Two-Factor Authentication

All staff are encouraged to enable two-factor authentication if they are wanting to log into University resources from off campus.

Two-Factor Authentication – also known as 2FA, or two-step verification – is an extra layer of security that ensures a person trying to log into an online account is who they say they are. Logging in via 2FA requires not only a username and password, but also something that only that user has, such as a piece of information only they would know, or a mobile device, or a physical token. At the University of Waikato we are implementing Duo 2FA and adopting the use of a mobile phone or tablet as our preferred second security layer.

Two-factor authentication will significantly increase the security of off-campus access to University resources, especially mitigating the impact of phishing. This will greatly improve the security of the University’s overall network by limiting the cases of hacked and corrupted user accounts.

The two-factor authentication means that staff will no longer have to change their password.

Before registering for two-factor authentication, please ensure you are currently using a strong password (preferably a passphrase). Please set a new strong, memorable password using the Password Changer tool on the staff homepage prior to enrolling for 2FA.

Table of Contents:

• Registering for 2-Factor Authentication
• Authenticating with Duo
• Adding or changing devices in Duo
• Removing a device from Duo
• Further Information

Registering for 2-Factor Authentication (2FA)

Duo is the University’s external provider of two-factor authentication security. To register for 2FA:

1. Visit the Duo two-factor enrolment page
2. Login with your University of Waikato login as required
3. Click Start Setup then follow the instructions. You will need to have your mobile device handy
   
   


4. Duo will offer several options for your two-factor device. We recommend using a Mobile Phone as the registered device.
   
   


5. Select Country and confirm your mobile number.
   Please note that you can leave off the leading 0 on your mobile number. (i.e. if your phone starts with 021, 022 or 027, you can just enter 21, 22 and 27).
   Ensure the tick box beneath has the correct mobile number displayed and tick to verify. 
   
   


6. On the next page, confirm which type of phone you have:
   iPhone
   Android
   
7. Once you have selected the device type, you will be directed to download the Duo Two-Factor Authentication app from your devices app store.
   Please note the below links are to be used from your registered device only.
   For Android devices, you can download it here on the Google Play Store
   For Apple iOS devices, you can download it here in the App Store
   
   
8. Once the app has been downloaded, follow the instructions on your device to open the application and press the "+" icon in the top right corner of the app. It will require you to scan the barcode on the screen:
   
   

Once registered you will be required to use two-factor authentication when accessing University systems via single-sign-on (applications and web pages requiring you to log in via the University Login page) from off-site. However, you have the option to select “Remember this device for 30 days”, so that two-factor authentication is required less often. (If you are using a device that is not yours, is public (e.g. internet cafe), or one you feel is not secure, we recommend not selecting this option.)

Authenticating with Duo

When accessing University of Waikato Systems and Services off campus, Duo will require you to verify your login with an extra step to verify your identity. Below are the recommended methods for authenticating with Duo

Recommendation 1- Duo Push

Duo Push is available via the Duo App on your smartphone or tablet.  This is recommended as the easiest and quickest way of authenticating for most users but is reliant on you having your smart device with you in whatever location you are logging in from.





The Duo App works on most modern smartphones and tablets.  Duo Push does not cause any delay for the authenticator (other than navigating the app or any specific network lag) and does not incur any additional costs for the University.  You can enrol your use of the Duo App at https://duo.waikato.ac.nz. The Duo App uses minimal storage and resources and operates independently of any University systems and controls, so it can be readily used on personal devices.

Duo Push does require your device to be online (connected to a cellular or wifi network), however, the Duo App can work in offline mode too as it can generate passcodes by clicking on the key icon:



Recommendation 2 – Yubikey
If you prefer a physical hardware solution or if you travel regularly (particularly if there is mixed cellular coverage) or if you often do not have your smart device with you, then Yubikey is the recommended option for you.  This is a USB second-factor authentication device that slots into a USB port on the computer you are using.  These keys are small and discrete and can be obtained directly from your Client Technology Support team.  Once you have a Yubikey you will not need to use the Duo App or SMS Text service.



Recommendation 3 – SMS Text
The text message option is recommended for those who do not have a smartphone or tablet that can run the Duo App, or who are only required to connect to the University network on a more irregular basis (such as while attending conference or training course).  The SMS Text message process is a much better option than Call Me (the Duo system calling you) as Duo will text a batch of 10 codes for you to use in one message, and once you have used all 10 codes (Duo prompts you which of the 10 codes to use next) Duo will automatically send you another batch.
ITS strongly recommends the use of Duo Push or Yubikeys for those staff who are high users of the service as this reduces the demand on the Call Me or SMS Text credits, and makes authentication easier for staff.

Not using Duo Mobile app?

If you have chosen not to use the Duo Mobile app on your phone but have provided your mobile number you can use Passcodes. Passcodes are sent via SMS (txt) to your mobile phone in blocks of 10 at a time. You can request more Passcodes yourself but this must be done before you run out, otherwise you will need to ring the ITS Service Desk (07 838 4008 or ext 4008) and request more Passcodes.

Request more Passcodes

Before you run out of Passcodes, go to duo.waikato.ac.nz and click on 'Enter a Passcode", from the login screen select 'Text me new codes', this can be found on the blue bar at the bottom of the login screen (see image below).

Adding Devices from Duo

If you are already enrolled in Duo Two-Factor Authentication, you are also able to add and remove devices from this service at any time. You will especially need to do this each time you get a new device as you will need to reactivate the Duo Mobile app on each device individually.

To add a device you will need to:

You will see the My Settings & Devices page.

To add another device, click the +Add another device link on the page. This will take you through steps 4-6 of the registration process where you

Confirm which type of device it is. This will direct you to the appropriate link to download the software for your device

Removing a Device from Duo

To remove a device you will need to :

1. Login to https://duo.waikato.ac.nz
2. Authenticate using one of the above-recommended options. (Duo Push using the mobile app is recommended)



3. You will see the My Settings & Devices page.
   
4. Click Device Options next to the device you would like to remove / de-register from Duo.
5. Click the icon beside the device you want to remove from Duo.
   Note: This option will not be available if you only have one device registered. This is because at least one device needs to be active in order for you to use Duo Two-Factor Authentication to log in.

Further information:

Want to know more about Duo?

Further information on how the Duo App works can be found here: https://guide.duo.com/ or alternatively, talk to your local ICT Support team to discuss how to get the most out of Duo.
There is also set of FAQ’s located on the ICT Self Help pages here

Thank you in advance for considering a more cost-effective 2FA option