Second factor selection criteria

In this article:

2FA for Generic accounts

 

Factors to consider

There are a number of criteria to consider in selecting a second-factor, including:

  • Assurance levels

  • Ease of use

  • Cost

  • Sensitivity of systems and data

Second-factor assurance levels

Any 2FA protection provides a higher assurance level than a static password alone affords. Within the realm of 2FA options, some options provide a higher level of security than others. The threshold for the security level appropriate for a given application that is protected with 2FA will vary with the risk posed to that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options (e.g., SMS and phone call prompts) will not be allowed.

Duo mobile app | Preferred second-factor option

The preferred option is the Duo Mobile app.

  • The app is available for iOS and Android devices, with or without cellular access

  • While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available

  • The app is simple to register and use. It functions, in various modes, with or without cellular data or Wi-Fi connection

  • Any Duo-protected application can be authenticated with the app; it is not necessary to disclose the phone number for a smartphone to use the app

System requirements

Duo Mobile System Requirements

  • Android: the current version of Duo Mobile supports Android 8.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from DUO: Duo Mobile on Android

  • iPhone: The current version of Duo Mobile supports iOS 13.0 and greater. More information from DUO: Duo Mobile on iOS

Generate Duo mobile app passcodes, even offline!

If you need to access a 2FA-protected service when your mobile device is not connected to Wi-Fi or cellular data, you can generate a single-use passcode. Simply open the Duo Mobile app and select your account. This will display a 6-digit passcode you can type into a 2FA prompt. 

iOS device

 

Android device

 

Protect more than your University accounts

The Duo Mobile app can be used to protect more than just your University of Waterloo accounts. Most sites that suggest authenticator apps from Google, Microsoft, and others, can be set up in Duo Mobile instead.

Add a backup 2FA device

You can set up the Duo Mobile app on a second device as an alternative to your primary device. Log in to the device management portal and add a new device. It can be a secondary phone, iPad, Android, tablet or even a Chromebook.


Alternative options

Hardware tokens

For steps on enrolling in Duo 2FA using one of the below alternate second-factor methods, please see the Device management instructions page.

Tokens for students/alumni/retirees

  • A U2F token is a good option for Duo authentication for web applications

  • A U2F token will not work with the University's virtual private network (VPN)

  • The U2F standard is currently well-supported by Google Chrome

  • U2F tokens are relatively inexpensive, with prices starting below $30

  • Most YubiKey are compatible with Duo, see this page for details

  • It is easy for a user to add a U2F token to your Duo account in the self-service portal

Tokens for employees

SMS and phone calls

Duo two-factor authentication (2FA) prompts delivered via SMS or phone call are no longer considered sufficiently secure for employee use. Employees should select the Duo Mobile app on their smartphone or request a YubiKey. If you already have the Duo Mobile app set up, follow the instructions below to remove your phone number and prevent SMS and phone call 2FA options. 

Removing your mobile phone number from Duo 

To remove your mobile device phone number from Duo: 

  1. Log in to the 2FA Device Management Portal at: https://2fa.uwaterloo.ca/duo/dmp  

  2. Delete your mobile device from the Device Management Portal. 

  3. Remove your University of Waterloo account from the Duo Mobile app. 

  4. In the Device Management Portal, “+ Add another device” then select the “Tablet” option and follow the directions to set up the Duo Mobile app again on your mobile device. 


Second-factor criteria comparison 

Second-factor option

Self-serve enrolment?

Phone number required?

Cellular network connection required?

Wi-Fi connection required?

For employees

For students, alumni, and retirees

Second-factor option

Self-serve enrolment?

Phone number required?

Cellular network connection required?

Wi-Fi connection required?

For employees

For students, alumni, and retirees

Duo Mobile app

Yes

No

No

No (only for enrolment)

Yes

Yes

U2F token

Yes

No

No

Yes

Yes

Yes

OTP token

No 

No

No

No

Yes

Yes

Combined U2F/OTP token

Yes (U2F)

No

No

No

Yes

Yes

SMS

Yes

Yes

Yes

No

No

Yes

Phone call

Yes

Yes

Yes (or landline)

No

No

Yes

Assurance levels comparison

Second-factor option

Assurance level

Second-factor option

Assurance level

Duo Mobile App

High

U2F token

High

OTP token

Moderate - high

SMS (for students, alumni, and retirees only)

Low

Phone call (for students, alumni, and retirees only)

Low

 

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.

Article feedback

If you’d like to share any feedback about this article, please let us know