Effective November 2020, many central online services at the University of Waterloo will require two-factor authentication for access. This will impact retirees as the services affected include Workday, myPensionInfo, and Office 365 services, including email.
What is two-factor authentication?
Two-factor authentication (2FA), also known as multi-factor authentication, is the process of authenticating to an online service using something you know (i.e. a password) and something you physically have. Traditionally, the second authentication factor would be a physical fob or token, with the most popular form having a six-digit display.
Why is Waterloo doing this?
Password-based attacks account for most of the cyber-attacks against the University. The COVID-19 pandemic has resulted in a dramatic increase in phishing attacks against UW, and because people frequently re-use passwords, breaches at other sites can still impact the University because of a related attack called “credential stuffing”. In short, the password alone is obsolete. Stronger authentication is required for services on the public Internet. See:
The use of 2FA at Waterloo actually dates back to 1996, when Data Processing (DP) implemented the SecurID system to protect the finance system. The Department of Computing Services (DCS) and the Math Faculty Computing Facility (MFCF) also made use of the SecurID system to secure privileged access to the UNIX systems they managed. IST continued using 2FA until 2004 when the main finance system was upgraded; the Faculty of Mathematics has continued using various forms of 2FA since then.
In 2016, IST began piloting Duo Security’s 2FA solution and several years later, after an RFP, Duo Security was chosen as the University’s 2FA provider. Duo is a cloud service and enjoys wide adoption by colleges and universities in the United States. Duo 2FA was made available on many UW systems, on a voluntary basis, in 2019. The Duo 2FA service supports a variety of options as the second-factor authenticator including smartphones, SMS, voice callback, tokens/fobs, and YubiKeys. Some of the authenticators are limited in what services they support, and the management overhead also varies.
What’s the impact on retirees? What do retirees need to do?
Effective November 2020, access to Workday, myPensionInfo, and other UW services that retirees may use, will require two-factor authentication for access. Retirees will need to enroll in 2FA before being able to access these services.
IST strongly recommends that retirees consider one of two authenticator options for 2FA:
Duo Push – This requires you to download a small app called ‘Duo Mobile’ to your Android/iPhone smartphone, or tablet, with an Internet connection.
Call Me – This requires a telephone, landline or cell.
In both cases, when accessing UW services after November 2020, you need to have your device or phone nearby.