Two-factor Authentication

What is two-factor authentication?

Two-factor authentication (2FA) adds an extra layer of security to your University accounts.

Verifying your identity using a second factor (like your phone or other mobile device) prevents others from accessing your accounts, even if they know your password.

How it works

Logging into 2FA protected sites and applications is as simple as accepting a notification on your phone, plugging in an authenticator, or entering a PIN from a text message or phone call. Enrol once to protect all of your supported services.

enter password as usual

Enter your password

verify your identify using your phone

Use your phone to verify your identity

you are securely logged in

You're securely logged in

Watch video on YouTube

Check out Duo's text-based enrollment guide

Please note: Should you visit the UWaterloo/DUO site and begin the enrolment process (i.e. click "Start setup”), but don't complete the process, you will be considered opted in and will be challenged when logging into 2FA protected applications or websites.

Select a second factor tool and manage your devices

There are a number of criteria to consider in selecting a second factor option.

Already enrolled? Visit the Device Management Portal to add a device or manage an existing device.

Supported services

Outlook Web App (OWA)
Workday

Microsoft Office 365 web portal
Concur
Unit4

Quest
LEARN*

*2FA will be enabled on LEARN for off-campus access to the system

If you're a service owner looking to implement 2FA, please email rt-ist-iss-general@rt.uwaterloo.ca for more information.

Questions?

Isn't my password enough?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you could be locked out of your account, or you might not even know someone is accessing it. With 2FA, you'll be alerted right away (on your phone) if someone is trying to log in as you.

I've switched devices and/or need to reactivate Duo Mobile

If you get a new phone, or if you’ve re-installed the Duo Mobile app, you'll need to re-activate Duo Mobile. You may enrol your new device yourself using the device management portal.

You will need to log in using a 2FA device already configured to your account. If the device you are replacing is your only 2FA device and you no longer have access to it, submit a ticket to RT for help adding your new device.

What does U2F stand for?

U2F (Universal 2^nd Factor) is an open standard to allow USB and near field communication (NFC) 2FA devices to interface with web browsers. It is currently only well supported in Chrome. Development is underway by Duo and major browsers to accommodate U2F integration via WebAuthn.

Where can I get a U2F authenticator?

U2F is an open standard with many devices that support it. U2F authenticators can readily be purchased from electronics retailers.

What happens if I lose my phone or my U2F authenticator?

Devices can be added or removed in the device management portal.

If you are unable to log in to the device management portal at all, contact the IST Service Desk to have the lost device disabled, and to have an alternate added.

I am unable to add a U2F authenticator

Some browsers do not support U2F authentication. Please use a browser that supports U2F if you wish to use this authentication method.

Can I have Duo/2FA on multiple devices?

Yes, a user can configure several devices on their Duo account via the device management portal. As well, multiple devices of the same type can be added.

How will 2FA impact the use of my email on third party sites?

Your email can still be used on third party sites with no consequence. 2FA will only be applied to the supported services listed above.

What if I don't want to use the DUO mobile app?

Employees who require an authenticator as part of their job and would prefer not to download and use the DUO mobile app on a personal device may request an authenticator (DUO hardware token) from IST.

Employees who do not require an authenticator as part of their job and all Waterloo students may purchase a U2F key from an external provider for personal use, if desired.

Who can request a DUO hardware token?

Individual employees or department heads may submit a request to IST. Complete the request form https://uwaterloo.ca/request-tracking-system/2fa-token-request or visit an IST Service Desk.

When visiting a Service Desk to receive a token, remember your photo identification to provide proof of your identity.

How much does a DUO hardware token cost?

IST will cover the cost of the employee's first DUO hardware token.

Replacing and reprogramming hardware tokens

Lost or stolen tokens can be replaced by the employee's department at a cost of approximately $40 via the IST Webstore. Employees should report a lost or stolen token via https://uwaterloo.ca/request-tracking-system/2fa-token-request or by visiting an IST Service Desk.
DUO hardware tokens can be reprogrammed for use by a new/different employee. Please submit a request via https://uwaterloo.ca/request-tracking-system/2fa-token-request or by visiting an IST Service Desk.
Defective tokens can be replaced by IST. Return the defective token to avoid incurring a replacement charge. Please submit a request via https://uwaterloo.ca/request-tracking-system/2fa-token-request or by visiting an IST Service Desk.
Tokens can be retired when an employee leaves the University. Please return the token to an IST Service Desk or your department administrator.

When visiting a Service Desk to receive a token, remember your photo identification to provide proof of your identity.