Duo is the multifactor authentication (MFA) service that protects every Pitt Passport login. This article answers the most common questions about enrollment, day-to-day use, lost or replaced devices, push-notification troubleshooting, and international travel. Pitt Digital recommends phishing-resistant methods — platform authenticators (Touch ID, Face ID, Windows Hello) and security keys (YubiKey, Feitian) — over older options like SMS and phone calls. For an overview of every supported method, see Understanding Duo Authentication Device Options. For enrollment, see Setting Up Multifactor Authentication with Duo. For lockout recovery, see What Happens if I Become Locked Out of Duo?
Quick Actions
- MANAGE YOUR DEVICES (accounts.pitt.edu): Add a new phone, reactivate Duo Mobile, rename or remove a device, or set your default authentication method.
- LOCKED OUT (call the Technology Help Desk, 412-624-HELP (4357)): If you've lost access to every registered device, the Help Desk can remove the lost device and walk you through registering a replacement.
Recommended Authentication Methods
Not all MFA methods are equal. Modern Duo factors based on the FIDO2 / WebAuthn standard cryptographically bind your login to the real Pitt Passport site, making them resistant to phishing, adversary-in-the-middle attacks, and credential-replay. Older methods (SMS, phone call, hardware OTP tokens) can be intercepted, SIM-swapped, or relayed through a fake login page.
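As an added illustration (not Pitt or Duo code), the example below models the origin binding described above: the browser records the page's origin in the signed response, so a response captured on a look-alike page fails the real site's checks even if it is edited in transit. Hostnames, the key pair and all function names are constructed, and it assumes the worst case in which an authenticator signs on the look-alike page at all.

```javascript
// Added illustration, not Pitt or Duo code. Hostnames and the key pair are constructed.
const crypto = require("node:crypto");

const REAL_ORIGIN = "https://passport.example.edu";       // hypothetical real login origin
const FAKE_ORIGIN = "https://passport-login.example.net"; // hypothetical look-alike page
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();
const rpIdOf = (origin) => new URL(origin).hostname;

// Credential created at enrollment: the server keeps only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Browser + authenticator. The browser, not the page's script, fills in `origin`.
function signAssertion(pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: pageOrigin,
  }));
  // authenticatorData = SHA-256(rpId) | flags (0x05: user present + verified) | signCount
  const authData = Buffer.concat([sha256(rpIdOf(pageOrigin)), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Checks the real site's server runs on every response.
function verifyAssertion(a, challenge) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong type";
  if (c.challenge !== challenge.toString("base64url")) return "challenge mismatch";
  if (c.origin !== REAL_ORIGIN) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(rpIdOf(REAL_ORIGIN)))) return "rpId mismatch";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "signature invalid";
}

// An in-transit edit that makes a captured response name the real site.
function rewriteForRealSite(a) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  c.origin = REAL_ORIGIN;
  const authData = Buffer.concat([sha256(rpIdOf(REAL_ORIGIN)), a.authData.subarray(32)]);
  return { ...a, clientDataJSON: Buffer.from(JSON.stringify(c)), authData };
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const captured = signAssertion(FAKE_ORIGIN, challenge);
  return {
    genuine: verifyAssertion(signAssertion(REAL_ORIGIN, challenge), challenge),
    relayed: verifyAssertion(captured, challenge),
    rewritten: verifyAssertion(rewriteForRealSite(captured), challenge),
  };
}
console.log(demo());
```

An SMS or app passcode carries no such origin field, which is why a code typed into a fake page remains valid on the real one.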
Authentication methods ranked by phishing resistance
| Tier | Method | Why |
| --- | --- | --- |
| ✓ PREFERRED | Platform authenticator: Touch ID, Face ID, Windows Hello, Android biometrics | Phishing-resistant (FIDO2/WebAuthn). Built into the device you already use. Nothing extra to carry. Request enablement. |
| ✓ PREFERRED | Roaming authenticator (security key): YubiKey, Feitian, other FIDO2 keys | Phishing-resistant. Portable across devices. Excellent backup method. Works in environments where biometrics aren't available. (Pitt does not supply keys; you purchase your own.) |
| ACCEPTABLE | Duo Push: Duo Mobile app on smartphone or tablet | Convenient and widely used. Vulnerable to MFA-fatigue and social-engineering attacks if users approve unexpected prompts. Always verify the prompt was initiated by you. |
| ⚠ DISCOURAGED | Phone call ("Call Me") | Vulnerable to SIM-swap attacks and call forwarding. Will be phased out in favor of stronger methods. Avoid for new enrollments. |
| ⚠ DISCOURAGED | SMS passcodes | Same SIM-swap and interception risks. Codes can be phished through fake login pages. Will be phased out. Avoid for new enrollments. |
Warning: Currently using SMS or phone-call as your only method?
Add a platform authenticator or security key to your account now. SMS and phone-call factors will be phased out as Pitt aligns with federal guidance on phishing-resistant MFA. See Understanding Duo Authentication Device Options for setup details.
Note: Register at least two devices.
A backup method (a second phone, tablet, or a hardware security key) is the single most important thing you can do to avoid a lockout. There is no limit to the number of devices you can register.
The Basics
❓ What is multifactor authentication?
Multifactor authentication (MFA) adds a second verification step to your login — after you enter your username and password, you confirm the login on a device you control. This prevents unauthorized access even if your password is stolen or guessed.
At Pitt, MFA is required for any service that uses Pitt Passport, the University's single sign-on system. Duo supports several second-factor options — see the Recommended Authentication Methods section above. Pitt Digital recommends phishing-resistant methods (platform authenticators and security keys) for new enrollments.
🔐 Which University services require Duo?
Any service that authenticates through Pitt Passport requires Duo. That includes (non-exhaustive):
- my.pitt.edu, Pitt email and the full Microsoft 365 suite (Outlook, Teams, OneDrive)
- Canvas, Panopto, and other learning tools
- PeopleSoft, Pitt Worx, PRISM, PittPAY
- Box cloud storage, DocuSign (Pitt eSignature)
- LinkedIn Learning, LabArchives, Tableau, the Pitt App Store
- EZproxy for licensed library resources
- VPN (PulseSecure / GlobalProtect)
You do not need Duo to log into a Windows or Mac workstation locally. Duo is only invoked when you reach a Pitt Passport prompt.
⏱ How often will I be prompted for Duo?
Within a single browser session, Pitt Passport remembers your Duo approval for 24 hours. After that, or if you close your browser, switch browsers, or use a different device, you'll be prompted again.
Individual applications protected by Duo enforce their own session timeouts on top of Pitt Passport, and these are often shorter. For example, an administrative finance system or sensitive HR application may require re-authentication after 30 minutes of inactivity even though your Pitt Passport session is still valid. The shorter timeout wins. Expect to see Duo prompts more frequently in higher-sensitivity applications regardless of when you last authenticated.
Devices & Enrollment
Recommended: enroll at least two authentication methods.
A second method turns a lost-phone emergency into a 30-second self-service fix. Strong combinations: platform authenticator (Touch ID / Windows Hello) + security key; smartphone (Duo Push) + security key; or two devices each with a platform authenticator.
📱 I got a new phone — what do I need to do?
Same phone number, new device: Reactivate Duo Mobile from accounts.pitt.edu. You'll need to complete a Duo prompt on your backup device first. Select Device Options next to the phone you're replacing, then Reactivate Duo Mobile, and scan the QR code with the Duo Mobile app on the new phone.
New phone number: Add the new phone as a new device, then remove the old one. Full instructions in Duo's official guide: Add a New Device — Duo User Guide.
If you no longer have access to the old device and didn't enroll a backup, call the Help Desk at 412-624-HELP (4357).
Tip: Duo Restore.
If you set up Duo Restore (backup) on your old phone before switching, you may be able to restore your Duo accounts to the new phone without re-enrolling. See Duo's Duo Restore guide.
📵 I lost my phone — what should I do? Act Quickly
If you have a backup device registered:
- Log in to accounts.pitt.edu using your backup device.
- Select Device Options next to the lost phone.
- Select the trash icon to remove it from your account.
- Optionally, enroll a replacement device.
If you do not have a backup device: call the Technology Help Desk at 412-624-HELP (4357). After verifying your identity, an analyst will remove the lost device and walk you through enrolling a new one.
Duo's official guidance for lost phones is summarized at guide.duo.com/common-issues.
📞 I don't have (or don't want to use) a smartphone. What are my options?
You don't need a personal smartphone to use Duo. Pitt Digital recommends these phishing-resistant alternatives:
- Platform authenticator — Touch ID, Face ID, Windows Hello, or Android biometrics on a device you already use (laptop, desktop, tablet). Request enablement via the Duo Multifactor Authentication ticket.
- Hardware security key (roaming authenticator) — YubiKey, Feitian, or other FIDO2 keys. Portable, durable, and not tied to a phone or phone number.
- Tablet running the Duo Mobile app — works the same as a smartphone for push notifications and passcode generation.
Warning: Avoid landline and SMS as your authentication method.
Landline ("Call Me") and SMS passcodes are vulnerable to SIM-swap, call-forwarding, and phishing attacks. They are being phased out as Pitt aligns with phishing-resistant MFA guidance. If you currently rely on landline or SMS, please add a platform authenticator or security key as soon as possible.
See Understanding Duo Authentication Device Options for setup details and requirements (browser compatibility, supported key models, etc.).
☎ Can I use my office landline for Duo?
Pitt Digital does not recommend landline as a Duo factor, and the "Call Me" option is being phased out in favor of phishing-resistant methods. A shared landline (lab, front desk, conference room) is especially problematic: anyone with physical access to the phone could approve a login intended for you.
Use one of these instead:
- Platform authenticator on your assigned workstation — Touch ID on Mac, Windows Hello on PC, or Face ID on your tablet.
- Hardware security key kept on your person, in a locked drawer, or on your keyring.
- Personally assigned tablet running Duo Mobile.
👆 Can I use Touch ID, Face ID, or Windows Hello?
Yes. Duo calls this Platform Authentication. Because it changes your account's available factors, it must be enabled on your account by the Pitt Digital Security team.
To request it, submit a Duo Multifactor Authentication ticket. For background on platform authentication at Pitt, see Platform Authentication for DUO.
Troubleshooting
🔔 I'm not receiving push notifications. What do I do?
Most push delivery problems are caused by network conditions or notification settings on the phone. Try these steps in order:
- Open the Duo Mobile app and pull down to refresh. This pulls pending requests directly from Duo's service and bypasses the push channel entirely. This is the fastest fix.
- Check notification permissions. On iOS: Settings → Notifications → Duo Mobile → Allow Notifications. On Android: Settings → Apps → Duo Mobile → Notifications.
- Disable Do Not Disturb / Focus modes while you're authenticating.
- Toggle airplane mode on and off to refresh the network connection.
- Switch between Wi-Fi and cellular data — phones sometimes lose track of which channel is healthy.
- Verify date and time are set to automatic / network time. Manual clocks cause silent failures.
- Generate a passcode manually. Open Duo Mobile, tap the key icon next to your Pitt account, enter the 6-digit code at the Duo prompt. This works even with no internet at all.
If problems persist, run Duo's built-in push troubleshooter (iOS Duo Mobile v3.32+): in Duo Mobile, tap Edit, tap your Pitt account, then Get Started under "Missing Notifications?"
Reference: Duo Common Issues.
⏳ I get "Activation Link Expired" when scanning the QR code.
Activation links expire shortly after they're generated. To get a fresh one:
- Go to accounts.pitt.edu.
- Complete the Duo prompt using your backup device.
- Select My Settings & Devices (or open the device management panel).
- Select Device Options next to the phone you're activating.
- Select Reactivate Duo Mobile and follow the wizard.
If you do not have a backup device registered, call the Help Desk at 412-624-HELP (4357).
Reference: My Settings & Devices — Duo User Guide.
🚫 I got a Duo push or phone call when I wasn't logging in. (Possible Compromise)
Critical: Deny the prompt and report it as fraud immediately.
An unexpected Duo prompt almost always means someone has your password and is actively trying to use it. Approving the request gives them access to your account.
- Tap "Deny" on the push prompt (or hang up the call).
- When asked "Was this you?", choose "It wasn't me" / report as fraud. This automatically alerts Pitt Digital Security and flags the suspicious activity on your account.
- Call the Technology Help Desk at 412-624-HELP (4357) to confirm the report and request next steps.
- Change your Pitt password as soon as you're off the phone.
Do not approve a Duo prompt that you did not initiate — even if it arrives repeatedly. "MFA fatigue" attacks rely on users approving by accident or to make the prompts stop.
📧 I got an email or Duo notification that a device was added or removed.
Duo notifies you any time a device is added to or removed from your account. The notification arrives by email (subject line "Device, [name] Added/Removed") and/or as a push in Duo Mobile.
- If you made the change, select Yes, this was me.
- If you did not make the change, select No, this wasn't me and call the Help Desk at 412-624-HELP (4357) immediately. Your administrator is automatically alerted as well.
See also: Why did I receive an email or Duo Mobile notification from Duo about my devices?
International Travel & OFAC Restrictions
Duo is a U.S.-based service and is required by federal law to block authentications originating from countries and regions sanctioned by the U.S. Office of Foreign Assets Control (OFAC). This block is enforced at the network level by Duo — the University cannot grant exceptions.
⚠ Duo is blocked in OFAC-sanctioned regions
If your device's IP address originates in any of the regions below, every Duo authentication attempt will fail with the message "Access denied. Duo Security does not provide services in your current location." This applies to all Duo methods — push, SMS, phone call, and hardware tokens — because the block is based on the access device's IP, not the second-factor method.
1. Currently restricted regions: Cuba, Iran, North Korea, Sudan, Syria, and the Crimea, Donetsk, Luhansk, and Sevastopol regions of Ukraine. The list is maintained by the U.S. government and can change without notice.
2. VPNs do not bypass the restriction. The block is based on the origin IP of the access device. Connecting to a Pitt or commercial VPN from inside a sanctioned region does not work, and attempting to circumvent OFAC rules may violate federal law.
3. China and other non-sanctioned countries are not on the OFAC list, but local network conditions may still degrade Duo service. Bring a hardware token and verify access before you depart.
4. If you must travel to a restricted region, contact Pitt Digital Security and the Office of International Services before you go. Loss of access to email, VPN, Microsoft 365, Canvas, PeopleSoft, and Pitt Worx should be assumed.
Official Duo reference: Duo MFA: OFAC Restrictions (help.duo.com article 7544) — the authoritative source maintained by Duo Security.
Warning: There is no OFAC exception process.
Duo cannot grant exceptions for individual users or institutions in sanctioned regions. Pitt Digital cannot override the block. Plan around it.
Account Lifecycle
🎓 I recently graduated. Do I still need Duo?
For graduations on or after September 22, 2025: your Duo enrollment carries over to your alumni account. You will continue to authenticate normally with your existing devices.
For graduations before September 22, 2025: your Duo account was purged at the transition to alumni status. You will need to re-enroll a device the next time you sign in to a Pitt Passport service.
🙅 I don't have any of my Duo devices with me and I need to log in.
Call the Technology Help Desk at 412-624-HELP (4357). After verifying your identity, an analyst can issue a temporary bypass code that lets you log in once without a device.
To avoid this situation in the future, enroll multiple authentication methods on your account. Pitt Digital recommends pairing a platform authenticator (Touch ID, Face ID, Windows Hello, Android biometrics — request enablement via a Duo Multifactor Authentication ticket) with a hardware security key (YubiKey, Feitian) for a backup that doesn't depend on your phone, your phone number, or cell service. See Platform Authentication for DUO and Understanding Duo Authentication Device Options.
Official Duo Documentation
Duo Security publishes user-facing documentation that is updated continuously. When in doubt, the references below are authoritative.
Key Contacts
- Technology Help Desk, 412-624-HELP (4357): Lockouts, device removal, push problems, bypass codes
- Pitt Digital Security, via Help Desk: Suspected account compromise, Platform Authentication requests, OFAC-region travel guidance
- Self-Service, accounts.pitt.edu: Add, reactivate, rename, or remove devices