 I SEE A "WE'RE SORRY, ACCESS IS NOT ALLOWED BECAUSE YOU ARE NOT ENROLLED." ERROR MESSAGE WHEN ATTEMPTING TO LOG IN TO SOME SYSTEMS (E.G., QUEST, LEARN, MICROSOFT 365). WHAT SHOULD I DO?

You must enrol in the University's two-factor authentication (2FA) service before you can access those 2FA-supported systems. Visit https://uwaterloo.login.duosecurity.com/devices to enrol your device, then attempt to log in to the system again.

 HOW DO I CONNECT TO THE VIRTUAL PRIVATE NETWORK (VPN) USING 2FA?

Follow the steps outlined in the Duo 2FA and the VPN knowledge base support article.

 ISN'T MY PASSWORD ENOUGH?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you could be locked out of your account, or you might not even know someone is accessing it. With 2FA, you'll be alerted right away (on your phone) if someone is trying to log in as you.

 CAN I HAVE DUO/2FA ON MULTIPLE DEVICES?

Yes, you can configure several devices on your Duo account via the device management portal. As well, multiple devices of the same type can be added.

 WHAT ARE THE MOBILE DEVICE REQUIREMENTS FOR USING DUO 2FA?

Android: The current version of Duo Mobile supports Android 10.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android.

iPhone: The current version of Duo Mobile supports iOS 14.0 and greater. Support for older Duo Mobile versions on iOS 10.0 ended December 1, 2020.

 I'VE SWITCHED DEVICES AND/OR NEED TO REACTIVATE DUO MOBILE

If you get a new phone, or if you’ve re-installed the Duo Mobile app, you'll need to re-activate Duo Mobile. You may enrol your new device yourself using the device management portal.

You will need to log in using a 2FA device already configured to your account. If the device you are replacing is your only 2FA device and you no longer have access to it, submit a request via the IST Jira Help Portal for help adding your new device. 

 WHAT IF I CAN'T OR DON'T WANT TO USE THE DUO MOBILE APP?

Employees who don't have a mobile phone or tablet, or would prefer an alternate option, can request a token using the 2FA token request form.

Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.

 HOW MUCH DOES A DUO HARDWARE TOKEN COST?

IST will cover the cost of the employee's first Duo hardware token.

 HOW DO I REPLACE AND/OR REPROGRAM HARDWARE TOKENS?

When visiting a Service Desk to receive a token, remember your photo identification to provide proof of your identity.

 WHAT IF I DON'T HAVE A PHONE?

Employees who don't have a mobile phone or tablet can request a token using the 2FA token request form.

Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.

 WHAT IS A U2F AUTHENTICATOR AND WHERE CAN I GET ONE?

U2F (Universal 2nd Factor) is an open standard that allows USB and near field communication (NFC) 2FA devices to interface with web browsers. It is currently only well supported in Chrome. Development is underway by Duo and major browsers to accommodate U2F integration via WebAuthn. U2F authenticators can readily be purchased from electronics retailers, such as Amazon.

WHAT HAPPENS IF I LOSE MY PHONE OR MY U2F AUTHENTICATOR?

Devices can be added or removed in the device management portal.

If you are unable to log in to the device management portal at all, contact the IST Service Desk to have the lost device disabled, and to have an alternate added. 

You may choose to purchase a token to have as a backup should you not have access to your phone.

 I AM UNABLE TO ADD A U2F AUTHENTICATOR

Some browsers do not support U2F authentication. Please use a browser that supports U2F if you wish to use this authentication method.

 WHY CAN’T I USE GOOGLE AUTHENTICATOR (OR OTHERS LIKE AUTHY OR FREEOTP) WITH DUO 2FA?

Duo 2FA does not provide support for software OTP applications like Google Authenticator, Authy and FreeOTP. While local support for these apps is being developed at Waterloo, the Duo Mobile app does provide an improved user experience. Duo Mobile push functionality will simply prompt you to acknowledge your login on your mobile device, without the need to type in a numeric code.

 HOW WILL 2FA IMPACT THE USE OF MY EMAIL ON THIRD PARTY SITES?

Your email can still be used on third party sites with no consequence. 2FA will only be applied to the supported services listed above.

 HOW WILL 2FA IMPACT GENERIC ACCOUNTS?

Questions regarding the impact of 2FA on a generic account should be submitted to https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/410/create/1660.

 I AM A RETIREE. HOW WILL THIS CHANGE IMPACT ME?

If you are already enrolled in DUO 2FA authenticator, retiring does not impact you.
If you are not enrolled in DUO 2FA authenticator, please follow these steps: https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/262013138/Duo+device+management+instructions?src=search#Add-the-Duo-Mobile-App-to-a-tablet-or-cell-phone-without-providing-a-phone-number
Please review the Duo 2FA Overview and instructions to learn more.

 I'M A SERVICE OWNER LOOKING TO IMPLEMENT 2FA, WHAT SHOULD I DO?
 WHERE CAN I FIND DUO'S PRIVACY AND SECURITY INFORMATION?
 WHAT DO I DO WITH AN UNEXPECTED 2FA NOTIFICATION?

If you receive an unexpected 2FA notification, choose the “Deny” option and indicate that the 2FA notification is suspicious. This will alert the Security Operations Centre (SOC) that a potentially malicious login has been attempted, and SOC staff will investigate further. You should then visit the WatIAM page to change your password.

If you approved a 2FA push notification that you are now suspicious of, you can report it to the SOC, soc@uwaterloo.ca, for investigation. See also, Where is that push coming from?

iOS device - deny prompt

iOS device - report as suspicious prompt

Android device - deny prompt

Android device - report as suspicious prompt

 

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
