Two-factor authentication (2FA) and the VPN

Use checkvpn.uwaterloo.ca to see your computer's VPN connection status.

In the Second Password field, enter one of the following (i.e. push, 6 digit code, bypass code, SMS, phone) then click OK.

For Duo Mobile push (app): 

  • Open your Duo app, select University of Waterloo, enter the code in the second password field [Recommended option], or

  • Enter ‘push' or 'push1’ to send the prompt to your primary device, or

  • Enter ‘push2’ to receive the prompt on a secondary device, ‘push3’ to receive the prompt on a tertiary device, etc.

For Duo hardware token: enter your 6-digit code

For Duo Bypass code: enter your bypass code

For SMS codes: enter ‘sms’; you will get a text message with 10 codes. Re-enter your password, and type the first code in the second password field.

For Yubikey: enter the code generated by touching the Yubikey

For Phone Call: enter 'phone'

  • Enter ‘phone2’ to receive the prompt on a secondary device, ‘phone3’ to receive the prompt on a tertiary device, etc.

  • If you are not receiving Duo phone calls, you may have a setting that is blocking the phone calls. Some possible solutions include adding the Duo phone number, (306) 900-4884, to your device whitelist, or if the service is blocking unknown callers, add the Duo phone number as a contact on the device.

    • iPhone: 'Silence Unknown Callers'

    • Telus/Koodo: 'Call Control'

    • Android: 'Block Unknown Callers'

    • Call Control or Call Blocker app

    • Any anti-spam service

2FA for Generic accounts

 

Secondary-factor selection criteria to consider

There are a number of criteria to consider in selecting a second-factor, including:

  • Assurance levels

  • Ease of use

  • Cost

  • Sensitivity of systems and data

Second-factor assurance levels

Any 2FA protection provides a higher assurance level than a static password alone affords. Within the realm of 2FA options, some options provide a higher level of security than others. The threshold for the security level appropriate for a given application that is protected with 2FA will vary with the risk posed to that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options (e.g., SMS and phone call prompts) will not be allowed.

Duo mobile app | Preferred second-factor option

The preferred option is the Duo Mobile app.

  • The app is available for iOS and Android devices, with or without cellular access

  • While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available

  • The app is simple to register and use. It functions, in various modes, with or without cellular data or Wi-Fi connection

  • Any Duo-protected application can be authenticated with the app; it is not necessary to disclose the phone number for a smartphone to use the app

System requirements

Duo Mobile System Requirements

  • Android: the current version of Duo Mobile supports Android 8.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from DUO: Duo Mobile on Android

  • iPhone: The current version of Duo Mobile supports iOS 13.0 and greater. More information from DUO: Duo Mobile on iOS

Generate Duo mobile app passcodes, even offline!

If you need to access a 2FA-protected service when your mobile device is not connected to Wi-Fi or cellular data, you can generate a single-use passcode. Simply open the Duo Mobile app and select your account. This will display a 6-digit passcode you can type into a 2FA prompt. 

iOS device

 

Android device

 

Protect more than your University accounts

The Duo Mobile app can be used to protect more than just your University of Waterloo accounts. Most sites that suggest authenticator apps from Google, Microsoft, and others, can be set up in Duo Mobile instead.

Add a backup 2FA device

You can set up the Duo Mobile app on a second device as an alternative to your primary device. Log in to the device management portal and add a new device. It can be a secondary phone, iPad, Android, tablet or even a Chromebook.


Alternative options

Hardware tokens

Tokens for non-employees (students/alumni/retirees, etc.)

  • A U2F token is a good option for Duo authentication for web applications

  • A U2F token will not work with the University's virtual private network (VPN)

  • The U2F standard is currently well-supported by Google Chrome

  • U2F tokens are relatively inexpensive, with prices starting below $30

  • Most YubiKey are compatible with Duo, see this page for details

  • It is easy for a user to add a U2F token to your Duo account in the self-service portal

Tokens for employees

SMS and phone calls

Removing your mobile phone number from Duo 

To remove your mobile device phone number from Duo: 

  1. Log in to the 2FA Device Management Portal at: https://2fa.uwaterloo.ca/duo/dmp  

  2. Delete your mobile device from the Device Management Portal. 

  3. Remove your University of Waterloo account from the Duo Mobile app. 

  4. In the Device Management Portal, “+ Add another device” then select the “Tablet” option and follow the directions to set up the Duo Mobile app again on your mobile device. 


Second-factor criteria comparison 

Second-factor option

Self-serve enrolment?

Phone number required?

Cellular network connection required?

Wi-Fi connection required?

For employees

For students, alumni, and retirees

Second-factor option

Self-serve enrolment?

Phone number required?

Cellular network connection required?

Wi-Fi connection required?

For employees

For students, alumni, and retirees

Duo Mobile app

Yes

No

No

No (only for enrolment)

Yes

Yes

U2F token

Yes

No

No

Yes

Yes

Yes

OTP token

No 

No

No

No

Yes

Yes

Combined U2F/OTP token

Yes (U2F)

No

No

No

Yes

Yes

SMS

Yes

Yes

Yes

No

No

Yes

Phone call

Yes

Yes

Yes (or landline)

No

No

Yes

Assurance levels comparison

Second-factor option

Assurance level

Second-factor option

Assurance level

Duo Mobile App

High

U2F token

High

OTP token

Moderate - high

SMS (for students, alumni, and retirees only)

Low

Phone call (for students, alumni, and retirees only)

Low