Understanding Alternative Authentication Devices for Duo

Duo Token Security Key ID Landline Touch

Overview

Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring two “factors” to verify your identity when you log in to a service: something you know (such as your password) and something only you have (such as your mobile phone, on which you will receive a login confirmation notice).

When possible, we encourage you to use Duo Push on your compatible smartphone, tablet, or Apple Watch because it is the fastest, most efficient, and most secure authentication method.

Tip: You can also generate a passcode at any time from within the Duo Mobile app, even without a WiFi or cellular data connection. Just click on the University of Pittsburgh account drop-down menu and a code will be generated for you.

If the Duo Mobile application is not a practical authentication option for your situation, or if you are looking to register a second authentication device, consider the following alternatives:

Alternative Authentication Options

Cell Phone or Landline

Duo works with all cell phones and landlines by supporting authentication via phone call and SMS passcodes.

Hardware Token

Hardware tokens are the most basic way of authenticating and are not recommended for most users.

Only Pitt-issued hardware tokens can be used with Duo to access Pitt resources.

The Drop-In Support Desk offers Duo-branded OneSpan Digipass Go6 hardware tokens to individual users whose circumstances have been deemed appropriate.

Examples of appropriate circumstances include:

International travel
Shared access to sponsored/resource accounts
Unreliable phone access or service
Secure work environments
ADA compliance.

If you feel a hardware token makes sense for your situation, contact the Technology Help Desk or stop by a Drop-In Support Desk location with your Panther Card (Pitt-issued ID).

Departments or groups interested in medium-to-large scale deployments (12 or more) of Duo hardware tokens should contact the Technology Help Desk.

While it is STRONGLY recommended to register more than one device or method, hardware tokens will not be issued as a "just-in-case" backup authentication method outside of appropriate circumstances. If you are interested in a hardware token but do not feel that your circumstances would be deemed appropriate, you may want to consider a security key.

Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. You can attempt to resync by following these instructions (the Pitt Hardware Tokens are "HOTP" devices). If you need assistance with this or another issue with a Duo hardware token, bring it to a Drop-In Support Desk location.

Security Key

Duo supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience you're already used to with Duo Push.

What are Security Keys?

A security key plugs into your USB port and when tapped or when the button is pressed it sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

Security Key Requirements

In order to use a security key with Duo, make sure you have the following:

A supported browser (Chrome 70, Firefox 60, Safari 13 or later), or Microsoft Edge 79 or later. Support for authentication is limited to web applications that show Duo's inline browser prompt.
An available USB port.
A supported USB security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. Duo does not support U2F-only security keys (like the Yubikey NEO-n). Pitt does not provide security keys to users.

Platform Authenticators

To request Platform Authentication to be enabled as an option, submit a ticket to our Security team to have it authorized on your account by clicking this link: Duo Multifactor Authentication Ticket.

Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics.

Touch ID on Mac

In order to use Touch ID with Duo, make sure you have the following:

A MacBook Pro, MacBook Air, or Magic Keyboard with a Touch ID button.
A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).
A supported browser: Safari or Chrome. Refer to the Duo browser support table.
iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

Touch your Mac's Touch ID sensor when prompted to log in to the application. If you aren't able to access the Touch ID sensor (such as when you close and dock your laptop), then you can choose to type in your Mac login password instead to verify. If you need to cancel a Touch ID authentication in progress, click or tap the cancel option shown by your browser, outside of the Duo Universal Prompt.

Face ID or Touch ID on an iPhone or iPad

In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:

An iPhone or iPad that supports Face ID or Touch ID.
Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

Depending on the option your device supports, you'll either scan your face to use Face ID while logging in, or you'll scan your fingerprint instead to use Touch ID.

Windows Hello

In order to use Windows Hello with Duo, make sure you have the following:

A device running Windows 10 or later.
Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
A supported browser: Chrome, Edge, or Firefox. Refer to the Duo browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition to log into Duo.

Android Biometrics

In order to use Android Biometrics with Duo, make sure you have the following:

An Android device that supports biometrics, like fingerprint or face unlock.
Facial or fingerprint unlock set up on that device. Go to Settings → Security to change your unlock settings. Refer to the Google support articles Unlock your Pixel phone with your fingerprint and Unlock your Pixel phone with your face, the Samsung articles Set up and use the fingerprint sensor on your Galaxy phone and Use Facial recognition security on your Galaxy phone, or your device manufacturer's support site for examples of how to do this.

Follow your device's prompt to scan your fingerprint or use facial recognition to log into Duo.

0 reviews

Print Article