Duo Universal Prompt

Introducing Duo's refreshed authentication experience, the Universal Prompt.

Is your organization still using the traditional Duo Prompt? See the traditional Duo Prompt guide for more information and instructions.

Researching Duo for your organization? Learn about Duo's multi-factor authentication (MFA) solutions.

About the Duo Universal Prompt

When you log into an application protected with Duo using a web browser or certain client applications, you see a Duo prompt after entering your application login information.

The Universal Prompt provides a simplified Duo experience over the traditional prompt, helping you log in to your applications faster than before.

You'll notice that the Duo login options look different from how they did in the traditional prompt, but the Universal Prompt still supports a wide range of Duo login options so you (or your Duo administrator) can choose the options that work best for your organization.

Another difference between the Universal Prompt and the traditional prompt is that the traditional prompt loads on a web page that's part of your organization's application, while with the Universal Prompt your browser redirects to a page hosted by Duo for you to verify your login attempt, and then redirects back to the application.

Here's a comparison of logging in with Duo Push in the Universal Prompt and traditional prompt:

[Images: Duo Push in Universal Prompt; Duo Push in Traditional Prompt]

Supported Browsers

The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.

Check the table below for supported browser versions and Duo login option compatibility. Platform and roaming authenticators may require a different browser or a newer minimum browser version; please refer to WebAuthn Browser Support. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options.

Browser              Minimum Supported Version
Chrome               38
Safari               9
Firefox              47
Edge                 17
Internet Explorer    11

While other browsers may work with the Universal Prompt, Duo actively tests and supports the browsers and minimum versions listed in the table.

When you log in, Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.

WebAuthn Supported Browsers

Check the tables below for supported browser versions for platform authenticators (like Touch ID, Face ID, Windows Hello, or Android biometrics) and roaming authenticators (like security keys). While other browsers may work, Duo actively tests and supports the browser minimum versions listed in the tables.

Windows 10 and Later

Browser    Minimum Supported Version    Platform Authenticator    Roaming Authenticator (Security Keys)
Edge       79                           Yes (1)                   Yes
Chrome     73                           Yes (1)                   Yes
Firefox    66                           Yes                       Yes

  1. Windows Hello is not supported in Chrome Incognito or Edge InPrivate browsing sessions.

macOS 11 and Later

You must sign in with the same iCloud account and enable iCloud Keychain sync on all the Apple devices you plan to use with Duo and passkeys. See the iCloud documentation for instructions specific to your device types:

Browser    Minimum Supported Version    Platform Authenticator    Roaming Authenticator (Security Keys)
Safari     14                           Yes                       Yes
Chrome     70                           Yes                       Yes
Firefox    122                          Yes                       Yes (1)

  1. Firefox on macOS cannot prompt to create a security key's PIN. Security keys that already have a PIN set can be used to authenticate in Firefox.

iOS/iPadOS 14.5 and Later

You must sign in with the same iCloud account and enable iCloud Keychain sync on all the Apple devices you plan to use with Duo and passkeys. See the iCloud documentation for instructions specific to your device types:

Browser    Minimum Supported Version    Platform Authenticator    Roaming Authenticator (Security Keys)
Safari     14.5                         Yes                       Yes
Chrome     95                           Yes                       Yes
Edge       95                           Yes                       Yes
Firefox    38                           Yes                       Yes

Android 10 and Later

Browser    Minimum Supported Version    Platform Authenticator    Roaming Authenticator (Security Keys)
Chrome     95                           Yes                       Yes
Firefox    68                           Yes (1)                   No

  1. Firefox on Android 10 and 11 does not support Android biometric enrollment.

Linux

Linux has no supported platform authenticators.

Language Support

Your browser's language settings determine the language shown in the Universal Prompt, with no extra configuration necessary.

When the Universal Prompt displays English, Spanish, French, German, or Japanese, phone callback authentication will use the same language shown in the prompt.

Catalan, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, Hindi, Indonesian, Italian, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Swedish, Thai, Turkish, and Vietnamese languages will display in the Universal Prompt, but phone callback authentication will be in English.

Log In With the Duo Universal Prompt

After completing Duo enrollment (or if your Duo administrator already set you up to use Duo), you'll see the Duo prompt the next time you perform a browser-based login to a web service or application protected with Duo.

The first time you log in to an application with Duo using the Universal Prompt, Duo may choose one of your configured login options automatically, selecting the most-secure method from the ones you have available.

If your organization's Duo administrator turned off automatic authentication method selection, you'll choose one of your available methods to continue authentication. We recommend selecting the most-secure available option.

Duo authentication methods from most to least secure:

  1. Platform authenticators
  2. Roaming authenticators
  3. Verified Duo Push
  4. Duo Mobile push approval
  5. YubiKey passcodes
  6. Duo Mobile generated passcodes
  7. Hardware token passcodes
  8. SMS passcodes
  9. Phone call approval

Duo considers platform authenticators and roaming authenticators to be the most secure authentication methods, so if you have set up either of these methods and the application allows their use, you'll automatically be prompted to use your platform authenticator (like Touch ID) or roaming authenticator (like a security key) the first time you log into that application.

The next most secure Duo method is using Duo Mobile to approve push notifications. If you do not have a platform authenticator or roaming authenticator available, but you do have a phone or tablet with Duo Mobile activated, the Universal Prompt may automatically send you a Duo Push the first time you log in to that application. You may also have to enter a code into Duo Mobile to approve the push request if your organization requires it.

If you haven't set up Duo Mobile, then the Duo Universal Prompt may automatically select your next available option, following the most to least secure preference order.

If you don't want to use the method Duo automatically suggests for that application, cancel the Duo authentication in progress and click or tap Other options. Then, select the method you want from the list.

Completing Duo login sets the login option you used as the first choice for this application. Future Universal Prompt logins to that application from the same device and browser may automatically use that same method. If you cancel the authentication in progress and choose a different device, then the device you use becomes the first choice for that application.

There is no way to turn off automatic device selection yourself, or to explicitly configure a default authentication device. Contact your organization's Duo administrator or help desk to determine whether they can change your automatic device selection setting.

Your organization's Duo administrator may choose to block some authentication options for certain applications, requiring that you choose a different device. Since Duo remembers the last-used authentication device for each application you access, the Universal Prompt should always display the right default option for that application.
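
The selection behaviour described above can be modelled in a few lines. This is an added example, not Duo's code: the method identifiers, the PromptModel class, the browser and application names, and the fallback to the ranking when the remembered method is blocked are all assumptions made for illustration.

```python
# Added illustration: a model of the method selection this guide describes.
# It is NOT Duo's implementation; every identifier here is hypothetical.

# Ranking copied from the guide's "most to least secure" list.
SECURITY_ORDER = [
    "platform_authenticator",
    "roaming_authenticator",
    "verified_duo_push",
    "duo_push",
    "yubikey_passcode",
    "duo_mobile_passcode",
    "hardware_token_passcode",
    "sms_passcode",
    "phone_call",
]
RANK = {method: position for position, method in enumerate(SECURITY_ORDER)}


class PromptModel:
    """One user's enrolled methods plus the per-application policy applied to them."""

    def __init__(self, enrolled, blocked_by_app=None, auto_select=True):
        unknown = set(enrolled) - set(SECURITY_ORDER)
        if unknown:
            raise ValueError(f"unknown methods: {sorted(unknown)}")
        self.enrolled = set(enrolled)
        # Policy: application name -> methods the administrator blocks there.
        self.blocked_by_app = {a: set(m) for a, m in (blocked_by_app or {}).items()}
        self.auto_select = auto_select
        # Remembered first choice, keyed by (application, browser).
        self.last_used = {}

    def allowed_methods(self, app):
        """Enrolled methods not blocked for this app, most secure first."""
        blocked = self.blocked_by_app.get(app, set())
        return sorted(self.enrolled - blocked, key=RANK.__getitem__)

    def suggested_method(self, app, browser_id):
        """Method the prompt starts with, or None when the user must pick one."""
        allowed = self.allowed_methods(app)
        if not allowed or not self.auto_select:
            return None
        remembered = self.last_used.get((app, browser_id))
        if remembered in allowed:
            return remembered  # last method used for this app in this browser
        # Assumption: with nothing remembered, or the remembered method now
        # blocked, fall back to the most secure method still allowed.
        return allowed[0]

    def complete_login(self, app, browser_id, method):
        """Record a finished login; the method becomes the first choice."""
        if method not in self.allowed_methods(app):
            raise PermissionError(f"{method} is not available for {app}")
        self.last_used[(app, browser_id)] = method
        return method


def demo():
    """Walk one constructed user through the cases the guide describes."""
    user = PromptModel(
        enrolled={"roaming_authenticator", "duo_push", "sms_passcode"},
        blocked_by_app={"payroll": {"sms_passcode"}},
    )
    steps = []
    # First login: most secure enrolled method is suggested.
    steps.append(user.suggested_method("vpn", "laptop-chrome"))
    # User cancels, picks SMS from "Other options", and completes login.
    user.complete_login("vpn", "laptop-chrome", "sms_passcode")
    # Same app and browser: the weaker method is now the first choice.
    steps.append(user.suggested_method("vpn", "laptop-chrome"))
    # Different browser: nothing remembered, ranking applies again.
    steps.append(user.suggested_method("vpn", "phone-safari"))
    # Administrator blocks SMS for the app: the remembered choice is dropped.
    user.blocked_by_app["vpn"] = {"sms_passcode"}
    steps.append(user.suggested_method("vpn", "laptop-chrome"))
    return steps


if __name__ == "__main__":
    print(demo())
```

The second step of the walk-through shows why the guide recommends picking the most secure option: a weaker method chosen once stays the first choice for that application and browser until a policy blocks it.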

Authentication methods are shown in the following order when on a mobile device:

  1. Verified Duo Push
  2. Duo Mobile push approval
  3. Duo Mobile generated passcodes
  4. SMS passcodes
  5. Phone call approval
  6. Hardware token passcodes
  7. Platform authenticators
  8. Roaming authenticators
  9. YubiKey passcodes

Choose a Different Method

If you ever want to choose a different device or Duo method than the one chosen automatically by the Universal Prompt, or want to cancel an authentication in progress to select a different method, click Other options near the bottom. This takes you to a list of all your available Duo authentication options. Click on the one you want to use and follow the instructions shown to complete logging in to the application.

The Universal Prompt shows a drop-down filter near the top when you have seven or more devices. The filter choices show phones you have enrolled using the last four digits of your number, hardware tokens, and security keys. Use the filter to select the device you want to use for authentication, then choose from the available methods for that device to continue. Set the filter to show all your devices to choose platform authenticators and passkeys, like Touch ID or Windows Hello.

Your organization might apply a policy that prevents the use of some authentication methods for one or all applications. If so, those options won't show up in the list.

Remembered Devices

If your organization's policy allows it, you may be able to skip authenticating with Duo again for a set amount of time. The first time you approve the Duo authentication request, you'll see the option to remember your device.

Choose Yes, this is my device to create a trusted device session that will let you skip Duo two-factor authentication when you log in again with the same browser and device until that remembered device session expires.

Depending on the policy applied by your Duo administrator, this may remember your device across all your organization's Duo-protected applications, or there may be unique policies applied to applications that require you to perform Duo authentication again regardless of whether you remembered the device. Ask your Duo administrator or help desk for more information.

Do not trust the device when using a public or shared computer! This could leave your Duo session available to other users. Remember the device only when you access applications from your own computer.

Clicking on No, other people use this device will not create a trust session. You won't be asked to remember that device again for 14 days.

When your trusted browser session expires, you will need to use two-factor authentication again. Duo Push, phone call, text message, and passcode authentication methods will show the option to remember the device already enabled for you. Leaving the option enabled creates a new remembered device session.

If you don't want to remember the device anymore, uncheck the Remember me box before you approve the Duo Push or phone call request or enter a passcode.

If you log in automatically with a WebAuthn method like Touch ID, a passkey, or a security key, you won't see the Remember me option on the page. You will need to cancel the Duo authentication in progress if you don't want to remember that device anymore. This sends you back to the page where you can uncheck the Remember me box and then try to log in again.

Duo Universal Prompt Login Options

Availability of the following Duo login options in the Universal Prompt depends on your browser or browser version, or on the policies applied by your organization's Duo administrator.

Platform Authenticators

Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics.

Touch ID on Mac

In order to use Touch ID with Duo, make sure you have the following:

Touch your Mac's Touch ID sensor when prompted to log in to the application. If you aren't able to access the Touch ID sensor (such as when you close and dock your laptop), then you can choose to type in your Mac login password instead to verify.

If you need to cancel a Touch ID authentication in progress, click or tap the cancel option shown by your browser, outside of the Duo Universal Prompt.

Face ID or Touch ID on an iPhone or iPad

In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:

  • An iPhone or iPad that supports Face ID or Touch ID.
  • Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
  • iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

Depending on the option your device supports, you'll either scan your face to use Face ID while logging in, or you'll scan your fingerprint instead to use Touch ID.

Windows Hello

In order to use Windows Hello with Duo, make sure you have the following:

  • A device running Windows 10 or later.
  • Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
  • A supported browser: Chrome, Edge, or Firefox. Refer to the browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition to log into Duo.

Android Biometrics

In order to use Android Biometrics with Duo, make sure you have the following:

Follow your device's prompt to scan your fingerprint or use facial recognition to log into Duo.

Additional Passkey Registration

If you had to cancel authentication because your enrolled passkey isn't available on the access device you're using now, you may be presented with the option to try again or enroll another passkey.

The following example shows how to set up Touch ID on a Mac. These steps are the same for other platform authenticators such as Face ID/Touch ID on an iPhone or iPad, Windows Hello, or Android Biometrics.

  1. Click Set up Touch ID.
  2. Click Continue and follow the instructions to set up the new passkey (Touch ID on Mac, Face ID/Touch ID on an iPhone or iPad, Windows Hello, Android Biometrics).

Log in with the new passkey you have just added and access your Duo-protected application.

Roaming Authenticators

Roaming authenticators are WebAuthn FIDO2 security keys, like those from Yubico or Feitian. They can move from one system you use to access services and applications protected by Duo to another, such as a USB security key you unplug from one laptop and plug into another.

Security Key

A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to verify your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

In order to use a security key with Duo, make sure you have the following:

  • A supported browser (check the table above to verify your browser supports security keys).
  • An available USB port.
  • A WebAuthn/FIDO2 security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the YubiKey NEO-n) are not supported.
    • If your organization requires user verification of your security key with a PIN or biometric then your security key must support FIDO2.

Insert your security key if not already plugged in, and then tap or press your security key when prompted to log in to the application. Some types of keys flash as a prompt for you to authenticate. Your browser may also pop up a prompt instructing you to tap your security key.

You need to interact with the prompt to use a security key from the Safari browser on macOS or any browser on iOS. Click or tap the Use security key button and then tap or press your security key.

If your organization requires user verification you'll need to enter your PIN or scan your biometric as well (Chrome example shown).

[Image: Security Key Prompt with PIN User Verification]

If you need to cancel a security key authentication in progress, click or tap the cancel option shown by your browser, outside of the Duo Universal Prompt.

YubiKey Passcode

Log in using a passcode generated by a YubiKey. Connect or plug in your YubiKey and press it to generate and submit a passcode to log in to the application.

Your administrator must have configured the YubiKey for passcode use in Duo. This is a separate function from using a YubiKey as a security key.

Duo Push

Pushes a login request to your iOS or Android phone or tablet if you have Duo Mobile installed and activated. Review the request on your phone or tablet and tap Approve to log in to the application.

Verified Duo Push

Your organization may wish for you to enter a verification code shown within the Duo Universal Prompt into Duo Mobile when you approve a Duo Push request. This protects you from approving login requests not made by you and helps keep your accounts and information safe.

If your organization requires Duo Push verification, Duo Universal Prompt displays a numeric code three to six digits in length on-screen when you choose to use Duo Push to log in to that application.

Enter the code shown on your screen into the Duo Push request received on your Android or iOS device. Android users only: tap Verify to finish approving the login request.

If your installed Duo Mobile version does not support verification then you will receive a Duo Push request without the code entry field. If you try to approve then the login fails and you'll see a message instructing you to update your software. Use a different allowed authentication method or contact your help desk.

Duo Mobile Passcode

Log in using a passcode generated by the Duo Mobile app installed and activated on your Android or iOS device. Open Duo Mobile and locate your organization's account in the accounts list, and tap it to generate a six-digit passcode. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Text Message Passcode

Log in using a passcode received from Duo in a text message. When you land on the text message page, it will show that a text message was just sent to you with a passcode. When you receive the message, enter that passcode into the space provided and click or tap Verify to log in to the application. When authenticating from a mobile device in the United States and Canada, your browser may automatically enter the passcode for you.

If you did not receive the text message from Duo, use the Send a new passcode link to try sending it again.

Passcodes received in a text message expire when used.

Phone Call

Authenticate via phone callback. Answer the phone call from Duo and follow the voice instructions to log in to the application.

Hardware Token Passcode

Log in using a passcode generated by a hardware token provided to you by your organization. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Bypass Code

Log in using a code provided by your organization's Duo administrator or help desk. Enter that code into the space provided and click or tap Verify to log in to the application.

First-time Enrollment in Duo

Enrollment is the process that registers you as a user in Duo with a device capable of performing two-factor authentication. Duo prompts you to enroll the first time you log into a protected VPN or web application when using a browser or client application that shows the interactive Duo web-based prompt. Follow the on-screen prompts to set up your Duo authentication device.

Instead of enrolling when you log in to an application, you might receive an email from your organization's Duo administrator with an enrollment link. This emailed link takes you directly to the Duo enrollment portal. You'll see either the Universal Prompt experience shown on this page or enrollment in the traditional Duo prompt depending on your organization's email enrollment configuration.

Step One: Introduction

Logging into a Duo-protected application enabled for self-enrollment takes you to the device management page to enroll. Click Next to learn why protecting your identity with two-step verification is important and begin the setup process.

Step Two: Choose Your Verification Method

Choose the device type in the list that matches your desired authentication experience:

  • Touch ID: Use the fingerprint sensor on Apple MacBooks, Magic Keyboards, or iPhone.
  • Face ID: Use the face scanning feature on iPhone.
  • Windows Hello: Use your Windows Hello PIN, scan your fingerprint, or use facial recognition on Windows devices.
  • Device verification: Use Android Biometrics on Android devices.
  • Duo Mobile: Approve Duo Push verification requests on iOS or Android devices, or generate a one-time passcode from the Duo Mobile app.
  • Security key: Tap a WebAuthn/FIDO2 security key. Requires Chrome, Safari, Firefox, or Edge.
  • Phone number: Receive a one-time passcode in an SMS message or approve a login attempt with a phone call from Duo.

Only your organization's Duo administrator or help desk can add hardware tokens and YubiKey OTP tokens for you. These verification options do not show up in the list of available options. Neither do any methods that your organization blocks from use; if your Duo administrator applied a policy that doesn't allow authentication with text messages or phone calls, the "Phone number" option will be missing when you enroll.

Duo recommends the most secure option of the methods available to you, so it's a good idea to set up that method first if you have a device that supports it.

This is an example of the options on a MacBook with Touch ID available:

[Image: Select Identity Verification method]

Step Three: Add Your Chosen Method

Once you choose how to verify your identity, you will next complete the setup steps for that method.

Touch ID on Mac

In order to use Touch ID with Duo, make sure you have the following:

  1. Read the Touch ID information and click Continue.
  2. Chrome prompts you to verify your identity on duosecurity.com.
  3. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.
  4. When you receive confirmation that you added Touch ID as a verification method, tap Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your Touch ID fingerprint sensor.

If your organization has enabled Duo Passwordless for Duo Single Sign-On applications then you'll automatically be able to use Touch ID for passwordless authentication after the first time you complete two-factor authentication with Touch ID during Duo Single Sign-On login. If you completed your Duo enrollment while logging in to Duo Single Sign-On then you will be able to log in without a password the next time you access the application.

If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo. To do this, your organization must have enabled self-service device management.

Windows Hello

  1. Read the Windows Hello information and click or tap Continue.
  2. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera.
  3. When you receive confirmation that you added Windows Hello as a verification method click or tap Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Windows Hello.

If your organization has enabled Duo Passwordless for Duo Single Sign-On applications then you'll automatically be able to use Windows Hello for passwordless authentication after the first time you complete two-factor authentication with Windows Hello during Duo Single Sign-On login. If you completed your Duo enrollment while logging in to Duo Single Sign-On then you will be able to log in without a password the next time you access the application.

Face ID/Touch ID on iPhone or iPad

In order to use Face ID or Touch ID on an iPhone or iPad with Duo, make sure you have the following:

  • An iPhone or iPad that supports Face ID or Touch ID.
  • Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.
  • iCloud Keychain sync enabled on all the Apple devices you will use with Duo and the passkey you will create during setup.

  1. Read the Face ID (or Touch ID) information and tap Continue.
  2. Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
  3. When you receive confirmation that you added Face ID as a verification method click Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Face ID or Touch ID on an iPhone or iPad.

If your organization has enabled Duo Passwordless for Duo Single Sign-On applications then you'll automatically be able to use Face ID or Touch ID for passwordless authentication after the first time you complete two-factor authentication with Face ID or Touch ID during Duo Single Sign-On login. If you completed your Duo enrollment while logging in to Duo Single Sign-On then you will be able to log in without a password the next time you access the application.

Android Biometrics

  1. Read the device verification information and click or tap Continue.
  2. Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.
  3. When you receive confirmation that you added your Android device as a verification method tap Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using Android biometrics.

If your organization has enabled Duo Passwordless for Duo Single Sign-On applications then you'll automatically be able to use Android biometrics for passwordless authentication after the first time you complete two-factor authentication with Android biometrics during Duo Single Sign-On login. If you completed your Duo enrollment while logging in to Duo Single Sign-On then you will be able to log in without a password the next time you access the application.

Duo Mobile

Duo Mobile is an app that runs on iOS and Android phones and tablets. It's fast and easy to use, and doesn't require cell service. Duo pushes login requests to Duo Mobile when you have mobile data or Wi-Fi connectivity to the internet. When you have no data service, you can generate passcodes with Duo Mobile for logging in to applications.

The current version of Duo Mobile supports iOS 13.0 or greater and Android 8 or greater.

  1. Select your country from the drop-down list and type your mobile phone number, and then click Add phone number.
    If you're going to use Duo Mobile on a tablet (like an iPad) with no phone service, don't enter a phone number and click I have a tablet instead.
  2. If you entered a phone number, double-check that you entered it correctly and click Yes, it's correct to continue (or No, I need to change it to go back and enter the number again).
    If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
  3. Download and install Duo Mobile on your phone or tablet from the Google Play Store or Apple App Store. Once you have Duo Mobile installed click Next.
  4. Open the Duo Mobile app on your phone or tablet and add this account by scanning the QR code shown on-screen.
    If you aren't able to scan the QR code, tap Get an activation link instead and then enter your email address to send the activation link to yourself. Follow the instructions in the email to activate the new account in Duo Mobile.
  5. When you receive confirmation that Duo Mobile was added click Continue.

You can now log in to Duo-protected applications with Duo Push or with a Duo Mobile passcode.

If your organization has enabled Duo Passwordless for Duo Single Sign-On applications then you'll automatically be able to use Duo Push for passwordless authentication after the first time you complete two-factor authentication with Duo Push during Duo Single Sign-On login. If you completed your Duo enrollment while logging in to Duo Single Sign-On then you will be able to log in without a password the next time you access the application.

Security Key

A security key is an external device that, when tapped or when its button is pressed, sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

To use a security key with Duo, make sure you have the following:

  1. Read the security key information and click Continue.
  2. Follow the browser prompts to complete enrollment of your security key, allowing Duo to access information about your security key during setup (Windows example using Edge shown).
    [Image: Windows Security Key Prompt]
  3. If your organization requires user verification and you have not already configured a PIN or biometric for your security key you will need to do that now (Chrome example shown). If you already set your PIN or configured biometrics for your security key then you'll need to enter your PIN or scan your biometric to complete setup.
    [Image: Browser Prompt to set Security Key PIN]
  4. When you receive confirmation that you added your security key as a verification method click Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your security key.

Phone for Call or Text

This option is suitable for mobile phones that can't run Duo Mobile, or office phones and landlines.

  1. Select your country from the drop-down list and type your phone number, and then click Add phone number.
    Enter Phone Number
    If this phone number is a landline and can't receive text messages, select the This is a landline phone option before continuing.
  2. If you opted to add a landline, you can enter the landline's extension on the next screen and click Add extension or click Skip this step if you do not need to enter an extension for your landline.
    Enter Landline Extension
  3. Verify that the phone number shown (and landline extension, if you entered one) is accurate and click Yes, it's correct to continue (or No, I need to change it to go back and enter the number again).
    Confirm Phone Number
    If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
    Verify Ownership of Shared Phone
  4. When you receive confirmation of adding the new mobile phone number for texts or calls, click Continue to login to log in to the application with a passcode received via text message or a phone call from Duo.
    Duo Phone Number Enroll Success
    If you added a landline phone number, click Continue to log in to the application with a phone call from Duo.
    Duo Phone Number Enroll Success

Step Four: Add a Backup Method

It's a good idea to add a second verification method that you can use as a backup if the first method you added isn't available to you at some point, like if you lose or forget your phone and need to log in with Duo, or if you want to access an application from a different MacBook than the one you used to set up Touch ID in Duo.

When you click Continue after registering your first verification method, Duo prompts you to add another one.

Add Another Duo Verification Method

Choose any of the available methods and proceed through the steps for adding it. If you don't want to add another method at this time, click Skip for now.

After you add a second login verification method, or if you chose to skip it, you'll arrive at the end of the Duo setup process. Click Log in with Duo to log in to the application using the Duo method you just added.

Universal Prompt Device Setup Complete

Add or Manage Devices After Enrollment

If enabled by your administrator, you can add additional verification methods, manage your existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt.

When logging in to an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. If your organization enabled self-service device management then you'll see a Manage devices choice at the end of the list. Click that to enter the device management portal.

Manage Devices Option

To access device management, you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity. If you're visiting device management to delete or update a device you don't have anymore (such as a phone you lost or replaced), be sure to pick a verification option that you still have with you. If you don't have any devices you can use to authenticate to device management, contact your organization's Duo administrator or help desk.

Verification for Device Management

After approving a Duo authentication request, you can see all your registered devices in the device management portal.

Device Management Portal

Add Another Device

To add a new method of verifying your identity in Duo, click Add a device and select one of the verification options.

Add a New Device

Duo takes you through the steps of adding the new device, just like first-time enrollment. The difference between adding a new device from device management and during first-time enrollment is that when you have finished enrolling the new device you return to the device management page to view all your registered devices, including the new one, instead of continuing to log into an application.

Newly Added Device in Device Management Portal

When you access device management during login to a Duo Single Sign-On application or from Duo Central and use it to add platform authenticators, like Touch ID or Windows Hello, then you'll be able to use that authentication method to log in to Duo Single Sign-On applications without a password if your organization has enabled Duo Passwordless.

Rename or Remove a Device

Click Edit and then Rename to give a device a new name to help you identify it. This new name shows up in the verification method list and on the authentication page when you log in with Duo to make it easier for you to identify which device you're using.

Rename a Device

To delete a device, click Edit and then Remove. You'll be able to confirm that you want to remove this device before deleting it. Once deleted, a verification device can't be restored, but if you still have the device available you can add it again. You can't delete your only identity verification device.

Confirm Device Deletion

Reactivate Duo Mobile for an Existing Device

If you have replaced the phone you activated for Duo Push, or if Duo Push stops working, you can get Duo Push working again without contacting your help desk. If your organization has self-service enabled, you'll see the I got a new phone link in the Universal Prompt when a Duo Push authentication times out. Click or tap that link to begin the reactivation process.

Begin Duo Push Reactivation

If you still use the same phone number as you did when you first set up the phone to use Duo Push, then click or tap the Text me a link button. When the text message with the link arrives on your phone, tap it to automatically reactivate Duo Mobile on your phone to use Duo Push again. If you don't have Duo Mobile installed be sure to install it before you try to open the activation link in the text message.

If you are using a different phone number than the one you first set up to use Duo Push then tap or click the I got a new number link.

Send Text Reactivation Link to your Phone

If you have a new phone number then you can't send yourself a text message with a Duo Push reactivation link. Click or tap Continue to proceed to the Duo self-service device management portal, where you can complete the steps to add your new phone number and set up Duo Push on the new phone so you can use it to log in with Duo.

You'll still need to verify your identity with a different Duo verification method, so if you don't have one available you will need to contact your organization's help desk or Duo administrator for assistance.

Continue to Device Management

You can also reactivate Duo Mobile for use with Duo Push on a new phone from the device portal if it uses the same phone number as when you set up the original phone in Duo.

  1. Locate the existing phone in the device management portal and click the I have a new phone link.
  2. Click Get started if your phone uses the same phone number as before. If you want to add a new phone with a different number, cancel reactivation and follow the process for adding a new device instead.
    Start Duo Mobile Reactivation
  3. Verify that you have access to the phone by clicking Send me a passcode or Or call my phone to receive a passcode from Duo.
    Confirm Phone Ownership
  4. Enter the verification passcode you received in a text message or phone call and click Verify.
    Verify Phone Ownership with a Passcode
  5. Install the Duo Mobile app on your new phone if you haven't already done so, then open it and tap Add to scan the QR code shown on-screen, continuing the same steps you completed when you originally set up Duo Mobile for Duo Push on your phone.
    Scan QR Code in Duo Mobile
  6. Click Continue when you've finished reactivating Duo Mobile on your new phone to return to the device management portal.

If your existing phone stops receiving Duo Push requests, your Duo administrator or help desk might suggest that you try reactivating Duo Mobile on your phone with this process as a troubleshooting step.

Device Notifications

Your organization may have enabled notifications when you add or remove a device in Duo. You could receive an email notification, a notification pushed directly to the device where you activated Duo Mobile, or both.

Device Notification via email

Device Notification from Duo Mobile

To confirm that you did add or remove a device, click or tap Yes, this was me in the Duo Mobile notification.

If you didn't add or remove a device, click or tap No, this wasn't me in the email message or Duo Mobile notification to let your Duo administrator know.

If you click or tap No, this wasn't me, your Duo administrator will receive an email reporting that there was fraudulent activity on your Duo account.

Device Notification via email reporting fraud

Software Updates

The Universal Prompt includes software update checks.

Duo Out-of-Date Software Warning from Duo Universal Prompt

Refer to the Duo Software Update page to learn about software notifications shown by Duo and how to update your software.

Duo Desktop

Duo Desktop is an application installed on your desktop or laptop that performs health checks whenever you access Duo-protected applications through the Universal Prompt, ensuring that your computer meets the organization's security requirements. This helps protect corporate data and makes your computer less vulnerable to compromise.

Duo Desktop Check from Duo Universal Prompt

Refer to the Duo Desktop page to learn how to install Duo Desktop and address issues discovered by the app.

Personal Devices

Your organization may choose to block access to applications from devices not managed by the organization. If this policy is enforced then you won't be able to complete Duo authentication from your personal device. Duo Mobile device verifications will still fall back to the traditional Duo Prompt.

Blocked Personal Device Notification in the Universal Prompt

How to Get Help

If you can't authenticate or aren't sure what to do, contact your organization's Duo administrator or help desk for guidance. Your administrator may have customized the help text with further instructions or contact information; click Need help? at the bottom-left of the Universal Prompt to see it. Please do not contact Duo Support directly, as Duo Support can only assist named Duo account administrators.