Setting Up Multifactor Authentication with Duo

Overview

Are you new to Pitt and need to set up Duo for the first time? Have you been using Duo, but just got a new phone and need to re-register? Do you want to register an additional device to use with Duo? Or have you been using Duo and suddenly it stopped working? Follow this guide and you'll be using Duo in no time!

Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring two “factors” to verify your identity when you log in to a service: something you know (such as your password) and something only you have (such as your mobile phone, on which you will receive a login confirmation notice).

New: Phishing-resistant sign-in methods are now available.
Duo Push is a good starting point, but passkeys and FIDO2 security keys offer stronger protection because they are bound to the real Pitt Passport site and cannot be intercepted by phishing pages. We recommend enrolling at least one phishing-resistant method in addition to Duo Mobile. See Strengthen Your Account with Passkeys and Security Keys below, or visit Understanding Duo Authentication Device Options for a full comparison of all available methods.

Detailed Steps to Register Devices

First Time User [New User]

To help keep your account secure, you’ll be using Duo Mobile for multifactor authentication. Start by choosing the device or method you'd like to register as your primary way to authenticate. For help deciding, refer to our Understanding Duo Authentication Device Options. If you choose to use a mobile phone, follow the steps in this First Time User guide:

Open a web browser on your computer and browse to Accounts Self-Service.
Type your username and password in the appropriate fields, and select Submit.
Select Get Started.
On the "First, Add a device" selection screen, select Duo Mobile.
Type your phone number in the text box, area code first, like the example shows, and select Continue.
Verify that you've entered the correct phone number and select the Yes, it's correct button.
Install the Duo Mobile app from your device's app store. Be sure that the name of the app is Duo Mobile and not Duo Lingo. Select Next when you have done so.
Open the Duo Mobile app on your mobile phone or device and tap the Set Up Account button, then tap Use a QR code. Point your device's camera at your computer screen to scan the QR code.
On your phone, tap Save.
Go back to your computer and select Continue.
Select I don't want to add more devices to complete the process.

New Device for an Already Registered Number [Existing User]

Do you have a new phone that's using your old number and you need to reactivate the Duo Mobile app?

Begin by installing the Duo Mobile app from your device's app store. Be sure that the name of the app is Duo Mobile and not Duo Lingo.
Open a web browser on your computer and browse to Accounts Self-Service — Manage My Devices.
Type your username and password in the appropriate fields, and select Submit.
Select the I got a new phone link.
Select the Text me a link button.
Check your phone's text messaging app and select the link sent from Duo.
The link will open in Duo Mobile. Tap Save.
Go back to your computer, and select Continue to complete the process.

New Device and a New Number [Existing User]

Do you have a new phone and a new phone number as well?

Begin by installing the Duo Mobile app from your new device's app store. Be sure that the name of the app is Duo Mobile and not Duo Lingo.
Open a web browser on your computer and browse to Accounts Self-Service — Manage My Devices.
Type your username and password in the appropriate fields, and select Submit.
Select the I got a new phone link.
Select the I got a new number button.
On the New number? That'll take a few more steps screen, select Continue.
Enter your new phone number and select Text me a link.
Check your phone's text messaging app and select the link sent from Duo.
The link will open in Duo Mobile. Tap Save.
Go back to your computer, and select Continue to complete the process.

If you don't have access to the old device and are stuck, please give our Technology Help Desk a call at 412-624-HELP (4357). We'll verify your account and assist with registering the new device!

Registering an Additional Device [Existing User]

Use the following steps to register an additional device with Duo.

Begin by installing the Duo Mobile app from your device's app store. Be sure that the name of the app is Duo Mobile and not Duo Lingo.
Open a web browser on your computer and log into Accounts Self-Service — Manage My Devices. You'll need to authenticate through Duo twice. Once to login to the Accounts Administration page and a second time to access the device management page.
Select Add a device to add an additional device.
On the Select an Option screen, select Duo Mobile.
Enter your phone number and select Continue. (If you are using a tablet, select "I have a tablet.")
Verify that you've entered the correct phone number.
You will be prompted to download Duo Mobile, which you completed in step 1. Select Next.
Using your phone or tablet, scan the QR code that the website generates for you. If you don't want to use the QR code, select to have the activation link emailed to you. Make sure to enter an email address you have access to on your phone. If you use the emailed link, skip the steps below.
You will be prompted to name your Duo account. Tap Next.
Keep the default account name (University of Pittsburgh) or choose a different name, then tap Save.
Go back to your computer and select Continue.
You can now log in using the new device. When you log in to a service via Pitt Passport, the Duo prompt will appear. Select Other Options, then Send a Duo Push to the device that you added.

Fix Existing Device [Existing User]

One of the most common issues with the Duo Mobile app is the failure to receive push notifications. This typically occurs when the app and your device are not properly syncing. To resolve this, try the following steps:

Log in to any University of Pittsburgh service that uses Duo and select Send me a Push.
If the notification does not appear immediately, manually open the Duo Mobile app. In most cases, the notification will be waiting within the app.
This usually re-establishes proper communication between the app and your device. If the issue persists, restarting your device is recommended.

If the app indicates that your Duo account is "disconnected" or "disabled," follow the instructions for Registering a New Device for an Already Registered Number. During the Duo login process, select the Call Me option (you may need to tap Cancel first if a push is sent automatically).

If none of these steps resolve the issue, please contact the Technology Help Desk at 412-624-HELP (4357) for further assistance. We’re happy to help!

Remove a Registered Device [Existing User]

If you lose a device that you have registered with Duo Mobile, or if you no longer use it, you should remove it.

Log in to the Manage My Account service via myPitt (my.pitt.edu).
Type your username and password into the appropriate fields and select Submit. Multifactor authenticate (If you have lost your primary device and have not registered a backup, you can call the Technology Help Desk for a bypass code).
Select Login & Security then select Add/Manage Pitt Passport Devices from the drop-down menu.
Multifactor authenticate via your preferred method.
Select Edit next to the device you want to remove.
Select Delete.

Strengthen Your Account with Passkeys and Security Keys

Duo Push protects your account, but it can still be tricked by sophisticated phishing attacks that relay push approvals in real time. Passkeys and FIDO2 security keys are phishing-resistant by design — they cryptographically verify that you are signing in to the real Pitt Passport site, not a look-alike. Enrolling at least one of these methods significantly raises the bar for anyone trying to compromise your account.

There are three ways to add phishing-resistant authentication to your Pitt account:

Platform Authenticators (Built Into Your Device)

Platform authenticators use biometrics or a device PIN you already have — no additional hardware to buy:

Apple devices: Touch ID or Face ID
Android devices: Fingerprint, face unlock, or screen lock
Windows devices: Windows Hello (fingerprint, facial recognition, or PIN)

Because a platform authenticator is tied to the device it is registered on, losing that device means losing that factor. Always pair it with a second method.

Note: Platform authenticators require enablement by Pitt Digital Security.
Before you can register a platform authenticator, submit a Duo Multifactor Authentication request to have the option authorized on your account. For detailed requirements by device type, see Understanding Duo Authentication Device Options.

FIDO2 Security Keys (Physical Roaming Authenticators)

A FIDO2 security key is a small USB or NFC device you carry on a keychain. It works on any computer, requires no network connection or battery, and is the strongest phishing-resistant factor available. When you tap or press the key, it signs a challenge that proves you are on the legitimate Pitt Passport site — a phishing page cannot replicate this.

Recommended: FIDO2-certified keys such as those from Yubico (YubiKey 5 series) or Feitian.
Where to purchase: Available on CDW-G, Amazon, and most major electronics retailers, typically starting around $25–$55. Departments may choose to fund keys — check with your business manager. Pitt does not provide security keys to users.
Tip: Choose a key with both USB-C and NFC so it works with laptops and phones alike. Consider purchasing two so you have a backup stored separately.

Important: U2F-only keys are not supported.
Older U2F-only security keys (such as the YubiKey NEO-n) cannot be used with Duo's Universal Prompt. Ensure your key is FIDO2/WebAuthn compatible. For supported browsers and detailed requirements, see Understanding Duo Authentication Device Options.

Store and Sync Passkeys with 1Password

The University supports 1Password, which can serve as both your password vault and your passkey manager. Passkeys stored in 1Password sync across all your devices — Mac, Windows, iOS, and Android — so if a device is lost or wiped, your passkeys are recoverable the moment you sign in to 1Password on another device. This solves the biggest limitation of platform authenticators: being locked to a single device or ecosystem.

Tip: Save passkeys in 1Password for cross-device access.
When a website or app offers to create a passkey, 1Password can store it in your vault instead of locking it to a single device. This is especially valuable if you use multiple computers or travel frequently. See Passkeys in 1Password for supported sites and setup details.

Note: Get your 1Password account.
Students receive 1Password at no cost — see Getting Started with 1Password for Students.
Faculty and staff can request a 1Password account through the Services Portal.
For setup instructions, downloads, and browser extensions, see Getting Started with 1Password.

How These Methods Compare

Authentication methods compared by security and resilience
Consideration	Platform Authenticator	FIDO2 Security Key	1Password Passkey	Duo Push	SMS / Phone Call
Phishing-resistant	YES	YES	YES	PARTIAL	NO
Works offline	YES	YES	YES	PASSCODE ONLY	NO
Survives device loss	PARTIAL	YES	YES	NO	PARTIAL
Syncs across devices	ECOSYSTEM ONLY	NO	YES	NO	N/A
Nothing to purchase	YES	NO	YES	YES	YES

How to Enroll a Passkey or Security Key

Sign in to Pitt Passport from a trusted network.
Navigate to Security Info and select Add sign-in method.
To register a FIDO2 key, choose Security key. To register Touch ID, Face ID, Android biometrics, or Windows Hello, choose Passkey.
Follow the on-screen prompts. You will verify with your current method first.
We recommend enrolling at least two methods (for example, a platform authenticator on your laptop and a physical security key as backup) so that losing one device does not lock you out.
Test each method by signing out and signing back in, selecting the new authenticator at the prompt.

If you travel internationally, passkeys and security keys are especially important — they work without cellular service or network connectivity. See Technology Guidelines and Tips for International Travel for travel-specific MFA guidance.

If you need help enrolling a passkey or security key, contact the Technology Help Desk at 412-624-HELP (4357).

Additional Information

Did You Know?

You can still use Duo even when you don't have wireless coverage or cell service. If you have Duo set to automatically send a push notification or call your device, select Cancel at the bottom of the webpage. Next, select the green Enter a Passcode button on the webpage. Open the Duo app and tap University of Pittsburgh to generate a passcode, enter it on the webpage, and select the green Log In button.

When possible, we encourage you to use the “Push” option because it is the fastest, most efficient authentication method. In addition, it is also the most cost-efficient option for the University.

If you do not have a smart phone, there are alternative options you can use!

Don't Approve Notifications Unless You're Actively Logging In!

Did you receive a push notification or phone call when you did not try to log in to a service?
Deny the request, report it as fraudulent, and report it to the Technology Help Desk at 412-624-HELP (4357).

Need Emergency Access?

Call the Technology Help Desk at 412-624-HELP (4357) for an emergency bypass code.

0 reviews

Print Article

Updating...