Two-factor authentication (2FA) and the VPN
Use checkvpn.uwaterloo.ca to see your computer's VPN connection status.
In the Second Password field, enter one of the following (i.e. push, 6-digit code, bypass code, SMS, phone), then click OK.
- For Duo Mobile push (app):
  - Open your Duo app, select University of Waterloo, and enter the code in the second password field [Recommended option], or
  - Enter 'push' or 'push1' to send the prompt to your primary device, or
  - Enter 'push2' to receive the prompt on a secondary device, 'push3' to receive the prompt on a tertiary device, etc.
- For Duo hardware token: enter your 6-digit code
- For Duo Bypass code: enter your bypass code
- For SMS codes: enter 'sms'; you will get a text message with 10 codes. Re-enter your password, and type the first code in the second password field.
- For YubiKey: enter the code generated by touching the YubiKey
- For Phone Call: enter 'phone'
  - Enter 'phone2' to receive the prompt on a secondary device, 'phone3' to receive the prompt on a tertiary device, etc.
If you are not receiving Duo phone calls, a setting on your device or service may be blocking them. Possible solutions include adding the Duo phone number, (306) 900-4884, to your device whitelist or, if the service is blocking unknown callers, adding the Duo phone number as a contact on the device.
- iPhone: 'Silence Unknown Callers'
- Telus/Koodo: 'Call Control'
- Android: 'Block Unknown Callers'
- Call Control or Call Blocker app
- Any anti-spam service
- 1 Secondary-factor selection criteria to consider
- 2 Second-factor assurance levels
- 3 Duo mobile app | Preferred second-factor option
- 4 System requirements
- 5 Generate Duo mobile app passcodes, even offline!
- 6 Alternative options
- 7 SMS and phone calls
- 8 Second-factor criteria comparison
- 9 Assurance levels comparison
2FA for Generic accounts
If the generic account is for a small group, a YubiKey (or another 2FA device) could be added from the owner’s/owners' real account to the generic account.
If the generic account is shared by a number of users, a YubiKey can be purchased for $70.
For more information or to purchase a Yubikey, please use the request form https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660
Secondary-factor selection criteria to consider
There are a number of criteria to consider in selecting a second-factor, including:
- Assurance levels
- Ease of use
- Cost
- Sensitivity of systems and data
Second-factor assurance levels
Any 2FA protection provides a higher assurance level than a static password alone affords. Within the realm of 2FA options, some options provide a higher level of security than others. The threshold for the security level appropriate for a given application that is protected with 2FA will vary with the risk posed to that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options (e.g., SMS and phone call prompts) will not be allowed.
Duo mobile app | Preferred second-factor option
The preferred option is the Duo Mobile app.
- The app is available for iOS and Android devices, with or without cellular access.
- While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available.
- The app is simple to register and use. It functions, in various modes, with or without cellular data or Wi-Fi connection.
- Any Duo-protected application can be authenticated with the app; it is not necessary to disclose the phone number for a smartphone to use the app.
System requirements
Duo Mobile System Requirements
Android: The current version of Duo Mobile supports Android 8.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from Duo: Duo Mobile on Android
iPhone: The current version of Duo Mobile supports iOS 13.0 and greater. More information from Duo: Duo Mobile on iOS
Generate Duo mobile app passcodes, even offline!
If you need to access a 2FA-protected service when your mobile device is not connected to Wi-Fi or cellular data, you can generate a single-use passcode. Simply open the Duo Mobile app and select your account. This will display a 6-digit passcode you can type into a 2FA prompt.
Protect more than your University accounts
The Duo Mobile app can be used to protect more than just your University of Waterloo accounts. Most sites that suggest authenticator apps from Google, Microsoft, and others, can be set up in Duo Mobile instead.
Add a backup 2FA device
You can set up the Duo Mobile app on a second device as an alternative to your primary device. Log in to the device management portal and add a new device. It can be a secondary phone, iPad, Android, tablet or even a Chromebook.
Alternative options
Hardware tokens
Tokens for non-employees (students/alumni/retirees, etc.)
- A U2F token is a good option for Duo authentication for web applications
- A U2F token will not work with the University's virtual private network (VPN)
- The U2F standard is currently well-supported by Google Chrome
- U2F tokens are relatively inexpensive, with prices starting below $30
- Most YubiKeys are compatible with Duo; see this page for details
- It is easy for a user to add a U2F token to their Duo account in the self-service portal
Tokens for employees
- Tokens must be added to a Duo account by an administrator
- Employees who don't have a mobile phone or tablet or would prefer an alternative option can request a token using the 2FA token request form
- Report a lost or stolen token or transfer a token to another employee
SMS and phone calls
Removing your mobile phone number from Duo
To remove your mobile device phone number from Duo:
1. Log in to the 2FA Device Management Portal at: https://2fa.uwaterloo.ca/duo/dmp
2. Delete your mobile device from the Device Management Portal.
3. Remove your University of Waterloo account from the Duo Mobile app.
4. In the Device Management Portal, select “+ Add another device”, then select the “Tablet” option and follow the directions to set up the Duo Mobile app again on your mobile device.
Second-factor criteria comparison
Second-factor option | Self-serve enrolment? | Phone number required? | Cellular network connection required? | Wi-Fi connection required? | For employees | For students, alumni, and retirees |
---|---|---|---|---|---|---|
Duo Mobile app | Yes | No | No | No (only for enrolment) | Yes | Yes |
U2F token | Yes | No | No | Yes | Yes | Yes |
OTP token | No | No | No | No | Yes | Yes |
Combined U2F/OTP token | Yes (U2F) | No | No | No | Yes | Yes |
SMS | Yes | Yes | Yes | No | No | Yes |
Phone call | Yes | Yes | Yes (or landline) | No | No | Yes |
Assurance levels comparison
Second-factor option | Assurance level |
---|---|
Duo Mobile App | High |
U2F token | High |
OTP token | Moderate - high |
SMS (for students, alumni, and retirees only) | Low |
Phone call (for students, alumni, and retirees only) | Low |
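
One way a service could classify what is typed into the VPN's second password field and refuse the factors rated Low in the table above, as "Second-factor assurance levels" describes for high-assurance applications. This is an added example, not University of Waterloo or Duo code; the function names, the six-digit pattern check, and the gate itself are assumptions.

```python
import re

# Keywords listed on the page; an optional number picks the device (push2, phone3).
# Accepting a number after 'sms' as well is an assumption, so that such input
# is never mistaken for a passcode.
KEYWORD = re.compile(r"^(push|phone|sms)([1-9][0-9]*)?$")
SIX_DIGITS = re.compile(r"^[0-9]{6}$")

# Factors rated "Low" in the page's assurance levels table.
LOW_ASSURANCE = {"sms", "phone"}


def parse_second_password(value):
    """Classify one second-password entry as (factor, device_index)."""
    text = value.strip().lower()  # case and whitespace folding is an assumption
    match = KEYWORD.match(text)
    if match:
        # A bare keyword means the primary device, the same as suffix 1.
        return match.group(1), int(match.group(2) or 1)
    if SIX_DIGITS.match(text):
        return "passcode", None  # Duo Mobile or hardware token code
    # Bypass codes and YubiKey output: their formats are not given on the page.
    # Malformed keywords such as 'push0' also fall through as opaque codes.
    return "other_code", None


def permitted(value, high_assurance_app):
    """Hypothetical gate: refuse Low-assurance factors for high-assurance apps."""
    factor, _ = parse_second_password(value)
    return not (high_assurance_app and factor in LOW_ASSURANCE)


def triage(entries, high_assurance_app):
    """Return (entry, factor, device_index, permitted) for each entry."""
    rows = []
    for entry in entries:
        factor, device = parse_second_password(entry)
        rows.append((entry, factor, device, permitted(entry, high_assurance_app)))
    return rows


# Constructed sample entries, not taken from any real login.
SAMPLE = ["push", "push2", "123456", "sms", "phone3", "push0"]

if __name__ == "__main__":
    for row in triage(SAMPLE, high_assurance_app=True):
        print(row)
```

A 6-digit entry cannot be attributed to the app or a hardware token from the input alone, so the gate only blocks the keyword-selected SMS and phone factors.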