Duo is the multifactor authentication (MFA) service that protects every Pitt Passport login. This article answers the most common questions about enrollment, day-to-day use, lost or replaced devices, push-notification troubleshooting, and international travel. Pitt Digital recommends phishing-resistant methods — platform authenticators (Touch ID, Face ID, Windows Hello) and security keys (YubiKey, Feitian) — over older options like SMS and phone calls. For an overview of every supported method, see Choosing and Using Duo Authentication Methods. For enrollment, see Setting Up Multifactor Authentication with Duo. For lockout recovery, see What Happens if I Become Locked Out of Duo?
Quick Actions
|
✓ MANAGE YOUR DEVICES
accounts.pitt.edu
Add a new phone, reactivate Duo Mobile, rename or remove a device, or set your default authentication method.
Open Account Management →
|
LOCKED OUT
Call the Technology Help Desk
If you've lost access to every registered device, the Help Desk can remove the lost device and walk you through registering a replacement.
412-624-HELP (4357)
|
Recommended Authentication Methods
Not all MFA methods are equal. Modern Duo factors based on the FIDO2 / WebAuthn standard cryptographically bind your login to the real Pitt Passport site, making them resistant to phishing, adversary-in-the-middle attacks, and credential-replay. Older methods (SMS, phone call, hardware OTP tokens) can be intercepted, SIM-swapped, or relayed through a fake login page.
Authentication methods ranked by phishing resistance
| Tier |
Method |
Why |
| ✓ PREFERRED |
Platform authenticator
Touch ID, Face ID, Windows Hello, Android biometrics |
Phishing-resistant (FIDO2/WebAuthn). Built into the device you already use. Nothing extra to carry. Request enablement. |
| ✓ PREFERRED |
Roaming authenticator (security key)
YubiKey, Feitian, other FIDO2 keys |
Phishing-resistant. Portable across devices. Excellent backup method. Works in environments where biometrics aren't available. (Pitt does not supply keys; you purchase your own.) |
| ACCEPTABLE |
Duo Push
Duo Mobile app on smartphone or tablet |
Convenient and widely used. Vulnerable to MFA-fatigue and social-engineering attacks if users approve unexpected prompts. Always verify the prompt was initiated by you. |
| ⚠ DISCOURAGED |
Phone call ("Call Me") |
Vulnerable to SIM-swap attacks and call forwarding. Will be phased out in favor of stronger methods. Avoid for new enrollments. |
| ⚠ DISCOURAGED |
SMS passcodes |
Same SIM-swap and interception risks. Codes can be phished through fake login pages. Will be phased out. Avoid for new enrollments. |
Warning: Currently using SMS or phone-call as your only method?
Add a platform authenticator or security key to your account now. SMS and phone-call factors will be phased out as Pitt aligns with federal guidance on phishing-resistant MFA. See
Choosing and Using Duo Authentication Methods for setup details.
Note: Register at least two devices.
A backup method (a second phone, tablet, or a hardware security key) is the single most important thing you can do to avoid a lockout. There is no limit to the number of devices you can register.
The Basics
Select any question below to expand the answer.
❓ What is multifactor authentication?
Multifactor authentication (MFA) adds a second verification step to your login — after you enter your username and password, you confirm the login on a device you control. This prevents unauthorized access even if your password is stolen or guessed.
At Pitt, MFA is required for any service that uses Pitt Passport, the University's single sign-on system. Duo supports several second-factor options — see the Recommended Authentication Methods section above. Pitt Digital recommends phishing-resistant methods (platform authenticators and security keys) for new enrollments.
🔐 Which University services require Duo?
Any service that authenticates through Pitt Passport requires Duo. That includes, but is not limited to:
- my.pitt.edu, Pitt email and the full Microsoft 365 suite (Outlook, Teams, OneDrive)
- Canvas, Panopto, and other learning tools
- PeopleSoft, Pitt Worx, PRISM, PittPAY
- Box cloud storage, DocuSign (Pitt eSignature)
- LinkedIn Learning, LabArchives, Tableau, the Pitt App Store
- EZproxy for licensed library resources
- The University VPN (PittNet VPN — GlobalProtect)
You do not need Duo to log into a Windows or Mac workstation locally. Duo is only invoked when you reach a Pitt Passport prompt.
⏱ How often will I be prompted for Duo?
When you select Yes, this is my device at a Duo prompt, Pitt Passport remembers that device for 24 hours and won't prompt you for Duo again during that window. If you close your browser, switch browsers, use a different device, or don't choose to be remembered, you'll be prompted again.
Individual applications behind Pitt Passport enforce their own session timeouts and security requirements on top of this, and these are often shorter. For example, an administrative finance or HR application may require re-authentication after a period of inactivity even though your Pitt Passport session is still valid. The stricter requirement wins, so expect Duo prompts more frequently in higher-sensitivity applications regardless of when you last authenticated. Only choose to be remembered on a device you personally control — never a shared or public computer.
🌐 Can I use a commercial VPN with my Pitt account?
When you connect to University resources, use PittNet VPN (GlobalProtect) rather than a third-party or commercial VPN.
A commercial VPN routes your traffic through an exit server somewhere else, so your logins arrive from an IP address — and often a country — that isn't yours. That causes two problems:
- You may not recognize your own activity. Login and device notifications will show an unfamiliar location, making it harder to tell a real compromise from your own VPN session.
- It can trigger security alerts. A sudden jump in location looks like atypical travel or impossible travel to Pitt's monitoring, and these are among the at-risk signals Pitt Digital Security investigates. Frequent commercial-VPN use generates noise that can delay response to genuine threats.
PittNet VPN (GlobalProtect) is the supported way to reach University systems securely from off campus.
Note: This is separate from the OFAC block.
No VPN — Pitt or commercial — is a supported way around Duo's OFAC location restrictions. See the International Travel & OFAC Restrictions section below.
Devices & Enrollment
Recommended: enroll at least two authentication methods.
A second method turns a lost-phone emergency into a 30-second self-service fix. Strong combinations: platform authenticator (Touch ID / Windows Hello) + security key; smartphone (Duo Push) + security key; or two devices each with a platform authenticator.
📱 I got a new phone — what do I need to do?
Same phone number, new device: reactivate the Duo Mobile app on the new phone. Follow the New Device for an Already Registered Number steps in Setting Up Multifactor Authentication with Duo — install Duo Mobile, go to accounts.pitt.edu, select I got a new phone, then Text me a link, and open the link on the new phone.
New phone number: add the new phone as a new device using the New Device and a New Number steps in the same article, then remove the old device (Remove a Registered Device).
If you no longer have access to the old device and didn't enroll a backup, call the Help Desk at 412-624-HELP (4357).
Tip: Duo Restore.
If you set up Duo Restore (backup) on your old phone before switching, you may be able to restore your Duo accounts to the new phone without re-enrolling. See Duo's
Duo Restore guide.
📵 I lost my phone — what should I do? Act Quickly
If you have a backup device registered:
- Sign in to accounts.pitt.edu and authenticate with your backup device.
- Select Login & Security, then Add/Manage Pitt Passport Devices.
- Select Edit next to the lost device, then Delete to remove it.
- Optionally, enroll a replacement device.
For detailed steps, see Remove a Registered Device in Setting Up Multifactor Authentication with Duo.
If you do not have a backup device: call the Technology Help Desk at 412-624-HELP (4357). After verifying your identity, an analyst will remove the lost device and walk you through enrolling a new one.
📞 I don't have (or don't want to use) a smartphone. What are my options?
You don't need a personal smartphone to use Duo. Pitt Digital recommends these phishing-resistant alternatives:
- Platform authenticator — Touch ID, Face ID, Windows Hello, or Android biometrics on a device you already use (laptop, desktop, tablet). Request enablement via the Duo Multifactor Authentication ticket.
- Hardware security key (roaming authenticator) — YubiKey, Feitian, or other FIDO2 keys. Portable, durable, and not tied to a phone or phone number.
- Tablet running the Duo Mobile app — works the same as a smartphone for push notifications and passcode generation.
Warning: Avoid landline and SMS as your authentication method.
Landline ("Call Me") and SMS passcodes are vulnerable to SIM-swap, call-forwarding, and phishing attacks. They are being phased out as Pitt aligns with phishing-resistant MFA guidance. If you currently rely on landline or SMS, please add a platform authenticator or security key as soon as possible.
See Choosing and Using Duo Authentication Methods for setup details and requirements (browser compatibility, supported key models, etc.).
☎ Can I use my office landline for Duo?
Pitt Digital does not recommend landline as a Duo factor, and the "Call Me" option is being phased out in favor of phishing-resistant methods. A shared landline (lab, front desk, conference room) is especially problematic: anyone with physical access to the phone could approve a login intended for you.
Use one of these instead:
- Platform authenticator on your assigned workstation — Touch ID on Mac, Windows Hello on PC, or Face ID on your tablet.
- Hardware security key kept on your person, in a locked drawer, or on your keyring.
- Personally assigned tablet running Duo Mobile.
👆 Can I use Touch ID, Face ID, or Windows Hello?
Yes. Duo calls this Platform Authentication. Because it changes your account's available factors, it must be enabled on your account by the Pitt Digital Security team.
To request it, submit a Duo Multifactor Authentication ticket. For background on platform authentication at Pitt, see Platform Authentication for DUO.
Troubleshooting
🔔 I'm not receiving push notifications. What do I do?
Most push delivery problems are caused by network conditions or notification settings on the phone. Try these steps in order:
- Open the Duo Mobile app and pull down to refresh. This pulls pending requests directly from Duo's service and bypasses the push channel entirely. This is the fastest fix.
- Check notification permissions. On iOS: Settings → Notifications → Duo Mobile → Allow Notifications. On Android: Settings → Apps → Duo Mobile → Notifications.
- Disable Do Not Disturb / Focus modes while you're authenticating.
- Toggle airplane mode on and off to refresh the network connection.
- Switch between Wi-Fi and cellular data — phones sometimes lose track of which channel is healthy.
- Verify date and time are set to automatic / network time. Manual clocks cause silent failures.
- Generate a passcode manually. Open Duo Mobile, tap the key icon next to your Pitt account, enter the 6-digit code at the Duo prompt. This works even with no internet at all.
If problems persist, run Duo's built-in push troubleshooter (iOS Duo Mobile v3.32+): in Duo Mobile, tap Edit, tap your Pitt account, then Get Started under "Missing Notifications?"
Reference: Duo Common Issues.
⏳ I get "Activation Link Expired" when scanning the QR code.
Activation links expire shortly after they're generated, so you'll need a fresh one. Follow the New Device for an Already Registered Number steps in Setting Up Multifactor Authentication with Duo:
- Install (or reinstall) the Duo Mobile app on your phone.
- Go to accounts.pitt.edu and authenticate with your backup method.
- Select I got a new phone, then Text me a link.
- Open the texted link on your phone and tap Save, then select Continue on your computer.
If you have no other registered method and can't authenticate, call the Help Desk at 412-624-HELP (4357).
🚫 I got a Duo push or phone call when I wasn't logging in. Possible Compromise
Critical: Deny the prompt and report it as fraud immediately.
An unexpected Duo prompt almost always means someone has your password and is actively trying to use it. Approving the request gives them access to your account.
- Tap "Deny" on the push prompt (or hang up the call).
- When asked "Was this you?", choose "It wasn't me" / report as fraud. This automatically alerts Pitt Digital Security and flags the suspicious activity on your account.
- Call the Technology Help Desk at 412-624-HELP (4357) to confirm the report and request next steps.
- Change your Pitt password as soon as you're off the phone.
Do not approve a Duo prompt that you did not initiate — even if it arrives repeatedly. "MFA fatigue" attacks rely on users approving by accident or to make the prompts stop. For the full reporting steps, including the phone-call keypad codes, see Choosing and Using Duo Authentication Methods.
📧 I got an email or Duo notification that a device was added or removed.
Duo notifies you any time a device is added to or removed from your account, or when a bypass code is generated, so you can confirm the change was really you. The notification arrives by email and/or as a push in Duo Mobile.
- If you made the change, confirm it (Yes, this was me).
- If you did not make the change, report it (No, this wasn't me) and call the Help Desk at 412-624-HELP (4357) immediately.
For what the notification looks like and how to respond — including shared or departmental accounts — see Why did I receive an email or Duo Mobile notification from Duo?
International Travel & OFAC Restrictions
Duo is a U.S.-based service and is required by federal law to block authentications originating from countries and regions sanctioned by the U.S. Office of Foreign Assets Control (OFAC). This block is enforced at the network level by Duo — the University cannot grant exceptions.
⚠ Duo is blocked in OFAC-sanctioned regions
If your device's IP address originates in any of the regions below, every Duo authentication attempt will fail with the message "Access denied. Duo Security does not provide services in your current location." This applies to all Duo methods — push, SMS, phone call, and hardware tokens — because the block is based on the access device's IP, not the second-factor method.
|
1
|
Restricted regions change without notice. Because the sanctioned-country list is maintained by the U.S. government and updated by Duo, this article does not reproduce it. Check the current list in Duo's OFAC Restrictions article before you travel. Blocked attempts appear in the Duo Authentication Log as "Restricted OFAC location." |
|
2
|
The Pitt VPN will not get you around it. The block is based on the origin IP of your access device. PittNet VPN (GlobalProtect) uses split-tunneling, so your traffic to Duo still leaves from your local — sanctioned — IP address, and the block still applies. A commercial full-tunnel VPN that exits in a non-sanctioned country can present a different IP to Duo, but using one to defeat OFAC controls may violate U.S. federal law. Do not attempt to circumvent the restriction. |
|
3
|
China and other non-sanctioned countries are not on the OFAC list, but local network conditions may still degrade Duo service. Bring a hardware token and verify access before you depart. |
|
4
|
If you must travel to a restricted region, contact Pitt Digital Security and the Office of International Services before you go. Loss of access to email, VPN, Microsoft 365, Canvas, PeopleSoft, and Pitt Worx should be assumed. |
Official Duo reference: Duo MFA: OFAC Restrictions (help.duo.com article 7544) — the authoritative source maintained by Duo Security.
Warning: There is no OFAC exception process.
Duo cannot grant exceptions for individual users or institutions in sanctioned regions. Pitt Digital cannot override the block. Plan around it.
Account Lifecycle
🎓 I recently graduated. Do I still need Duo?
For graduations on or after September 22, 2025: your Duo enrollment carries over to your alumni account, and MFA continues to be required. You will keep authenticating normally with your existing devices.
For graduations before September 22, 2025: your Duo account was purged at the transition to alumni status. You will need to re-enroll a device the next time you sign in to a Pitt Passport service.
🙅 I don't have any of my Duo devices with me and I need to log in.
Call the Technology Help Desk at 412-624-HELP (4357). After verifying your identity, an analyst can issue a temporary bypass code that lets you log in once without a device.
To avoid this situation in the future, enroll multiple authentication methods on your account. Pitt Digital recommends pairing a platform authenticator (Touch ID, Face ID, Windows Hello, Android biometrics — request enablement via a Duo Multifactor Authentication ticket) with a hardware security key (YubiKey, Feitian) for a backup that doesn't depend on your phone, your phone number, or cell service. See Platform Authentication for DUO and Choosing and Using Duo Authentication Methods.
Official Duo Documentation
Duo Security publishes user-facing documentation that is updated continuously. When in doubt, the references below are authoritative.
Key Contacts
Technology Help Desk 412-624-HELP (4357)
Lockouts, device removal, push problems, bypass codes |
Pitt Digital Security Via Help Desk
Suspected account compromise, Platform Authentication requests, OFAC-region travel guidance |
Self-Service accounts.pitt.edu
Add, reactivate, rename, or remove devices |