Duo Passwordless Public Preview

With Duo Passwordless, you no longer have to remember or type in long, complex passwords when you access applications. Instead, you can log in with a single gesture, like scanning your fingerprint. Duo Passwordless uses removable security keys and biometric authenticators built into computers, phones, and tablets to secure access to your applications without passwords.

About Duo Passwordless

Duo Passwordless works with applications that use Duo Single Sign-On (SSO). Instead of typing your password on the Duo SSO login page, you'll use your device to verify your identity.

If you change devices, access an application that doesn't use Duo Single Sign-On, or if the passwordless verification method isn't available when you are logging in to an application — such as if your forgot your registered security key or you've closed your laptop so you can't scan your fingerprint — then you will enter your password to log in to the application.

Supported Authenticators

Duo supports two types of passwordless authenticators:

  • Platform authenticators: These are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics.

    When you set up one of these methods, it's effective only for the system where you set it up. If you were to set up Windows Hello to log in to Duo Passwordless on one computer, then switch to a different Windows computer, Windows Hello on the second computer won't log you in to Duo. You will need to use your username and password to log in on that second computer, and complete Duo two-factor authentication to access the application, or to set up Windows Hello for passwordless on the new computer.

  • Roaming authenticators: These authentication devices are WebAuthn FIDO2 security keys with biometric or PIN verification, like those from Yubico or Feitian. They can move from one system you use to access services and applications protected by Duo to another, such as a USB security key you unplug from one laptop and plug into another.

Supported Browsers

Duo Passwordless supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), and Edge. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system.

Check the tables below for supported browser versions and Duo verification option compatibility. While other browsers may work with Duo Passwordless, Duo actively tests and supports the browser minimum versions listed in the tables.

Windows 10 and Later

Browser Minimum Supported Version Platform Authenticator Roaming Authenticator
(Security Keys)
Edge 79 Yes 1 Yes
Chrome 73 Yes 1 Yes
Firefox 66 Yes Yes

  1. Windows Hello not supported in Chrome Incognito or Edge InPrivate browsing sessions.

macOS 11 and Later

Browser Minimum Supported Version Platform Authenticator Roaming Authenticator
(Security Keys)
Safari 14 Yes 1 Yes
Chrome 70 Yes Yes
Firefox None No 2 No 3

  1. Duo supports Touch ID in Safari for passwordless login, but not for two-factor authentication.
  2. Firefox on macOS does not support Touch ID due to missing FIDO2 support.
  3. Firefox on macOS cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

iOS/iPadOS 14.5 and Later

Browser Minimum Supported Version Platform Authenticator Roaming Authenticator
(Security Keys)
Safari 14.5 Yes Yes
Chrome 95 Yes Yes
Edge 95 Yes Yes
Firefox 38 Yes Yes

Android 10 and Later

Browser Minimum Supported Version Platform Authenticator Roaming Authenticator
(Security Keys)
Chrome 95 Yes Yes 1
Firefox 68 Yes 2 No 3

  1. Chrome on Android 10 and 11 cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.
  2. Firefox on Android 10 and 11 does not support Android biometric enrollment.
  3. Firefox on Android cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

Set up Duo Passwordless

When you log into a Duo Single Sign-On (Duo SSO) application that supports passwordless authentication, you will log in with your username and password, and complete Duo two-factor authentication. See the Duo Single Sign-On guide for an example.

After that, you'll see the "Tired of passwords?" invitation to set up Duo Passwordless. Click or tap Continue to set up passwordless login.

If you don't want to set up passwordless login now, click or tap Skip for now. Duo will finish logging you into your application. Duo will ask again if you want to set up passwordless authentication during future logins.

Start Duo Passwordless Setup

The options you see offered during Duo Passwordless setup depend on whether your organization allows use of platform authenticators (Touch ID, Windows Hello, etc.), roaming authenticators (security keys), or both.

In this example, the organization allows both kinds of passwordless devices. The user is accessing the application with Chrome on a MacBook, so the choices are to set up Touch ID or a security key.

Multiple Passwordless Authenticator Options

In this example, the organization allows roaming authenticators but not platform authenticators, so the only option is to set up a security key.

Limited Passwordless Authenticator Options

Note that if your organization allows both types of authenticators but your access device doesn't have a supported platform authenticator you'll only see the security key option as well.

Set up Multiple Authenticator Types

If your organization allows both platform and roaming authenticators, you can set up both of them for your account (for example, if you want to be able to use either Windows Hello and a security key). However, Duo's self-service device management doesn't yet support registration of additional passwordless authenticators.

To set up both types of authenticators, you will need to go through the process of logging in with your password and setting up the authenticator twice — once for the platform authenticator and then once again for the security key. This is easiest if you first log in with your password and complete set up of your platform authenticator in a regular browser tab, and then open an incognito or private browser window and log in with your password again, this time completing set up of the security key.

Duo Passwordless Login options

Learn how to set up and log in with these Duo Passwordless identity verification methods.

Touch ID on a Mac

In order to use Touch ID on macOS with Duo Passwordless, make sure you have the following:

Set up Touch ID

  1. Log into the Duo SSO application with your password and complete Duo authentication.
  2. Click Continue to begin setting up passwordless login.
  3. Click the Touch ID option to begin adding it to Duo.
    Choose Touch ID Verification Method
  4. Read the Touch ID information and click Continue.
    Begin Touch ID Setup

  5. The browser prompts you to verify your identity on duosecurity.com when adding Touch ID (Chrome example shown).
    Chrome Touch ID Prompt
    You may be prompted to enter your system password instead of tapping Touch ID if you haven't added your fingerprint to Touch ID on your Mac yet, or if you have your laptop closed so you can't access the Touch ID button. You can also choose to enter your system password.
  6. Place your finger on the Touch ID button in the Touch Bar (or enter your system password) to complete Touch ID enrollment (Chrome example shown).
    Touch ID Bar on MacBook Pro
  7. When you receive confirmation that you added Touch ID as a verification method click Continue.
    Touch ID Added
  8. You've added Touch ID as your passwordless login method. Click Done.
    Passwordless Setup Complete

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Touch ID

The next time you log into this Duo SSO application from the Mac computer where you set up Touch ID for passwordless login, you'll enter your username and then — instead of entering your password — you can choose Touch ID to verify your identity.

Duo Passwordless Touch ID Login

Place your finger on the Touch ID button in the Touch Bar to complete logging in to the application, as you did when you set up Touch ID in Duo.

Chrome Touch ID Prompt

Successful Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Face ID or Touch ID on an iPhone or iPad

In order to use Face ID or Touch ID on an iPhone or iPad with Duo Passwordless, make sure you have the following:

  • An iPhone or iPad that supports Face ID or Touch ID.
  • Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.

Depending on the option your device supports, you'll either scan your face to use Face ID during setup and while logging in, or you'll scan your fingerprint instead to use Touch ID.

Set up Face ID/Touch ID

  1. Log into the Duo SSO application with your password and complete Duo authentication.
  2. Tap Continue to begin setting up passwordless login.
  3. Tap the Face ID/Touch ID option to begin adding it to Duo.
    Choose Face ID/Touch ID Verification Method
  4. Read the Face ID (or Touch ID) information and tap Continue.
    Start Duo Passwordless Setup

  5. Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
    Android Device Verification
  6. When you receive confirmation that you added Face ID as a verification method click Continue.
    Face ID/Touch ID Added
  7. You've added Face ID or Touch ID as your passwordless login method. Tap Done.
    Passwordless Setup Complete

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Face ID

The next time you log into this Duo SSO application from the iPhone or iPad where you set up Face ID/Touch ID for passwordless login, you'll enter your username and then instead of entering your password you can choose Face ID/Touch ID to verify your identity. Tap Log in.

Duo Passwordless Face ID Login

Follow your device's prompt to use Face ID or Touch ID, just like you did when you set up Face ID/Touch ID in Duo.

Android Device Verification

Successful Face ID/Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Windows Hello

In order to use Windows Hello with Duo Passwordless, make sure you have the following:

  • A device running Windows 10 or later.
  • Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
  • A supported browser: Chrome, Edge, or Firefox. Refer to the Duo Passwordless browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

Set up Windows Hello

  1. Log into the Duo SSO application with your password and complete Duo authentication.
  2. Click or tap Continue to begin setting up passwordless login.
  3. Click or tap the Windows Hello option to begin adding it to Duo.
    Choose Windows Hello Verification Method
  4. Read the Windows Hello information and click or tap Continue.
    Start Duo Passwordless Setup

  5. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera.
    Windows Hello Verification

  6. When you receive confirmation that you added Windows Hello as a verification method click or tap Continue.
    Windows Hello Added
  7. You've added Windows Hello as your passwordless login method. Tap Done.
    Passwordless Setup Complete

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Windows Hello

The next time you log into this Duo SSO application from the Windows system where you set up Windows Hello for passwordless login, you'll enter your username and then instead of entering your password you can choose Windows Hello to verify your identity. Click or tap Log in.

Duo Passwordless Face ID Login

Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition, just like you did when you set up Windows Hello in Duo.

Successful Windows Hello verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Android Biometrics

In order to use Android Biometrics with Duo Passwordless, make sure you have the following:

Set up Android Biometrics

  1. Log into the Duo SSO application with your password and complete Duo authentication.
  2. Tap Continue to begin setting up passwordless login.
  3. Tap the Device verification option to begin adding it to Duo.
    Choose Device Verification Method
  4. Read the device verification information and click or tap Continue.
    Start Duo Passwordless Setup

  5. Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.
    Android Device Verification

  6. When you receive confirmation that you added your Android device as a verification method tap Continue.
    Android Device Added
  7. You've added Android biometric device verification as your passwordless login method. Tap Done.
    Passwordless Setup Complete

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Android Biometrics

The next time you log into this Duo SSO application from the Android device where you set up biometric device verification for passwordless login, you'll enter your username and then instead of entering your password you can choose device verification to verify your identity. Tap Log in.

Duo Passwordless Device Verification Login

Follow your device's prompt to scan your fingerprint or use facial recognition, just like you did when you set up your Android device in Duo.

Successful Android device verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Security Keys

A security key is an external device that sends a signed response when tapped or pressed back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

Duo considers security keys to be roaming authenticators, meaning you can register your security key for passwordless on one computer, and then connect it to a different computer to use it for passwordless login for the same account. You could set up Duo Passwordless with a USB security key on your MacBook, and then plug that same USB security key into a Windows computer to log in to a Duo SSO application without typing your password.

To use a security key with Duo Passwordless, make sure you have the following:

  • A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options.
  • The security key must be a biometric key (i.e. a fingerprint reader), or must be configured with a PIN for FIDO2 use. Refer to your security key vendor's support information to learn how to configure a PIN for your security key, for example, this article from Yubico describes how to use and set PINs for YubiKey security keys.
  • A supported browser: Chrome, Safari, Firefox (excluding macOS), or Edge. Refer to the Duo Passwordless browser support table.

Set up Security Keys

Make sure that your security key's PIN or biometric verification works before trying to set it up in Duo. If your security key doesn't meet the requirements, you will need to close your browser tab or window to exit the setup process and start your login attempt again.

  1. Connect your FIDO2 security key to the device you'll use to log into a Duo SSO application.
  2. Log into the Duo SSO application with your password and complete Duo authentication.
  3. Click or tap Continue to begin setting up passwordless login.
  4. Click or tap the Security key option to begin adding it to Duo. You'll only see this option offered if your Duo administrator allows use of roaming passwordless authenticators.
    Start Duo Passwordless Setup
  5. Read the security key information and click Continue.
    Start Duo Passwordless Setup

  6. Enter your security key's PIN or perform biometric verification when prompted (Chrome example shown).
    Chrome Security Key Confirmation
  7. Tap the security key to complete verification (Chrome example shown).
    Chrome Security Key Confirmation
  8. When you receive confirmation that you added your security key as a verification method click or tap Continue.
    Security Key Added
  9. You've added a security key as your passwordless login method. Click Done.
    Passwordless Setup Complete

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Security Keys

The next time you log into this Duo SSO application — from the device where you set up your security key or another device where you connected that same security key — you'll enter your username and then instead of entering your password you can choose Security Keys to verify your identity.

Duo Passwordless Security Keys Login

Enter your security key's PIN or let the security key scan your fingerprint, just like you did when you set up Security Keys in Duo (Windows Edge example shown).

Windows Security Keys Prompt

Then, when prompted, tap the security key again to complete your passwordless login (Windows Edge example shown).

Windows Security Keys Prompt

Successful security key verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Log in From a Different Device or Browser

If you set up a platform authenticator for passwordless logins (like Touch ID or Windows Hello), that verification method is associated with that device. If you switch to a different access device, you will need to log in with your password. After completing Duo two-factor authentication on the second device, you can set up the platform authenticator on that new device for Duo Passwordless logins.

In some situations Duo Passwordless may think you are logging in from a different device when you use a different browser on the system where you already registered a platform authenticator (like if you set up Windows Hello from the Edge browser, but then switch to Firefox on the same computer). If this happens, Duo asks you if this is a new device (or new browser).

Duo Passwordless New Device with Platform Authenticator

If you are accessing the application from a new device, click or tap the Log in with a password button. Enter your SSO password and then you can set up passwordless login on the new device.

If you aren't accessing the application from a new device, click or tap the link to try your existing platform authenticator, such as Try Touch ID or Try Windows Hello. Follow the prompts to verify your identity with your previously registered platform authenticator, and Duo logs you into the application without a password.

Access Device Software Checks

Your Duo administrator may choose to warn you when your software is out of date, require software updates before allowing access, or even block access from devices that don't meet your organization's requirements.

Outdated Software

If the browser or operating system on the device you use to log into applications with Duo Passwordless fails your organization's health check, you'll see a notification prompting you to update your software.

Duo Outdated Browser Warning Notification

Click or tap See how to update for update instructions.

Duo Outdated Browser Update Information

If your organization's policy allows you to access the application without updating your software, you can click or tap Skip for now to continue without updating.

If your organization requires up-to-date software to access applications, you won't see an option to skip past the notification and must update your browser or operating system. When your software is up to date you can try logging into the application again.

Duo Outdated Operating System Blocked Notification

Blocked Software

If you try to access an application using an operating system or browser that your organization has blocked, you'll see a notification informing you that it isn't allowed.

Duo Software Blocked Notification

Click or tap See what is allowed for more details about which operating systems or browsers you may or may not use to access the application.

Duo Software Blocked Details