Choosing and Using Duo Authentication Methods

Register at least two devices — and always include the Duo Mobile app. A platform authenticator such as Touch ID is tied to one device. If that device is not with you (your Touch ID MacBook is at home, for example), you cannot authenticate and must request a one-time bypass code from the Technology Help Desk before you can sign in. Enrolling the Duo Mobile app on your phone as a second method prevents that lockout.

Overview

Pitt Passport supports several authentication methods beyond Duo Push, including phishing-resistant options like passkeys, platform authenticators, and FIDO2 security keys. This article describes every available method, its requirements, and when to use it. For step-by-step setup instructions, see Setting Up Multifactor Authentication with Duo.

Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring multiple “factors” to verify your identity when you log in to a service:

  • Something you know: A password, PIN, or personal security questions.
  • Something you have: A mobile phone, security key, or smart card that generates or receives a one-time code or serves as a physical key.
  • Something you are: Biometric authentication such as fingerprints or facial recognition.
Recommendation: Enroll at least one phishing-resistant method.
Platform authenticators, FIDO2 security keys, and 1Password passkeys are all phishing-resistant — they cryptographically verify you are signing in to the real Pitt Passport site, not a look-alike. We recommend enrolling at least one of these methods in addition to Duo Push. See the comparison table below to decide which is right for you.

What You See at Login

After you register a device, the Duo prompt appears whenever you sign in to a service protected by Pitt Passport. Select your registered method to complete the second step of authentication.

The Duo Universal Prompt sign-in window presenting the default authentication method, with an Other options link for choosing a different registered device.

If you have more than one device registered, select Other options to choose which one to use. Once you select a method, Duo continues to use it automatically until you change it.

Reporting a Fraudulent Login Request

Critical: Never approve a login request you did not start.
If a Duo Push notification, phone call, or passcode prompt appears when you were not signing in, someone may be attempting to use your stolen password. Do not approve it — report it:
  • Duo Push: tap Deny, then choose to report it as fraudulent. Select It was a mistake only if the prompt was your own accidental login attempt.
  • Phone call: press 9 to report the call as fraudulent.

Reporting a request as fraudulent alerts Pitt Digital Security to a possible compromised password. If you report a fraudulent request — or receive repeated unexpected prompts — change your Pitt Passport password right away and contact the Technology Help Desk at 412-624-HELP (4357).

How These Methods Compare

Use this table to decide which methods to enroll. Everyone should register at least two methods from different categories, and one of them should be the Duo Mobile app. A single method is a single point of failure: if you lose or are away from that one device, you are locked out until the Help Desk issues a bypass code. See the banner at the top of this article.

Authentication methods compared by security, convenience, and resilience
Consideration Platform Authenticator FIDO2 Security Key 1Password Passkey Duo Push SMS / Phone Call
Phishing-resistant YES YES YES PARTIAL NO
Works offline YES YES YES PASSCODE ONLY NO
Survives device loss PARTIAL YES YES NO PARTIAL
Syncs across devices ECOSYSTEM ONLY NO YES NO N/A
Nothing to purchase YES NO YES YES YES

Authentication Options

Select a section below to expand its requirements and setup details.

How to Enroll

For Duo Push (smartphone setup): Follow the step-by-step instructions in Setting Up Multifactor Authentication with Duo.

For passkeys, platform authenticators, and security keys:

  1. Sign in to Pitt Passport from a trusted network.
  2. Navigate to Security Info and select Add sign-in method.
  3. To register a FIDO2 key, choose Security key. To register Touch ID, Face ID, Android biometrics, or Windows Hello, choose Passkey.
  4. Follow the on-screen prompts. You will verify with your current method first.
  5. Repeat to add additional methods. Register at least two methods from different categories, and make sure one of them is the Duo Mobile app.
  6. Test each method by signing out and signing back in, selecting the new authenticator at the prompt.

During first-time enrollment, Duo prompts you to add another device before completing setup. Register a second method at this step rather than selecting the skip link; it is the simplest way to prevent a future lockout.

The Duo enrollment prompt titled Add one more device, noting that more login options make lockout less likely, and offering Windows Hello (Recommended), Duo Mobile, and Security key, plus a link to skip adding more devices.

If you travel internationally, passkeys and security keys are especially important — they work without cellular service or network connectivity. See Technology Guidelines and Tips for International Travel for travel-specific MFA guidance.

Remembering Your Device

The first time you sign in on a device with the Universal Prompt, Duo asks whether it should trust the device.

The Duo prompt asking Is this your device? with options to remember the device or not remember it.

Selecting Yes, this is my device lets Duo remember it for 24 hours. During that window you will still sign in to services with your Pitt Passport credentials, but you will not be prompted for Duo a second time. Only choose this on a device you personally control — never on a shared or public computer.

Note: Cookies must be allowed.
Your browser must allow cookies from the duosecurity.com domain for the remembered-device feature to work.
Print Article

Related Articles (4)

Drop-In Support provides hands-on help for the personal devices of students, faculty, and staff.
What do do if your Duo hardware token stops working
Get started with multifactor authentication, provided by Duo Security.
This notification from Duo is designed to protect you from unauthorized changes to your account.

Related Services / Offerings (2)

IT SERVICE DELIVERY AND SUPPORT Pitt Digital provides Drop-In Support to provide hands-on help for the personal devices of students, faculty, and staff.
IDENTITY AND ACCESS MANAGEMENT Duo provides multifactor authentication to add another layer of security to your online accounts.