Understanding Duo Authentication Device Options

Duo Token Security Key ID Landline Touch

Overview

Pitt Passport supports several authentication methods beyond Duo Push, including phishing-resistant options like passkeys, platform authenticators, and FIDO2 security keys. This article describes every available method, its requirements, and when to use it. For step-by-step setup instructions, see Setting Up Multifactor Authentication with Duo.

Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring multiple “factors” to verify your identity when you log in to a service:

Something you know: A password, PIN, or personal security questions.
Something you have: A mobile phone, security key, or smart card that generates or receives a one-time code or serves as a physical key.
Something you are: Biometric authentication such as fingerprints or facial recognition.

Recommendation: Enroll at least one phishing-resistant method.
Platform authenticators, FIDO2 security keys, and 1Password passkeys are all phishing-resistant — they cryptographically verify you are signing in to the real Pitt Passport site, not a look-alike. We recommend enrolling at least one of these methods in addition to Duo Push. See the comparison table below to decide which is right for you.

How These Methods Compare

Use this table to decide which methods to enroll. We recommend having at least two methods from different categories so that losing one device does not lock you out.

Authentication methods compared by security, convenience, and resilience
Consideration	Platform Authenticator	FIDO2 Security Key	1Password Passkey	Duo Push	SMS / Phone Call
Phishing-resistant	YES	YES	YES	PARTIAL	NO
Works offline	YES	YES	YES	PASSCODE ONLY	NO
Survives device loss	PARTIAL	YES	YES	NO	PARTIAL
Syncs across devices	ECOSYSTEM ONLY	NO	YES	NO	N/A
Nothing to purchase	YES	NO	YES	YES	YES

Authentication Options

Select a section below to expand its requirements and setup details.

Platform Authenticators (Touch ID, Face ID, Windows Hello, Android Biometrics) PHISHING-RESISTANT

Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Because they use biometrics or a device PIN, there is nothing to carry separately — but because they are tied to a specific device, losing that device means losing that factor.

Note: Platform authenticators require enablement by Pitt Digital Security.
Before you can register a platform authenticator, submit a Duo Multifactor Authentication request to have the option authorized on your account.

Touch ID on Mac

Requirements:

A MacBook Pro, MacBook Air, or Magic Keyboard with a Touch ID button.
A fingerprint enrolled in Touch ID (set up Touch ID at Apple Support).
A supported browser: Safari or Chrome. Refer to the Duo browser support table.
iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

Touch your Mac's Touch ID sensor when prompted to log in. If you cannot access the Touch ID sensor (such as when you close and dock your laptop), you can type your Mac login password instead. If you need to cancel a Touch ID authentication in progress, select the cancel option shown by your browser, outside of the Duo Universal Prompt.

Face ID or Touch ID on iPhone or iPad

Requirements:

An iPhone or iPad that supports Face ID or Touch ID.
Face ID or Touch ID already set up on the device. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

Depending on the option your device supports, you will either scan your face to use Face ID or scan your fingerprint to use Touch ID when logging in.

Windows Hello

Requirements:

A device running Windows 10 or later.
Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
A supported browser: Chrome, Edge, or Firefox. Refer to the Duo browser support table. Note that Chrome Incognito and Edge InPrivate browsing will not work with Windows Hello, but will work with security keys.

Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition to log in to Duo.

Android Biometrics

Requirements:

An Android device that supports biometrics, such as fingerprint or face unlock.
Fingerprint or facial unlock set up on the device. Go to Settings → Security to change your unlock settings. Refer to the Google support articles Unlock your Pixel phone with your fingerprint and Unlock your Pixel phone with your face, or the Samsung fingerprint setup guide and Samsung facial recognition guide, or your device manufacturer's support site.

Follow your device's prompt to scan your fingerprint or use facial recognition to log in to Duo.

FIDO2 Security Keys PHISHING-RESISTANT

A FIDO2 security key is a small USB or NFC device that plugs into your computer or taps against your phone. When tapped or when the button is pressed, it sends a cryptographically signed response back to Duo that validates your login and proves you are on the legitimate Pitt Passport site. Duo uses the WebAuthn authentication standard (also referred to as “FIDO2”) to interact with security keys.

Requirements

A supported browser: Chrome, Safari, Firefox, or Edge. Refer to the Duo Universal Prompt browser support table for minimum versions.
A FIDO2/WebAuthn-compatible security key. Keys from Yubico (YubiKey 5 series) or Feitian are good options.

Important: U2F-only keys are not supported.
Older U2F-only security keys (such as the YubiKey NEO-n) cannot be used with Duo's Universal Prompt. Ensure your key is FIDO2/WebAuthn compatible.

Where to Purchase

FIDO2-certified keys are available on CDW-G, Amazon, and most major electronics retailers, typically starting around $25–$55. Departments may choose to fund keys — check with your business manager. Pitt does not provide security keys to users.

Tip: Choose a key with both USB-C and NFC so it works with laptops and phones alike. Consider purchasing two so you have a backup stored separately.

1Password Passkeys PHISHING-RESISTANT

The University supports 1Password, which can serve as both your password vault and your passkey manager. Passkeys stored in 1Password sync across all your devices — Mac, Windows, iOS, and Android — so if a device is lost or wiped, your passkeys are recoverable the moment you sign in to 1Password on another device. This solves the biggest limitation of platform authenticators: being locked to a single device or ecosystem.

Tip: Save passkeys in 1Password for cross-device access.
When a website or app offers to create a passkey, 1Password can store it in your vault instead of locking it to a single device. This is especially valuable if you use multiple computers or travel frequently. See Passkeys in 1Password for supported sites and setup details.

Get Your 1Password Account

Students receive 1Password at no cost — see Getting Started with 1Password for Students.
Faculty and staff can request a 1Password account through the Services Portal.
For setup instructions, downloads, and browser extensions, see Getting Started with 1Password.

Duo Push (Smartphone, Tablet, or Apple Watch)

Once you download the Duo Mobile app and enroll your smartphone, Duo Push is the fastest and most convenient authentication method. When you log in to a Pitt Passport service, a push notification appears on your device — tap Approve to authenticate.

Requirements

A smartphone, tablet, or Apple Watch with the Duo Mobile app installed.
An internet connection (Wi-Fi or cellular data) to receive push notifications.

Tip: You can also generate a passcode at any time from within the Duo Mobile app, even without a Wi-Fi or cellular data connection. Open the app and tap University of Pittsburgh to generate a passcode, then enter it when prompted at login.

For setup instructions, see Setting Up Multifactor Authentication with Duo.

SMS Passcode, Phone Call, or Landline BEING PHASED OUT

Pitt's instance of Duo currently supports authentication via phone call and SMS passcodes to cell phones and landlines.

Warning: These methods are being phased out.
SMS and phone-call authentication are not phishing-resistant and are vulnerable to SIM-swapping and interception. They will be replaced by more secure methods. We strongly recommend transitioning to a platform authenticator, security key, or 1Password passkey as soon as possible.

If you currently rely on SMS or phone-call authentication, plan to enroll at least one additional method from the options above before these methods are retired.

How to Enroll

For Duo Push (smartphone setup): Follow the step-by-step instructions in Setting Up Multifactor Authentication with Duo.

For passkeys, platform authenticators, and security keys:

Sign in to Pitt Passport from a trusted network.
Navigate to Security Info and select Add sign-in method.
To register a FIDO2 key, choose Security key. To register Touch ID, Face ID, Android biometrics, or Windows Hello, choose Passkey.
Follow the on-screen prompts. You will verify with your current method first.
Repeat to add additional methods. We recommend enrolling at least two methods from different categories.
Test each method by signing out and signing back in, selecting the new authenticator at the prompt.

If you travel internationally, passkeys and security keys are especially important — they work without cellular service or network connectivity. See Technology Guidelines and Tips for International Travel for travel-specific MFA guidance.

0 reviews

Print Article

Updating...

Understanding Duo Authentication Device Options

Overview

How These Methods Compare

Authentication Options