Second factor selection criteria

Factors to consider

There are a number of criteria to consider in selecting a second factor, including:

  • Assurance levels
  • Ease of use
  • Cost
  • Sensitivity of systems and data

Second factor assurance levels

Any 2FA protection provides a higher assurance level than a static password alone affords. Within the realm of 2FA options, some options provide a higher level of security than others. The threshold for the security level appropriate for a given application that is protected with 2FA will vary with the risk posed to that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options will not be allowed.

Preferred second factor option

The preferred option is the Duo Mobile app.

  • The app is available for iOS and Android devices, with or without cellular access
  • While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available
  • The app is simple to register and use. It functions, in various modes, with or without cellular data or Wi-Fi connection
  • Any Duo protected application can be authenticated with the app. It is not necessary to disclose the phone number for a smartphone to use the app

To add a cell phone for SMS and install the Duo Mobile App

To add the Duo Mobile App to a tablet or without providing a phone number

Alternative options

SMS

  • Any phone that can receive SMS messages can receive an OTP code via text message
  • These codes can be used to authenticate with any Duo protected application
  • A user can add a cell phone to their Duo account in the self-service portal

To add a cell phone for SMS and install the Duo Mobile App

To add a cell phone for SMS only

U2F token

  • A U2F token is a great option for Duo authentication for web applications
  • The U2F standard is currently well supported by Google Chrome
  • U2F tokens are relatively inexpensive, with prices starting below $20
  • It is easy for a user to add a U2F token to their Duo account in the self-service portal

To add a U2F Token

OTP Token

  • An OTP token generates single-use codes that can be used to authenticate to any Duo protected application
  • Currently, an OTP token must be added to a Duo account by an administrator

To add an OTP Token, submit an RT rt@rt.uwaterloo.ca 

Phone call

  • Phone call authentication can be used for any Duo protected application that supports push authentication
  • A user can add a phone number to their Duo account for phone call authentication in the self-service portal

To add a phone number for phone call authentication (Landline)

Second factor criteria comparison 

Second factor option

Self-serve enrollment? Phone number required? Cellular network connection required? Wi-Fi connection required?
Duo Mobile app Yes No No

No (only for enrollment)

U2F token Yes No No Yes
OTP token No  No No No
Combined U2F/OTP token Yes (U2F) No No No
SMS Yes Yes Yes No
Phone call Yes Yes

Yes (or landline)

No

Assurance levels

Second factor option Assurance level
Duo Mobile App High
U2F token High
OTP token Moderate - high
SMS Low - moderate
Phone call Low - moderate

 

Need help?

Contact the IST Service Desk at helpdesk@uwaterloo.ca or 519-888-4567 ext. 44357.

 

Was this helpful?
50% helpful - 4 reviews

Details

Article ID: 62242
Created
Thu 9/13/18 9:26 AM
Modified
Tue 9/24/19 1:56 PM