Two-factor Authentication

Helpful resources

Enrol your mobile device in the Duo Mobile App
Add a second and/or backup device should you lose/forget your primary device
Learn how to generate backup, single-use authentication codes
Learn more about other second-factor options
Review 2FA FAQ’s and learn more about this change

When logging in to a supported system, select the Remember me for 30 days option to reduce the number of authentication prompts received for that system
Employees who would prefer to use a token authenticator should complete the 2FA Token Request form (Note: this process takes approximately three weeks)
Duo 2FA and the virtual private network (VPN)

About two-factor authentication (2FA)

What is two-factor authentication?

Two-factor authentication (2FA) adds an extra layer of security to your University accounts.

Verifying your identity using a second factor (like your phone or other mobile device) prevents others from accessing your accounts, even if they know your password.

Watch the 2FA recorded seminar to learn more! (authentication required)

Do I have to use 2FA?

2FA is required by all University students and employees to access 2FA supported services.

You are encouraged to enrol in this service using the Duo Mobile App for the most secure and convenient 2FA experience. Don't have a phone or would prefer an alternate option? See our list of second-factor alternatives or contact your 2FA Change Champion for support.

2FA supported services

Office 365 web portal
Outlook web app (OWA)
LEARN, Quest
Workday, Concur, Unit4
Campus virtual private network (VPN)
Other applications that support single sign-on

How does it work?

Logging into 2FA protected sites and applications is as simple as accepting a notification on your phone, plugging in an authenticator, or entering a PIN from a text message or phone call. Enrol once to protect all of your supported services.

Helpful tip: Reduce the number of authentication prompts you receive from an applications each month by selecting Remember me for 30 days.

enter password as usual

Enter your password

verify your identify using your phone

Use your phone to verify your identity

you are securely logged in

You're securely logged in

Get started

Ready to add your device?
Go to: https://2fa.uwaterloo.ca/duo/enrol

Watch video on YouTube

Please note

If you begin the enrolment process, but don't complete it, you will be considered opted in and will be challenged when logging in to 2FA protected applications or websites. 2FA is required to access many campus systems.

Text-based guide

IST has created a text-based enrollment guide you may prefer to review.

View the enrolment guide.

System requirements

Download the Duo Mobile app

Select a second factor tool and manage your devices

There are a number of criteria to consider in selecting a second factor option.

Already enrolled? View our Duo device management support article and then visit the Device Management Portal to add a device or manage an existing device.

See what your colleagues and classmates are saying about 2FA

“As someone with elevated access in Workday 2FA provides an added layer of security on my account. It is comforting to know that if my account is compromised there is that additional safety net protecting myself and the campus.”

Trevor Ridgway

HR Systems Support Administrator

“I’m really liking the 2-factor authentication. Really smooth and easy."

Kelly Grindrod

Associate Professor, School of Pharmacy

"2FA has provided us with an additional layer of comfort for technologies that manage HR and employee sensitive information. We can be assured that if log in information is compromised, 2FA provides an additional layer of protection to ensure that our data and processes are protected against misuse.”

Kimberly Snage

Director, HR Projects, Technology & Analytics

“The 2FA is an extra precaution to password protection. The setup of the 2FA was simple; you received your 2FA and when you logged in, you pushed the button on it and it gave you a number to type in. It also let you set up whether you wish to use just your 2FA, or set up the DUO App (cell phone) and use both. I choose the DUO as I did receive two 2FA’s that did not work very well so I now just use my cell phone and do not have the Token.

I would recommend the 2FA because it gives that added password protection and peace of mind.”

- Linda Bloos, Records Coordinator - Environment and Arts, Registrar’s Office

“All employees in our unit were required to use 2FA since September 2019 to protect data we access daily. Instructions provided were clear and it was easy to set up. When on campus, I use the token since it's on my key chain and I always have my keys with me. But since transitioning to working from home, I've also transitioned to using the Duo App since I don't carry my keys and my mobile phone is always nearby. After a while, you do get used to having to confirm your log in request via 2FA and it becomes second nature and part of the normal sign in process.”

Danielle Jeanneault, Editor, Undergraduate Calendar and Manager, Communications
Registrar's Office

“Two-Factor Authentication (2FA) is an extra step in logging on to web pages to make sure it's really you who's trying to access the site and, ultimately, your important information. Beside your typical username and password, 2FA asks you to confirm that you're actually the person accessing the account.

At Waterloo, the most common way is for you to get a notification either on your phone - through an app or a text message - or on a special device (that the University provides) called a token. After you've entered your username and password, the system will send you a request on your phone or on the token. You can either directly confirm it's you on the app or token, or you can get a code by text that you would input on the web page.

I've been using 2FA for Quest and other UW systems for more than a year. The setup was really easy and using the software doesn't cause any real problems, as long as you have your phone or the token handy. After a little while, you start to remember to keep these things with you when you're accessing web pages that need them.

The 2FA system is also smart enough to not require the additional step every time. For your email, you only have to go through the 2FA system once per month. For quest, you only have to do it once per day. The added safety that 2FA offers is really important to the security of our systems. If the CRA had used 2FA, the recent data breach that allowed 6000 accounts to be hacked wouldn't have been possible. The 2FA system reflects best practices in security and I applaud the University for taking these steps.”

- Jeff Casello Associate Vice-President, Graduate Studies and Postdoctoral Affairs

Questions?

I see a "We're sorry, access is not allowed because you are not enrolled." error message when attempting to log in to some systems (e.g. Quest, LEARN, Office 365). What should I do?

You must enrol in the University's two-factor authentication (2FA) service before gaining access to those 2FA supported systems. Visit https://2fa.uwaterloo.ca/duo/enrol to enrol your device, then attempt to log in to the system again.

Example of error message:

Enrol error message

How do I connect to the virtual private network (VPN) using 2FA?

Follow the steps outlined in the Duo 2FA and the VPN knowledge base support article.

Isn't my password enough?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you could be locked out of your account, or you might not even know someone is accessing it. With 2FA, you'll be alerted right away (on your phone) if someone is trying to log in as you.

Can I have Duo/2FA on multiple devices?

Yes, you can configure several devices on your Duo account via the device management portal. As well, multiple devices of the same type can be added.

What are the mobile device requirements for using Duo 2FA?

Android: the current version of Duo Mobile supports Android 7.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android.

iPhone: The current version of Duo Mobile supports iOS 12.0 and greater. Support for older Duo Mobile versions on iOS 10.0 ended December 1, 2020..

I've switched devices and/or need to reactivate Duo Mobile

If you get a new phone, or if you’ve re-installed the Duo Mobile app, you'll need to re-activate Duo Mobile. You may enrol your new device yourself using the device management portal.

You will need to log in using a 2FA device already configured to your account. If the device you are replacing is your only 2FA device and you no longer have access to it, submit a request via the IST Jira Help Portal for help adding your new device.

What if I can't or don't want to use the Duo Mobile App?

Employees who don't have a mobile phone or tablet, or would prefer an alternate option, can request a token using the 2FA token request form.

Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.

Please also visit the IST Knowledge Base for a list of alternate second-factor options.

How much does a Duo hardware token cost?

IST will cover the cost of the employee's first Duo hardware token.

How do I replace and/or reprogram hardware tokens?

Lost or stolen tokens can be replaced by the employee's department at a cost of approximately $40 via the IST Webstore. Employees should report a lost or stolen token via https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/3/create/694 or by visiting an IST Service Desk.
Duo hardware tokens can be reprogrammed for use by a new/different employee. Please submit a request via https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660 or by visiting an IST Service Desk.
Defective tokens can be replaced by IST. Return the defective token to avoid incurring a replacement charge. Please submit a request via https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660 or by visiting an IST Service Desk.
Tokens can be retired when an employee leaves the University. Please return the token to an IST Service Desk or your department administrator.

When visiting a Service Desk to receive a token, remember your photo identification to provide proof of your identity.

What if I don't have a phone?

Employees who don't have a mobile phone or tablet can request a token using the 2FA token request form

Waterloo students may purchase a U2F key from an external provider, such as Amazon, for personal use, if desired.

Please also visit the IST Knowledge Base for a list of alternate second-factor options.

What is a U2F authenticator and where can I get one?

U2F (Universal 2^nd Factor) is an open standard to allow USB and near field communication (NFC) 2FA devices to interface with web browsers. It is currently only well supported in Chrome. Development is underway by Duo and major browsers to accommodate U2F integration via WebAuthn. U2F authenticators can readily be purchased from electronics retailers, such as Amazon

What happens if I lose my phone or my U2F authenticator?

Devices can be added or removed in the device management portal.

If you are unable to log in to the device management portal at all, contact the IST Service Desk to have the lost device disabled, and to have an alternate added.

You may choose to purchase a token to have as back up should you not have access to your phone.

I am unable to add a U2F authenticator

Some browsers do not support U2F authentication. Please use a browser that supports U2F if you wish to use this authentication method.

Why can’t I use Google Authenticator (or others like Authy or FreeOTP) with Duo 2FA?

Duo 2FA does not provide support for software OTP applications like Google Authenticator, Authy and FreeOTP. While local support for these apps is being developed at Waterloo, the Duo Mobile app does provide an improved user experience. Duo Mobile push functionality will simply prompt you to acknowledge your login on your mobile device, without the need to type in a numeric code.

How will 2FA impact the use of my email on third party sites?

Your email can still be used on third party sites with no consequence. 2FA will only be applied to the supported services listed above.

How will 2FA impact generic accounts?

Questions regarding the impact of 2FA on a generic account should be submitted to rt@uwaterloo.ca.

I am a retiree. How will this change impact me?

Please review the Duo 2FA for Retirees document to learn more.

I'm a service owner looking to implement 2FA, what should I do?

Please visit the 2FA service entry on the IST website, or send an email to rt-ist-iss-general@rt.uwaterloo.ca for more information.

Where can I find Duo's privacy and security information?

Please see Duo's Privacy Data Sheet, https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/security/cisco-duo-privacy-data-sheet.pdf.

Where can I learn more about Duo and two-factor authentication?

Visit the IST Knowledge Base for how-to guides and resources on 2FA.

What do I do with an unexpected 2FA notification?

If you receive an unexpected 2FA notification, choose the “Deny” option and indicate that the 2FA notification is suspicious. This will alert the Security Operations Centre (SOC) that a potentially malicious logi n has been attempted and SOC staff will investigate further. You should then visit the WatIAM page to change your password.

If you approved a 2FA push notification that you are now suspicious of, you can report it to the SOC, soc@uwaterloo.ca, for investigation. See also, Where is that push coming from?

Android device - deny prompt
Android deny push