| Has your organization enabled the new Universal Prompt experience? See the Universal Prompt guide for more information and instructions. |  |
Use Apple Touch ID with the Traditional Duo Prompt
With Touch ID on macOS, you can have secure Duo login approvals resistant to phishing attacks combined with the one-touch convenience you're already used to with Duo Push.
Contents
Touch ID Requirements
Support for Touch ID authentication is limited to web applications that show Duo's inline browser prompt.
In order to use Touch ID with Duo, make sure you have the following:
- A MacBook Pro or MacBook Air with a Touch ID button.
- A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).
- Chrome 70 or later. While Duo Passwordless supports Touch ID in Safari, use of Touch ID for two-factor authentication in Safari and additional browsers on macOS is not available today.
You must use a normal Chrome browsing window for Touch ID enrollment or authentication. Duo can't use Touch ID in an Incognito window.
Additionally, your administrator must enable the use of Touch ID in Duo. Check with your organization's support team or help desk to verify that Touch ID is allowed if you are uncertain.
Video Overview of Touch ID and Duo
Learn how to enroll Touch ID in Duo and use it for authentication.
Enrolling Touch ID
You can enroll Touch ID during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add Touch ID as an additional authentication device from the device management portal.
If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to enroll each of them separately as a new Touch ID device in Duo.
Initial Enrollment with Touch ID
Access the Duo enrollment page via a link emailed by your administrator, or when you log in for the first time to a Duo protected resource. Select Touch ID from the list of devices and then click Continue.
Make sure that you're not blocking pop-up windows for the enrollment site before continuing with Touch ID.
When enrolling Touch ID, you'll be prompted to tap to enroll Touch ID. You may also be asked if you want to allow Duo to access information about Touch ID (click Allow if prompted).
The Touch ID enrollment window prompts you to tap the Touch ID button for approval.
Place your finger on the Touch ID button in the Touch Bar.
You'll see whether the Touch ID identification was successful or not.
Congratulations! You have enrolled Touch ID.
Adding Touch ID From the Duo Prompt
If you previously enrolled other devices in Duo, you can easily add Touch ID as an additional authenticator as long as your administrator has enabled Duo's self-service portal.
Navigate to your Duo-protected service and log in. At the Duo Prompt you'll see an Add a new device link on the left. Click it and approve the Duo login request using your already enrolled phone or other device.
Proceed with the Touch ID enrollment process as shown above in Initial Enrollment with Touch ID.
You've added Touch ID as an authentication device! It is listed with your other enrolled devices.
Authenticating with Touch ID
The next time you log on using Duo with Chrome, you can select Touch ID from the drop-down list of your authentication devices.
Once you select Touch ID from the list, click Use Touch ID.
Touch your Mac's Touch ID sensor when prompted to log in to the application. If you aren't able to access the Touch ID sensor (such as when you close and dock your laptop), then you can choose to type in your Mac login password instead to verify.