Duo two-factor authentication overview and instructions

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you could be locked out of your account, or you might not even know someone is accessing it.

Two-factor authentication (2FA) adds a second layer of security, keeping your account secure even if your password is compromised. With 2FA, you will be alerted right away if someone is trying to log in as you.

This article describes what Two-factor Authentication (2FA) is, why the University of Waterloo uses it and how to get started to enrol in 2FA. For complete information about 2FA at UWaterloo, please review IST’s two-factor webpage: https://uwaterloo.ca/two-factor-authentication/.

This article includes:

What is two-factor authentication?

Two-factor authentication (2FA), also known as multi-factor authentication, is the process of authenticating to an online service using something you know as the first factor (i.e. a password) and something you physically have as the second factor. Traditionally, the second authentication factor would be a physical fob or token, with the most popular form having a six-digit display.

Many central online services at the University of Waterloo require two-factor authentication for access. You will need to enrol in 2FA before being able to access these services.
Learn more at the university’s 2fa information page: uwaterloo.ca/2fa.

Why is Waterloo doing this?

Password-based attacks account for most of the cyber-attacks against the University. The COVID-19 pandemic has resulted in a dramatic increase in phishing attacks against UW, and because people frequently re-use passwords, breaches at other sites can still impact the University because of a related attack called “credential stuffing”. In short, the password alone is obsolete. Stronger authentication is required for services on the public Internet. See:

Authenticate with 2FA

First-time Enrollment in Duo https://guide.duo.com/universal-prompt#enrollment

The preferred second-factor option is the Duo Mobile app

The app is available for iOS and Android devices, with or without cellular access
While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available
The app is simple to register and use. It functions in various modes, with or without cellular data or Wi-Fi connection
Any Duo-protected application can be authenticated with the app. It is not necessary to disclose the phone number for a smartphone to use the app

System requirements

Duo Mobile System Requirements

Android: the current version of Duo Mobile supports Android 10.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android. More information from DUO: Duo Mobile on Android
iPhone: The current version of Duo Mobile supports iOS 14.0 and greater. More information from DUO: Duo Mobile on iOS

SMS and phone call Two Factor Authentication (2FA) are being phased out for employees. Employees who don't have a mobile phone or tablet, or would prefer an alternate option, can request a token using the 2FA token request form.
Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.
If you need to remove a device or replace a phone that was lost or stolen, please refer to the article Removing a device or replacing a lost or stolen token

Optional: You may choose to purchase a token to have a backup should you not have access to your mobile phone or your device of choice.

Optional: You may add multiple Duo Mobile devices to your 2FA account. The Duo Mobile app is available for recent Android (phone, tablet) and iOS (iPhone, iPad) devices. Duo Mobile can also be installed and set up on Chromebooks.

Download the Duo Mobile app onto your mobile device

From your app store install the “Duo Mobile” app by Duo Security