a second-factor, including:
Assurance levels
Ease of use
Cost
Sensitivity of systems and data
Second-factor assurance levels
Any 2FA protection provides a higher assurance level than a static password alone affords. Within the realm of 2FA options, some options provide a higher level of security than others. The threshold for the security level appropriate for a given application that is protected with 2FA will vary with the risk posed to that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options (e.g., SMS and phone call prompts) will not be allowed.
Duo mobile app | Preferred second-factor option
The preferred option is the Duo Mobile app.
The app is available for iOS and Android devices, with or without cellular access
While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available
The app is simple to register and use. It functions, in various modes, with or without cellular data or Wi-Fi connection
Any Duo-protected application can be authenticated with the app; it is not necessary to disclose the phone number for a smartphone to use the app
System requirements
Duo Mobile System Requirements
Android: the current version of Duo Mobile supports Android 8.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from DUO: Duo Mobile on Android
iPhone: The current version of Duo Mobile supports iOS 13.0 and greater. More information from DUO: Duo Mobile on iOS
Generate Duo mobile app passcodes, even offline!
If you need to access a 2FA-protected service when your mobile device is not connected to Wi-Fi or cellular data, you can generate a single-use passcode. Simply open the Duo Mobile app and select your account. This will display a 6-digit passcode you can type into a 2FA prompt.
Protect more than your University accounts
The Duo Mobile app can be used to protect more than just your University of Waterloo accounts. Most sites that suggest authenticator apps from Google, Microsoft, and others, can be set up in Duo Mobile instead.
Add a backup 2FA device
You can set up the Duo Mobile app on a second device as an alternative to your primary device. Log in to the device management portal and add a new device. It can be a secondary phone, iPad, Android, tablet or even a Chromebook.
Alternative options
Hardware tokens
For steps on enrolling in Duo 2FA using one of the below alternate second-factor methods, please see the Device management instructions page.
Tokens for non-employees (students/alumni/retirees, etc.)
A U2F token is a good option for Duo authentication for web applications
A U2F token will not work with the University's virtual private network (VPN)
The U2F standard is currently well-supported by Google Chrome
U2F tokens are relatively inexpensive, with prices starting below $30
Most YubiKey are compatible with Duo, see this page for details
It is easy for a user to add a U2F token to your Duo account in the self-service portal
Tokens for employees
Tokens must be added to a Duo account by an administrator
Employees who don't have a mobile phone or tablet or would prefer an alternative option can request a token using the 2FA token request form
Report a lost or stolen token or transfer a token to another employee
SMS and phone calls
Duo two-factor authentication (2FA) prompts delivered via SMS or phone call are no longer considered sufficiently secure for employee use. Employees should select the Duo Mobile app on their smartphone or request a YubiKey. If you already have the Duo Mobile app set up, follow the instructions below to remove your phone number and prevent SMS and phone call 2FA options.
Removing your mobile phone number from Duo
To remove your mobile device phone number from Duo:
Log in to the 2FA Device Management Portal at: https://2fa.uwaterloo.ca/duo/dmp
Delete your mobile device from the Device Management Portal.
Remove your University of Waterloo account from the Duo Mobile app.
In the Device Management Portal, “+ Add another device” then select the “Tablet” option and follow the directions to set up the Duo Mobile app again on your mobile device.
Second-factor criteria comparison
Second-factor option | Self-serve enrolment? | Phone number required? | Cellular network connection required? | Wi-Fi connection required? | For employees | For students, alumni, and retirees |
|---|---|---|---|---|---|---|
Duo Mobile app | Yes | No | No | No (only for enrolment) | Yes | Yes |
U2F token | Yes | No | No | Yes | Yes | Yes |
OTP token | No | No | No | No | Yes | Yes |
Combined U2F/OTP token | Yes (U2F) | No | No | No | Yes | Yes |
SMS | Yes | Yes | Yes | No | No | Yes |
Phone call | Yes | Yes | Yes (or landline) | No | No | Yes |
Assurance levels comparison
Second-factor option | Assurance level |
|---|---|
Duo Mobile App | High |
U2F token | High |
OTP token | Moderate - high |
SMS (for students, alumni, and retirees only) | Low |
Phone call (for students, alumni, and retirees only) | Low |
Related articles
Need help?
Contact the IST Service Desk online or 519-888-4567 ext. 44357.