Register at least two devices — and always include the Duo Mobile app. A platform authenticator such as Touch ID is tied to one device. If that device is not with you (your Touch ID MacBook is at home, for example), you cannot authenticate and must request a one-time bypass code from the Technology Help Desk before you can sign in. Enrolling the Duo Mobile app on your phone as a second method prevents that lockout.
Overview
Pitt Passport supports several authentication methods beyond Duo Push, including phishing-resistant options like passkeys, platform authenticators, and FIDO2 security keys. This article describes every available method, its requirements, and when to use it. For step-by-step setup instructions, see Setting Up Multifactor Authentication with Duo.
Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring multiple “factors” to verify your identity when you log in to a service:
- Something you know: A password, PIN, or personal security questions.
- Something you have: A mobile phone, security key, or smart card that generates or receives a one-time code or serves as a physical key.
- Something you are: Biometric authentication such as fingerprints or facial recognition.
Recommendation: Enroll at least one phishing-resistant method.
Platform authenticators, FIDO2 security keys, and 1Password passkeys are all phishing-resistant — they cryptographically verify you are signing in to the real Pitt Passport site, not a look-alike. We recommend enrolling at least one of these methods in addition to Duo Push. See the comparison table below to decide which is right for you.
What You See at Login
After you register a device, the Duo prompt appears whenever you sign in to a service protected by Pitt Passport. Select your registered method to complete the second step of authentication.

If you have more than one device registered, select Other options to choose which one to use. Once you select a method, Duo continues to use it automatically until you change it.
Reporting a Fraudulent Login Request
Critical: Never approve a login request you did not start.
If a Duo Push notification, phone call, or passcode prompt appears when you were not signing in, someone may be attempting to use your stolen password. Do not approve it — report it:
- Duo Push: tap Deny, then choose to report it as fraudulent. Select It was a mistake only if the prompt was your own accidental login attempt.
- Phone call: press 9 to report the call as fraudulent.
Reporting a request as fraudulent alerts Pitt Digital Security to a possible compromised password. If you report a fraudulent request — or receive repeated unexpected prompts — change your Pitt Passport password right away and contact the Technology Help Desk at 412-624-HELP (4357).
How These Methods Compare
Use this table to decide which methods to enroll. Everyone should register at least two methods from different categories, and one of them should be the Duo Mobile app. A single method is a single point of failure: if you lose or are away from that one device, you are locked out until the Help Desk issues a bypass code. See the banner at the top of this article.
Authentication methods compared by security, convenience, and resilience
| Consideration | Platform Authenticator | FIDO2 Security Key | 1Password Passkey | Duo Push | SMS / Phone Call |
| --- | --- | --- | --- | --- | --- |
| Phishing-resistant | ✓ YES | ✓ YES | ✓ YES | PARTIAL | ✗ NO |
| Works offline | ✓ YES | ✓ YES | ✓ YES | PASSCODE ONLY | ✗ NO |
| Survives device loss | PARTIAL | ✓ YES | ✓ YES | ✗ NO | PARTIAL |
| Syncs across devices | ECOSYSTEM ONLY | ✗ NO | ✓ YES | ✗ NO | N/A |
| Nothing to purchase | ✓ YES | ✗ NO | ✓ YES | ✓ YES | ✓ YES |
Authentication Options
🔐 Platform Authenticators (Touch ID, Face ID, Windows Hello, Android Biometrics) PHISHING-RESISTANT
Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Because they use biometrics or a device PIN, there is nothing to carry separately — but because they are tied to a specific device, losing or being away from that device means losing that factor. You can self-register a platform authenticator at any time; no prior authorization is required.
Important: Also register the Duo Mobile app.
A platform authenticator only works on the device it is built into. If that device is not with you — for example, your Touch ID MacBook is at home — you cannot authenticate and must request a one-time bypass code from the Technology Help Desk at 412-624-HELP (4357). Enroll the Duo Mobile app on your phone as a second method so you always have a way to sign in.
Touch ID on Mac
Requirements:
Touch your Mac's Touch ID sensor when prompted to log in. If you cannot access the Touch ID sensor (such as when you close and dock your laptop), you can type your Mac login password instead. If you need to cancel a Touch ID authentication in progress, select the cancel option shown by your browser, outside of the Duo Universal Prompt.
Face ID or Touch ID on iPhone or iPad
Requirements:
- An iPhone or iPad that supports Face ID or Touch ID.
- Face ID or Touch ID already set up on the device. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
- iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.
Depending on the option your device supports, you will either scan your face to use Face ID or scan your fingerprint to use Touch ID when logging in.
Windows Hello
Requirements:
- A device running Windows 10 or later.
- Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
- A supported browser: Chrome, Edge, or Firefox. Refer to the Duo browser support table. Note that Chrome Incognito and Edge InPrivate browsing will not work with Windows Hello, but will work with security keys.
Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition to log in to Duo.
Android Biometrics
Requirements:
Follow your device's prompt to scan your fingerprint or use facial recognition to log in to Duo.
If a platform authenticator is your only method
A platform authenticator only works on the device it's built into. If you remove your other methods (Duo Mobile, phone number) and keep only a platform authenticator, you'll be able to sign in only from that one device and browser — for example, if you set up Duo in Safari on your iPhone and that's your only method, you can sign in only on that iPhone. On any other device you'll be prompted for a bypass code from the Help Desk. This is exactly the lockout the banner at the top of this article warns against.

If this happens, you can fix it yourself from the device you originally set up on:
- Sign in to accounts.pitt.edu on the device you used to set up Duo.
- Go to Login & Security (shown at the top on a computer, or under the three-line menu on a phone).
- Select Add/Manage Pitt Passport Devices.
- Complete Duo authentication, then select Add a Device.
- Select Duo Mobile, or Phone number if your device doesn't support Duo Mobile.
- Follow the on-screen setup. Once the new device is added, you'll no longer be prompted for a bypass code on other devices.
🔑 FIDO2 Security Keys PHISHING-RESISTANT
A FIDO2 security key is a small USB or NFC device that plugs into your computer or taps against your phone. When tapped or when the button is pressed, it sends a cryptographically signed response back to Duo that validates your login and proves you are on the legitimate Pitt Passport site. Duo uses the WebAuthn authentication standard (also referred to as “FIDO2”) to interact with security keys.

Requirements
Important: U2F-only keys are not supported.
Older U2F-only security keys (such as the YubiKey NEO-n) cannot be used with Duo's Universal Prompt. Ensure your key is FIDO2/WebAuthn compatible.
Where to Purchase
FIDO2-certified keys are available on CDW-G, Amazon, and most major electronics retailers, typically starting around $25–$55. Departments may choose to fund keys — check with your business manager. Pitt does not provide security keys to users.
Tip: Choose a key with both USB-C and NFC so it works with laptops and phones alike. Consider purchasing two so you have a backup stored separately.
🔒 1Password Passkeys PHISHING-RESISTANT
The University supports 1Password, which can serve as both your password vault and your passkey manager. Passkeys stored in 1Password sync across all your devices — Mac, Windows, iOS, and Android — so if a device is lost or wiped, your passkeys are recoverable the moment you sign in to 1Password on another device. This solves the biggest limitation of platform authenticators: being locked to a single device or ecosystem.
Tip: Save passkeys in 1Password for cross-device access.
When a website or app offers to create a passkey, 1Password can store it in your vault instead of locking it to a single device. This is especially valuable if you use multiple computers or travel frequently. See Passkeys in 1Password for supported sites and setup details.
Get Your 1Password Account
📱 Duo Push (Smartphone, Tablet, or Apple Watch)
Once you download the Duo Mobile app and enroll your smartphone, Duo Push is the fastest and most convenient authentication method. When you log in to a Pitt Passport service, a push notification appears on your device — tap Approve to authenticate. If a request appears when you were not signing in, do not approve it — see Reporting a Fraudulent Login Request above.
Requirements
- A smartphone, tablet, or Apple Watch with the Duo Mobile app installed.
- An internet connection (Wi-Fi or cellular data) to receive push notifications.
Tip: You can also generate a passcode at any time from within the Duo Mobile app, even without a Wi-Fi or cellular data connection. Open the app and tap University of Pittsburgh to generate a passcode, then enter it when prompted at login.
For setup instructions, see Setting Up Multifactor Authentication with Duo.
📞 SMS Passcode, Phone Call, or Landline BEING PHASED OUT
Pitt's instance of Duo currently supports authentication via phone call and SMS passcodes to cell phones and landlines.
Warning: These methods are being phased out.
SMS and phone-call authentication are not phishing-resistant and are vulnerable to SIM-swapping and interception. They will be replaced by more secure methods. We strongly recommend transitioning to a platform authenticator, security key, or 1Password passkey as soon as possible.
How These Methods Work
- SMS passcode: A one-time code is texted to your phone. If you do not have a code, select Text me new codes, then enter the code and select Log In.
- Phone call: Duo calls your phone or landline. If you started the login, press 1 to approve. If you were not expecting the call, press 9 to report it as fraudulent.
Note: UPMC Children's Hospital landlines.
If you use the phone-call option on a UPMC Children's Hospital landline, press #, then 4, then 1 to approve the request — or press #, then 4, then 9 to deny it.
If you currently rely on SMS or phone-call authentication, plan to enroll at least one additional method from the options above before these methods are retired.
How to Enroll
For Duo Push (smartphone setup): Follow the step-by-step instructions in Setting Up Multifactor Authentication with Duo.
For passkeys, platform authenticators, and security keys:
- Sign in to Pitt Passport from a trusted network.
- Navigate to Security Info and select Add sign-in method.
- To register a FIDO2 key, choose Security key. To register Touch ID, Face ID, Android biometrics, or Windows Hello, choose Passkey.
- Follow the on-screen prompts. You will verify with your current method first.
- Repeat to add additional methods. Register at least two methods from different categories, and make sure one of them is the Duo Mobile app.
- Test each method by signing out and signing back in, selecting the new authenticator at the prompt.
During first-time enrollment, Duo prompts you to add another device before completing setup. Register a second method at this step rather than selecting the skip link; it is the simplest way to prevent a future lockout.

If you travel internationally, passkeys and security keys are especially important — they work without cellular service or network connectivity. See Technology Guidelines and Tips for International Travel for travel-specific MFA guidance.
Remembering Your Device
The first time you sign in on a device with the Universal Prompt, Duo asks whether it should trust the device.

Selecting Yes, this is my device lets Duo remember it for 24 hours. During that window you will still sign in to services with your Pitt Passport credentials, but you will not be prompted for Duo a second time. Only choose this on a device you personally control — never on a shared or public computer.
Note: Cookies must be allowed.
Your browser must allow cookies from the duosecurity.com domain for the remembered-device feature to work.