2FA/Duo

Request a security key | Sign up for Duo 2FA | Adding a device | Adding a second device | Configure your device settingsAuthenticate using Duo

Prerequisites

To sign up for Duo 2FA, you will need either a mobile phone, tablet, or security key (e.g. YubiKey, U2F).

  • If you are using a mobile phone or tablet, download the Duo Mobile app.
  • If you are an employee, you can submit a request for a security key instead of using a mobile device for two-factor authentication.
  • If you a student, alumni, co-op, contract staff, or retiree, you can purchase a YubiKey or Hardware Token through Amazon or another vendor instead of using a mobile device for two-factor authentication.

Sign up for Duo 2FA

You can follow these instructions to add your first two-factor authentication method.

  1. In your browser, go to the Duo Device Management Portal.
  2. Enter your WatIAMuserid@uwaterloo.ca and your WatIAM password when prompted, then click "Sign in".
  3. Select the type of device from the list, then click "Continue" to begin adding it.
  4. Navigate to the instructions for adding your device(s): mobile phone, tablet, or security key.

Adding a device

These instructions explain how to add the various types of devices in Duo.

Mobile phone | TabletSecurity key

Mobile phone

  1. Go to the Duo Device Management Portal.
  2. Select your country's area code using the drop down menu and then enter your phone number.
  3. Verify it is correct, then click "Continue".
  4. If you haven't already, download the Duo Mobile App on your phone and click "Next".
  5. Select the type of phone you are using (e.g. iPhone, Android, etc…), then click "Continue".
  6. In the Duo setup wizard, a QR code will be displayed.
  7. Open the Duo Mobile App on your mobile phone and select "Use a QR Code".
  8. You may be prompted to allow access to your camera, select "Allow/OK" and scan the QR code.
  9. Click "Continue" (This button will be locked until scanning is complete).
  10. Optionally, configure your device's settings.
  11. Your mobile phone is now set up for two-factor authentication with Duo.

Tablet

  1. Go to the Duo Device Management Portal
  2. Select your tablet's operating system (e.g iOS, Android, etc.) then click "Continue".
  3. In the Duo setup wizard, a QR code will be displayed.
  4. Open the Duo Mobile App on your tablet and select "Use a QR Code".
  5. You may be prompted to allow access to your camera, select "Allow/OK" and scan the QR code.
  6. Click "Continue" (This button will be locked until scanning is complete).
  7. Optionally, configure your device's settings.
  8. Your tablet is now set up for two-factor authentication with Duo.

Security key (device must support OTP for VPN authentication)

  1. Go to the Duo Device Management Portal.
  2. Ensure that pop-up windows are enabled on your computer.
  3. A prompt will appear to insert and tap your security key immediately after pressing “Continue” in the Duo setup wizard.
  4. Optionally, configure your device's settings.
  5. Your security key is now set up for 2FA authentication with Duo.

Adding multiple devices

If you have already enrolled a device, you can also add another device as an authentication method by following the steps below:

  1. Log into the Duo Device Management Portal.
  2. Complete the 2FA prompt using your first device.
  3. Click "+Add another device" and select your device type from the list.
  4. Navigate to the correct instructions below for your specific type of device: mobile phone, tablet, or security key

Configure your device settings

Select a default device / 2FA method | Reactivate Duo | Change device's name | Delete a device

After you have added one or more devices to your 2FA you can configure your device settings using the Duo Device Management Portal. The options available in this portal include:

  • Select a default device and two-factor authentication method
  • Reactivate Duo in the case you have gotten a new device 
  • Change your device's name 
  • Delete your device

Select a default device/2FA method

Duo can be configured to automatically send you an authentication request using your preferred authentication method. If the settings of your device are not configured you will be asked to choose an authentication method each time you use 2FA.

  1. In the Duo Device Management Portal where it says "Default Device", select your desired default device from the drop down menu.
  2. Select your desired authentication method from the "When I log in" drop down menu. 
    1. These options will vary depending on what type of device you are using.
  3. Click the "Save" button.

Reactivate Duo

  1. In the Duo Device Management Portal click the blue "Device Options" button beside the device you want to reactivate. 
  2. Click "Reactivate Duo Mobile".
  3. Follow the correct instructions for your device: mobile phone, tablet, or security key.

Change device name

  1. In the Duo Device Management Portal click the blue "Device Options" button beside the desired device. 
  2. Click the blue "Change Device Name"  button.
  3. Enter the desired device name then click the green "Save" button. 

Delete a device

  1. In the Duo Device Management Portal click the blue "Device Options" button beside the desired device. 
  2. Click the red trash can icon.
  3. Click "Remove".
    1. This action cannot be undone. Please ensure you are removing the correct device.

Authenticate using Duo

Campus VPN | ADFS

Campus VPN

To connect to the campus VPN, you must enter your WatIAM credentials, followed by a second password. The second password defines the second factor you've chosen.

Second factor Second password field
Duo push notification type: push (for multiples, push1 or push2 ...)
Phone call type: phone (for multiples phone1 or phone2 ...)
Test message (SMS) type: sms (for multiples, sms1 or sms2 ...)
IST provided YubiKey

place cursor in second password field and touch token

(non-IST-provided hardware auth devices must be programmed for OTP and registered with IST)

Duo hardware token or bypass code type the passcode in the second password field

ADFS (Active Directory Federation Service)

When you log in to a university site such as Learn, Portal or, Quest, you are logging in using the ADFS portal. To login, via the ADFS portal, you will need your WatIAM credentials followed by a successful 2FA authentication of your login attempt.

To authenticate your login attempt through ADFS:

  1. Select your preferred method of 2FA authentication. If you have pre-selected a default preferred authentication method in Duo, a 2FA request will be sent automatically.
  2. Approve the authentication request using your preferred method.

‎