Multifactor Authentication (Duo)
Multifactor authentication, provided by Duo Security, adds another layer of security to your online accounts when using Pitt Passport by requiring two “factors” to verify your identity when you log in to a service: something you know (such as your password) and something only you have (such as your mobile phone, on which you will receive a login confirmation notice).
Threats from phishing scams, malicious software, and compromised passwords are constantly increasing and pose an immediate risk to your privacy and the security of University data. In response, the University has added multifactor authentication to all services that use the University’s single sign-on service, Pitt Passport. When accessing a service you will be prompted to enter your username and password on the Pitt Passport login page and complete the login process with multifactor authentication.
Key Benefits
- Designed to prevent unauthorized access to your information and University data, including confidential retirement account details, pay statements, and direct deposit information.
- Protects your privacy regardless of what type of device you use to access Pitt Passport services and regardless of whether you access Pitt Passport services while connected to the University’s wired network, the University’s wireless network, or an external network.
- Provides several options for your second authentication factor, including options that enable you to use multifactor authentication when you are in an area without wireless access or cell phone service (see the Frequently Asked Questions below for details).
Get Started in 3 Easy Steps
1. Decide what type of device or method to register as your primary means to authenticate. Refer to our Multifactor Authentication Options Guide or check the guidelines below.
2. Register your devices and/or method (Mobile phone (recommended), tablet (iPad, Nexus 7, etc.), Landline, Security Key (YubiKey, Feitian, etc.), or Touch ID).
*NOTE: It is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in the case of a lost or stolen primary device, or if you have upgraded or purchased a new phone and have not registered it for multifactor authentication yet.
A. Log in to the Manage My Account service via My Pitt (my.pitt.edu).
B. Click Login & Security then Add/Manage Pitt Passport Devices and complete the steps.
Note: Watch our video or refer to the detailed instructions below.
3. Log in to a Pitt Passport service using the device you registered and select Send Me a Push, Call Me, or Enter a Passcode.
Note: See detailed instructions below.
More Ways to Get the Most from Multifactor Authentication
Step 1: Guidelines for Deciding What Type of Devices to Register
You have the option to register a wide variety of devices to use with multifactor authentication. How do you know which device is the best fit? Review our Multifactor Authentication Options help sheet for a quick overview.
You can also consider these general guidelines:
- If you have a smartphone, enroll your smartphone for multifactor authentication and select Send me a Push when authenticating. A notification will be sent or "pushed" to your smartphone when you try to log in. Tap Approve to complete the login process.
- If you have a regular cell phone, then enroll your phone number for multifactor authentication and select either Call Me or Enter a Passcode when authenticating. Call Me will call your cell phone number and prompt you to press 1 to complete the login process. Enter a Passcode allows you to have a code texted to your cell phone, which you will then enter to complete the login process.
- If you DO NOT have a cell phone, enroll your office phone and/or home phone for multifactor authentication by completing the steps in “Register a Landline (Office Phone)" below. Use Call Me when authenticating.
- If you DO NOT have a cell phone or a home phone, then stop by the Walk-In Support Desk at the University Store on Fifth to discuss the use of a hardware token.
*NOTE: It is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in the case of a lost or stolen primary device, or if you have upgraded or purchased a new phone and have not registered it for multifactor authentication yet.
Step 2: Register a Device
Register a Mobile Phone, Tablet, or Non-Smartphone
It is recommended that you register a mobile phone for use with multifactor authentication. The instructions below explain how to register an Android phone. The process for registering an iPhone, Windows phone, or BlackBerry is very similar. You can also register a tablet or non-smartphone by following these steps. If you would like to register a landline (for example, an office phone), follow the instructions at the bottom of this page.
Remember, it is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in case of a lost or stolen primary device, or if you have upgraded or purchased a new phone.
Please note: Duo apps are only available for iOS (iPhone) versions 9 and above and Android versions 5 and above. See the announcement at the top of this page for scheduled app changes.
1. Log in to the Manage My Account service via My Pitt (my.pitt.edu).
2. Click Login & Security then Add/Manage Pitt Passport Devices.
3. Click Start setup.
Note: If you have already registered a device, the window shown below will display in place of the Start setup window. Click Add another device.
4. Select Mobile phone and click Continue. (To register a tablet, select Tablet.)
5. Enter your mobile phone number, verify it is the correct phone number by selecting the checkbox, and click Continue.
6. Select the type of phone you are registering and click Continue.
Note for registering non-smartphones: If you are registering one of these devices (such as a non-iOS or non-Android smartphone, or a landline), click Other and complete the remaining windows that display in the wizard.
7. Install the Duo Mobile App for your phone from the Pitt App Store, Google Play (Android devices), the Apple Store (iOS devices), or the Microsoft Store (Windows devices). When the app is installed, click I have Duo Mobile installed.
8. Open the Duo Mobile app on your phone, tap the plus (+) sign on the app, and use your phone to scan the new barcode on your computer screen.
Note: A sample barcode example is shown below. Do not scan this barcode.
9. Once the barcode has been scanned, the screen below will display on your mobile phone and the window below will display on your computer. Click Continue.
10. Choose what you want to happen when you log in to a service that requires multifactor authentication. By default, you will be prompted to choose an authentication method. If you know you will always want to receive a "push" notification (i.e., an Approve/Deny confirmation screen that displays on your phone), you can save time by selecting Automatically send this device a Duo Push. When you are finished, click Save.
11. It is recommended that you register more than one smartphone, cellphone, tablet, or landline for multifactor authentication. That way, if you do not have your smartphone with you, you will still be able to log in using a tablet or landline. To register a second device, click Add another device on the window above and follow the same steps.
Alternative: Register a Landline (Office Phone)
The steps below explain how to register a landline (for example, an office phone). It is recommended that you register a mobile phone for use with multifactor authentication. To do so, follow the instructions in the previous section.
Notes
- If you choose to use a landline, it must be an individual telephone registered to you. You may use your office phone, but you may not register a shared telephone.
- If you plan to use a landline as your primary device, remember that you will need to have access to that specific phone whenever you want to log in to a service that is protected by multifactor authentication.
1. Log in to the Manage My Account service via My Pitt (my.pitt.edu).
2. Click Login & Security then Add/Manage Pitt Passport Devices.
3. Click Start setup.
Note: If you have already registered a device, the window shown below will display in place of the Start setup window. Click Add another device.
4. Select Landline and click Continue (Keep in mind that a mobile phone is recommended).
5. Enter the phone number, verify that it is the correct number by selecting the checkbox, and click Continue.
6. The landline will display in the list of devices you have registered. If you want to make your landline the primary device you use to log in with multifactor authentication, select it under the drop-down menu titled Default Device.
Step 3: Log In Using Multifactor Authentication
After you have registered a device, you will be prompted to use your device whenever you log in to a protected service. The window below will display when you attempt to log in.
You can authenticate in one of three ways:
- Send Me a Push
If you select Send me a Push, a notification will be sent or "pushed" to your mobile phone or tablet. You simply need to tap Approve to complete the login process.
Important: If you receive a login request that you were not expecting, tap Deny to reject the request. You will be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it. You should only click Approve if you were expecting to receive a push notification because you were trying to log in to a service.
- Call Me
If you select Call Me, the authentication window will indicate that it is calling your mobile phone or landline. Answer the call. If you were expecting the call, press 1 to complete the login process. If you were not expecting the call, press 9 to report it as fraudulent.
Note: If you are using a landline at UPMC Children's Hospital and are using the Call Me authentication option, you will need to press the # key, then 4, then 1 to approve the authentication request. To deny the authentication request, press the # key, then 4, then 9.
- Enter a Passcode
If you select Enter a Passcode, the authentication window will prompt you to enter a code (e.g., a series of numbers). If you do not have a code, click the Text me new codes button and a code will be sent to your mobile phone.
Enter the code in the green box and click Log In.
Tip: You can also generate a passcode at any time from within the Duo Mobile app. Just click on the University of Pittsburgh account drop-down menu and a code will be generated for you.
Note: If you have more than one device registered, you can click the Device drop-down menu to select the device you want to use to authenticate.
Register an Additional Device
*NOTE: It is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in the case of a lost or stolen primary device, or if you have upgraded or purchased a new phone and have not registered it for multifactor authentication yet. If you forget or lose your primary device, you can still log in using your second (or third) device. There is no limit to the number of devices you can register.
- Log in to the Manage My Account service via My Pitt (my.pitt.edu).
- Click Login & Security then Add/Manage Pitt Passport Devices.
- Click + Add another device.
- Complete the steps in the wizard to add another device. See the "Register a Device" section above for details.
Using the Duo "Remember Me" Feature
You can use the Duo "Remember Me" checkbox to reduce the number of times you need to use multifactor authentication in a given day. When you select the Duo “Remember Me” checkbox, you will not need to use Duo multifactor authentication again for 24 hours when accessing web apps through Pitt Passport, as long as you use the same browser, on the same device.
To use the feature, click the Remember me for 24 hours checkbox at the bottom of the Duo authentication screen, then select your authentication method. If the “remember me” box does not appear, click Cancel and then you should be able to select the check box and proceed to authenticate.
- Tip: Your Internet browser must allow cookies from the duosecurity.com domain to be stored on your computer in order for the feature to work.
Some services time out in less than 24 hours, in which case you will be prompted to enter your username and password on the Pitt Passport login screen again, but you will not be required to accept a push from Duo.
Replace a Registered Device with a New Device
There may come a time when you want to replace a device that you have already registered. For example, you may upgrade to a new mobile phone while keeping your old phone number. In this case, you will need to "reactivate" Duo Mobile on your new phone by following the steps below.
1. Log in to the Manage My Account service via My Pitt (my.pitt.edu).
2. Click Login & Security then Add/Manage Pitt Passport Devices.
3. Log in with multifactor authentication (If you have lost your primary device and have not registered a backup, you can call the 24/7 IT Help Desk for a bypass code).
4. Click Device Options next to the device you want to reactivate.
5. Click Reactivate Duo Mobile.
6. Complete the steps in the activation wizard.
Remove a Device You Have Registered
If you lose a device that you have registered with Duo Mobile, or if you no longer use it, you should remove it.
Important: Be sure you have at least one other device registered for multifactor authentication before you remove a device (see "Register an Additional Device" for details).
1. Log in to the Manage My Account service via My Pitt (my.pitt.edu).
2. Click Login & Security then Add/Manage Pitt Passport Devices.
3. Log in with multifactor authentication (If you have lost your primary device and have not registered a backup, you can call the 24/7 IT Help Desk for a bypass code).
4. Click Device Options next to the device you want to remove.
5. Click Remove Device (red trash can icon).
6. Click Remove to confirm you want to remove the device.
Set a Default Authentication Preference
If you always want to receive a push notification (or you always want to receive a phone call or enter a passcode), you can save time and set this as your default preference. To do so, complete these steps.
- Log in to the Manage My Account service via My Pitt (my.pitt.edu).
- Click Login & Security then Add/Manage Pitt Passport Devices.
- Log in with multifactor authentication.
- Select your default authentication method from the When I log in: options and click Save.
Multifactor Authentication and PittNet VPN (Pulse Secure)
If you use the University’s PittNet VPN service, either through the recommended Pulse Secure client or via the IPSec client, you need to use multifactor authentication for your PittNet VPN connections. This requirement affects all students, faculty, and staff who use the PittNet VPN service.
Note that you must already have registered a device for multifactor authentication before you can complete the steps below.
Using Multifactor Authentication with the Pulse Secure Client
- Launch the Pulse client and open your preferred connection.
- A new pre-sign in notification displays similar to the one shown below. This page explains your options for using multifactor authentication. Click Proceed to enter your username and password as you normally would and click Connect.
- A new window displays a Secondary Password field for multifactor authentication.
In the Secondary Password field, type PUSH, a passcode that you generate, PHONE, or SMS. Here is how each option works:
- Type Push and click Connect. Accept the Push notification on your smartphone or tablet. Note that you must have the Duo Mobile app installed on your smartphone or tablet (if you haven't already installed the app, you can download it from your device's app store).
- Generate a passcode by tapping the key icon within the Duo Mobile app on your smartphone or tablet or by using your hardware token. Enter the passcode into the Secondary Password field and click Connect.
- Type phone in the Secondary Password field and click Connect. This calls the default phone number you registered for multifactor authentication. Answer the call and press 1.
- Type sms in the Secondary Password field and click Connect. Your authentication attempt fails, but you receive a passcode on your registered device. Enter that passcode into the Secondary Password field on the Pulse window with the "Credentials were invalid" message and click Connect again.
Note: You can also add a number to the end of these factor names if you have more than one device registered. For example, PUSH2 sends a login request to your second phone, PHONE3 calls your third phone, and so forth.
- Your connection is established.
Using Multifactor Authentication with the IPSec Client
These instructions assume you are already using the IPSec client on your computer.
Windows
- Double click the Cisco IPSec Client on your desktop.
- Select the VPN configuration from the Connection Entry list. The VPN connection entry list window displays.
- Click the IPSec connection that you use under the Connection Entry column.
- Click the Connect button.
- Enter your University Computing Account username in the Username field.
- In the password field, you have several options to authenticate with multifactor authentication:
- Type your password only. This uses the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password automatically sends a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process.
- If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This automatically calls your registered device. Press 1 on your dialpad to authenticate.
- If you want to authenticate with a passcode, generate a passcode within the Duo mobile app, then type your password followed by Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
- If you want to receive a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt fails and you receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.
- Click the OK button.
- A VPN icon displays in your menu bar once the connection is established.
- Start the application that requires a secure connection, such as a database client or web application.
Mac
- Click the VPN icon in the menu bar. Select Connect PittNet VPN, where PittNet VPN is the name of the IPSec connection that you use.
- Enter your University Computing Account username.
- In the password field, you have several options to authenticate with multifactor authentication:
- Type your password only. This uses the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password automatically sends a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process.
- If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This automatically calls your registered device. Press 1 on your dialpad to authenticate.
- If you want to authenticate with a passcode, generate a passcode within the Duo mobile app, then type your password followed by Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
- If you want to receive a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt fails and you receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.
- Click the OK button.
- A VPN icon displays in your menu bar once the connection is established.
- Start the application that requires a secure connection, such as a database client or web application.
Linux
Configure the Virtual Private Network Connection
- Use yum or apt-get to install “vpnc”. With apt-get, type:
$ sudo apt-get install vpnc
- Edit the configuration file by typing:
$ sudo nano /etc/vpnc/pittvpn.conf
- Enter the following configuration settings:
IPSec gateway vpn.pitt.edu
IPSec ID <your department’s group name>
IPSec secret <your department’s pre-shared text key>
Xauth username <your University Computing Account username>
Establish a Secure Connection
Type the following command: $ sudo vpnc pittvpn
Enter Your Password with Duo Multifactor Authentication
A password prompt displays. You have several options to authenticate with multifactor authentication:
- Type your password only. This uses the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password automatically sends a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process.
- If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This automatically calls your registered device. Press 1 on your dialpad to authenticate.
- If you want to authenticate with a passcode, generate a passcode within the Duo mobile app, then type your password followed by Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
- If you want to receive a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt fails and you receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.
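The factor strings described above, for the Pulse Secure Secondary Password field (push, phone, sms or a passcode, with an optional device number such as PUSH2) and for the password,factor form used with the IPSec clients, can be parsed as shown here. This is an added example, not code from the University or from Duo; splitting at the last comma, the 6 to 8 digit passcode length, and the names parse_factor, split_appended and redact are assumptions made for illustration.

```python
"""Parse the Duo factor strings described on this page (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Factor keywords listed on the page. An optional trailing number selects the
# Nth registered device (PUSH2 = second phone, PHONE3 = third phone).
FACTOR_RE = re.compile(r"(push|phone|sms)([1-9][0-9]*)?", re.IGNORECASE)
# Assumption: a passcode is 6 to 8 digits. The page only shows six-digit codes.
PASSCODE_RE = re.compile(r"[0-9]{6,8}")


@dataclass(frozen=True)
class Factor:
    kind: str                      # "default", "push", "phone", "sms", "passcode"
    device: int = 1                # 1 = default registered device
    passcode: Optional[str] = None

    @property
    def needs_second_attempt(self) -> bool:
        # Per the page, "sms" makes the first attempt fail on purpose and
        # delivers a code that is entered on the next attempt.
        return self.kind == "sms"


def parse_factor(text: str) -> Optional[Factor]:
    """Interpret what is typed into the Pulse Secondary Password field."""
    match = FACTOR_RE.fullmatch(text)
    if match:
        return Factor(match.group(1).lower(), int(match.group(2) or 1))
    if PASSCODE_RE.fullmatch(text):
        return Factor("passcode", passcode=text)
    return None


def split_appended(field: str) -> Tuple[str, Factor]:
    """Split the IPSec 'password,factor' form into (password, Factor).

    Assumption: the split happens at the LAST comma, so a password that
    contains commas still works. If the text after the last comma is not a
    recognised factor, the whole field is the password and the user's default
    method applies. A password that itself ends in ",phone" or ",123456"
    cannot be told apart from an appended factor.
    """
    head, sep, tail = field.rpartition(",")
    factor = parse_factor(tail) if sep else None
    if factor is None:
        return field, Factor("default")
    return head, factor


def redact(field: str) -> str:
    """Return a form that is safe to log: no password, no passcode."""
    _, factor = split_appended(field)
    if factor.kind == "default":
        return "<password>"
    if factor.kind == "passcode":
        return "<password>,<passcode>"
    suffix = "" if factor.device == 1 else str(factor.device)
    return f"<password>,{factor.kind}{suffix}"


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    samples = ["hunter2", "hunter2,phone", "hunter2,sms",
               "hunter2,123456", "pa,ss,PUSH2", "pa,ss"]
    for sample in samples:
        _, factor = split_appended(sample)
        print(f"{redact(sample):28} kind={factor.kind:9} "
              f"device={factor.device} retry={factor.needs_second_attempt}")
```

Because the password and the factor travel in one field, anything that records that field (shell history, debug logs, help desk tickets) should store only the redacted form.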
What Happens If I Become Locked Out?
If you have made five consecutive unsuccessful login attempts, the window below will display indicating that you are locked out. The lockout is a security feature designed to protect you and your account against unauthorized login attempts. If you see the lockout window below, you have two options:
1. Wait 15 minutes for the lockout to expire and then log in again as you normally would with multifactor authentication.
2. Call the 24/7 IT Help Desk at 412-624-HELP (4357). The Help Desk will ask you to verify your identity over the phone and can unlock your account.
Frequently Asked Questions
Multifactor FAQ
What is multifactor authentication?
Multifactor authentication is an additional layer of security designed to prevent unauthorized access to your information and University data, including confidential retirement account details, pay statements, or direct deposit information. It helps protect your privacy regardless of what type of device you use to access Pitt Passport services (for example, a desktop computer, laptop, tablet, or smartphone) and regardless of whether you access Pitt Passport services while connected to the University’s wired network, the University’s wireless network, or an external network. The University’s multifactor authentication solution provides several options for your second authentication factor, including options that enable you to use multifactor authentication when you are in an area without wireless access or cell phone service.
Will I need to use multifactor authentication to log in to the workstation in my office?
- No. Multifactor authentication is required only for services that leverage Pitt Passport, the University’s single sign-on service. You will not need to use multifactor authentication to log in to your workstation.
What do I do if I receive a push notification or phone call when I have not tried to log in to a service?
- You should deny the request and report it to the 24/7 IT Help Desk at 412-624-HELP (4357). Someone may have compromised your password and may be trying to use it to log in to services.
Should I register more than one smartphone, cell phone, tablet, or landline?
- Yes. It is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in the case of a lost or stolen primary device, or if you have upgraded or purchased a new phone and have not registered it for multifactor authentication yet. If you forget or lose your primary device, you can still log in using your second (or third) device. There is no limit to the number of devices you can register. For instance, you might register your mobile phone as your primary device and your landline (office phone) as your secondary device.
I sometimes stop receiving push notifications on Duo Mobile. Why?
- You may have trouble receiving push requests if there are network issues between your phone and Duo’s service. Many phones have trouble determining whether to use the Wi-Fi or cellular data channel when checking for push requests. If you experience issues receiving a Push request, try one of these steps to resolve it:
- Turn your phone to airplane mode and back to normal operating mode again. This will often resolve the issue if there is a reliable internet connection available.
- Turn off the Wi-Fi connection on your device and try using the cellular data connection.
- Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
- If these suggestions do not resolve the issue, please contact the 24/7 IT Help Desk at 412-624-HELP (4357) for assistance. If you need to authenticate in the meantime, you can open the Duo Mobile app and tap the key icon to generate a passcode. Log in to a Pitt Passport service, select Enter a Passcode when you are prompted to use multifactor authentication, and enter the passcode you generated.
What if I am in a location that does not have cell phone service or Wi-Fi access? Can I still use multifactor authentication?
- Yes. If you have a smartphone, you can generate a passcode by opening the Duo app and tapping the key icon, even if you are in a location without cell phone service or wireless access. Cell phone service is required if you have a non-smartphone and want to use the SMS (text) or Call Me option to log in.
Once I log in to a Pitt Passport service with multifactor authentication, do I need to continue to use multifactor authentication every time I access another service that leverages Pitt Passport?
- No. As long as you leave a web browser open after you log in to a Pitt Passport service, you should only be prompted to use multifactor authentication once every 12 hours. However, if you close your browser session (or if you access a Pitt Passport service from a different browser or different device), you will be prompted to use multifactor authentication again.
What University services leverage Pitt Passport and therefore require multifactor authentication?
- A growing number of University services are taking advantage of the security provided by the University’s single sign-on service, Pitt Passport. The list of enterprise services that use Pitt Passport includes, but is not limited to: My Pitt, Office 365 (including Exchange), Learning Management System (Canvas), Lecture Capture (Panopto), the Student Information System (PeopleSoft), Pitt Worx, PRISM, Cloud Storage (Box and OneDrive), EZ Proxy, Pitt CX Mobile, the Account Management site (accounts.pitt.edu), PittPAY, Career Development, Enterprise Lab Notebooks (LabArchives), Pitt eSignature (DocuSign), AskCathy Service Discovery, Collegiate Link, Talent Center, TIAA-CREF, On-Demand Training (LinkedIn Learning), Parchment, Document Management (Perceptive Content / ImageNow), Suitable, Microsoft Azure Dev Tools for Teaching (formerly Imagine), PittServes Volunteer Portal, MyHealth OnLine, Tableau, Faculty Information System (Elements), the Pitt App Store, and Gartner.
What do I do if I don’t have my device with me and need to log in?
- You should always register more than one device. If you do not have either device with you and you need to log in, call the 24/7 IT Help Desk at 412-624-HELP (4357) for assistance.
I got a new phone. What do I need to do to enable it for multifactor authentication?
- If you get a new phone and you keep the same phone number, you will need to re-activate Duo Mobile on that phone (see "Replace a Registered Device with a New Device" above). If you get a new phone with a different number, you will need to add it as a new device (see "Register an Additional Device" above for instructions). You should remove the previous device if you are no longer using it (see "Remove a Device You Have Registered" for instructions).
I lost my phone. What should I do?
- If you have registered a second device, you should log in with that device and remove the device you have lost from your list of registered devices (see "Remove a Device You Have Registered" for instructions). *Remember: It is STRONGLY recommended to register more than one device or method: You will need to authenticate from your backup device/method in the case of a lost or stolen primary device, or if you have upgraded or purchased a new phone and have not registered it for multifactor authentication yet.
- In the event you have lost access to ALL of your Duo Multi-factor devices, please contact the Pitt IT Technology Help Desk. Our Help Desk analysts will assist you in removing the lost device and allow you to register a new one.
I do not have a smartphone or cell phone and I do not want to use my landline as my multifactor authentication device. What options are available to me?
- Options for registration other than mobile phone or landline are: tablet (iPad, Nexus 7, etc.), security key (YubiKey, Feitian, etc.), or touch ID. Follow the instructions in the Register an Additional Device section above. Remember to remove any unused methods for registration.
I work in a location with a shared landline (for example, a lab). What options are available to me?
- If you cannot register a smartphone or cell phone and you only have access to a shared landline, the best option is to register a tablet (iPad, Nexus 7, etc.), security key (YubiKey, Feitian, etc.), or touch ID. Follow the instructions in the Register an Additional Device section above. Remember to remove any unused methods for registration.
I am setting up multifactor authentication, but when I scan the barcode, I receive a message that reads "Activation Link Expired". What should I do?
- You will need to reactivate Duo Mobile on your device. To do so, log in to accounts.pitt.edu. You will need to use multifactor authentication on your second (backup) device to log in. If you do not have a second device registered for multifactor authentication, please call the 24/7 IT Help Desk at 412-624-HELP (4357) for assistance. When the multifactor authentication window displays, click My Settings & Devices in the left-hand column, choose your secondary device, and choose an authentication method. Once you have successfully logged in, click Device Options next to the device you want to reactivate, and click Reactivate Duo Mobile. Complete the steps in the activation wizard to reactivate your device.
Where can I find additional instructions and help documentation?
- Duo, the vendor for Pitt’s multifactor authentication service, has additional help documentation available on their website.