Which of the following is a two factor authentication that uses an enrolled device and Windows Hello?

With Duo Passwordless, you no longer have to remember or type in long, complex passwords when you access applications. Instead, you can log in with a single gesture, like scanning your fingerprint. Duo Passwordless uses removable security keys and biometric authenticators built into computers, phones, and tablets to secure access to your applications without passwords.

Contents

• About Duo Passwordless
• Supported Authenticators
• Supported Browsers
• Set up Duo Passwordless
• Set up Multiple Authenticator Types
• Duo Passwordless Login options
• Touch ID on a Mac
• Set up Touch ID
• Log in with Touch ID
• Face ID or Touch ID on an iPhone or iPad
• Set up Face ID/Touch ID
• Log in with Face ID/Touch ID
• Windows Hello
• Set up Windows Hello
• Log in with Windows Hello
• Android Biometrics
• Set up Android Biometrics
• Log in with Android Biometrics
• Security Keys
• Set up Security Keys
• Log in with Security Keys
• Log in From a Different Device or Browser
• Access Device Software Checks
• Outdated Software
• Blocked Software

About Duo Passwordless

Duo Passwordless works with applications that use Duo Single Sign-On (SSO). Instead of typing your password on the Duo SSO login page, you'll use your device to verify your identity.

If you change devices, access an application that doesn't use Duo Single Sign-On, or if the passwordless verification method isn't available when you are logging in to an application — such as if you forgot your registered security key or you've closed your laptop so you can't scan your fingerprint — then you will enter your password to log in to the application.

Supported Authenticators

Duo supports two types of passwordless authenticators:

• Platform authenticators: These are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics.

  When you set up one of these methods, it's effective only for the system where you set it up. If you were to set up Windows Hello to log in to Duo Passwordless on one computer, then switch to a different Windows computer, Windows Hello on the second computer won't log you in to Duo. You will need to use your username and password to log in on that second computer, and complete Duo two-factor authentication to access the application, or to set up Windows Hello for passwordless on the new computer.

• Roaming authenticators: These authentication devices are WebAuthn FIDO2 security keys with biometric or PIN verification, like those from Yubico or Feitian. They can move from one system you use to access services and applications protected by Duo to another, such as a USB security key you unplug from one laptop and plug into another.

Supported Browsers

Duo Passwordless supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), and Edge. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system.

Check the tables below for supported browser versions and Duo verification option compatibility. While other browsers may work with Duo Passwordless, Duo actively tests and supports the browser minimum versions listed in the tables.

Windows 10 and Later

1. Windows Hello is not supported in Chrome Incognito or Edge InPrivate browsing sessions.

macOS 11 and Later

1. Duo supports Touch ID in Safari for passwordless login, but not for two-factor authentication.
2. Firefox on macOS does not support Touch ID due to missing FIDO2 support.
3. Firefox on macOS cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

iOS/iPadOS 14.5 and Later

Android 10 and Later

1. Chrome on Android 10 and 11 cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.
2. Firefox on Android 10 and 11 does not support Android biometric enrollment.
3. Firefox on Android cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

Set up Duo Passwordless

When you log into a Duo Single Sign-On (Duo SSO) application that supports passwordless authentication, you will log in with your username and password, and complete Duo two-factor authentication. See the Duo Single Sign-On guide for an example.

After that, you'll see the "Tired of passwords?" invitation to set up Duo Passwordless. Click or tap Continue to set up passwordless login.

If you don't want to set up passwordless login now, click or tap Skip for now. Duo will finish logging you into your application. Duo will ask again if you want to set up passwordless authentication during future logins.

The options you see offered during Duo Passwordless setup depend on whether your organization allows use of platform authenticators (Touch ID, Windows Hello, etc.), roaming authenticators (security keys), or both.

In this example, the organization allows both kinds of passwordless devices. The user is accessing the application with Chrome on a MacBook, so the choices are to set up Touch ID or a security key.

In this example, the organization allows roaming authenticators but not platform authenticators, so the only option is to set up a security key.

Note that if your organization allows both types of authenticators but your access device doesn't have a supported platform authenticator you'll only see the security key option as well.

Set up Multiple Authenticator Types

If your organization allows both platform and roaming authenticators, you can set up both of them for your account (for example, if you want to be able to use either Windows Hello and a security key). However, Duo's self-service device management doesn't yet support registration of additional passwordless authenticators.

To set up both types of authenticators, you will need to go through the process of logging in with your password and setting up the authenticator twice — once for the platform authenticator and then once again for the security key. This is easiest if you first log in with your password and complete set up of your platform authenticator in a regular browser tab, and then open an incognito or private browser window and log in with your password again, this time completing set up of the security key.

Duo Passwordless Login options

Learn how to set up and log in with these Duo Passwordless identity verification methods.

• Touch ID on a Mac
• Face ID/Touch ID on an iPhone or iPad
• Windows Hello
• Android Biometrics
• Security Key

Touch ID on a Mac

In order to use Touch ID on macOS with Duo Passwordless, make sure you have the following:

• A Mac computer with a Touch ID button.
• A fingerprint enrolled in Touch ID (learn how to set up Touch ID on Mac at the Apple Support site).
• A recent version of Google Chrome or Safari. Other browsers on macOS are not supported.

Set up Touch ID

1. Log into the Duo SSO application with your password and complete Duo authentication.
2. Click Continue to begin setting up passwordless login.
3. Click the Touch ID option to begin adding it to Duo.
   
4. Read the Touch ID information and click Continue.
   
5. The browser prompts you to verify your identity on duosecurity.com when adding Touch ID (Chrome example shown).
   
   
   You may be prompted to enter your system password instead of tapping Touch ID if you haven't added your fingerprint to Touch ID on your Mac yet, or if you have your laptop closed so you can't access the Touch ID button. You can also choose to enter your system password.
6. Place your finger on the Touch ID button in the Touch Bar (or enter your system password) to complete Touch ID enrollment (Chrome example shown).
   
7. When you receive confirmation that you added Touch ID as a verification method click Continue.
   
8. You've added Touch ID as your passwordless login method. Click Done.
   

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Touch ID

The next time you log into this Duo SSO application from the Mac computer where you set up Touch ID for passwordless login, you'll enter your username and then — instead of entering your password — you can choose Touch ID to verify your identity.

Place your finger on the Touch ID button in the Touch Bar to complete logging in to the application, as you did when you set up Touch ID in Duo.

Successful Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Face ID or Touch ID on an iPhone or iPad

In order to use Face ID or Touch ID on an iPhone or iPad with Duo Passwordless, make sure you have the following:

• An iPhone or iPad that supports Face ID or Touch ID.
• Face ID or Touch ID already set up on the iPhone or iPad. Learn how to set up Face ID or set up Touch ID at the Apple Support site.

Depending on the option your device supports, you'll either scan your face to use Face ID during setup and while logging in, or you'll scan your fingerprint instead to use Touch ID.

Set up Face ID/Touch ID

1. Log into the Duo SSO application with your password and complete Duo authentication.
2. Tap Continue to begin setting up passwordless login.
3. Tap the Face ID/Touch ID option to begin adding it to Duo.
   
4. Read the Face ID (or Touch ID) information and tap Continue.
   
5. Follow your device's instructions for scanning your face to complete Face ID verification or scan your fingerprint for Touch ID verification.
   
6. When you receive confirmation that you added Face ID as a verification method click Continue.
   
7. You've added Face ID or Touch ID as your passwordless login method. Tap Done.
   

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Face ID

The next time you log into this Duo SSO application from the iPhone or iPad where you set up Face ID/Touch ID for passwordless login, you'll enter your username and then instead of entering your password you can choose Face ID/Touch ID to verify your identity. Tap Log in.

Follow your device's prompt to use Face ID or Touch ID, just like you did when you set up Face ID/Touch ID in Duo.

Successful Face ID/Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Windows Hello

In order to use Windows Hello with Duo Passwordless, make sure you have the following:

• A device running Windows 10 or later.
• Windows Hello set up on the device for signing in with a PIN, fingerprint, or facial recognition. Learn how to set up Windows Hello at the Microsoft support site.
• A supported browser: Chrome, Edge, or Firefox. Refer to the Duo Passwordless browser support table. Note that Chrome Incognito and Edge InPrivate browsing won't work with Windows Hello, but will work with Security Keys.

Set up Windows Hello Log into the Duo SSO application with your password and complete Duo authentication.Click or tap Continue to begin setting up passwordless login.Click or tap the Windows Hello option to begin adding it to Duo. Read the Windows Hello information and click or tap Continue. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera. When you receive confirmation that you added Windows Hello as a verification method click or tap Continue. You've added Windows Hello as your passwordless login method. Tap Done. After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Windows Hello

The next time you log into this Duo SSO application from the Windows system where you set up Windows Hello for passwordless login, you'll enter your username and then instead of entering your password you can choose Windows Hello to verify your identity. Click or tap Log in.

Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition, just like you did when you set up Windows Hello in Duo.

Successful Windows Hello verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Android Biometrics

In order to use Android Biometrics with Duo Passwordless, make sure you have the following:

• An Android device that supports biometrics, like fingerprint or face unlock.
• Facial or fingerprint unlock set up on that device. Go to Settings → Security to change your unlock settings. Refer to the Google support articles Unlock your Pixel phone with your fingerprint and Unlock your Pixel phone with your face, the Samsung articles Set up and use the fingerprint sensor on your Galaxy phone and Use Facial recognition security on your Galaxy phone, or your device manufacturer's support site for examples of how to do this.

Set up Android Biometrics

1. Log into the Duo SSO application with your password and complete Duo authentication.
2. Tap Continue to begin setting up passwordless login.
3. Tap the Device verification option to begin adding it to Duo.
   
4. Read the device verification information and click or tap Continue.
   
5. Follow the Android instructions to verify your identity by scanning your fingerprint or pointing your face to your camera. If you aren't able to do either of those biometric checks, you can enter your Android PIN.
   
6. When you receive confirmation that you added your Android device as a verification method tap Continue.
   
7. You've added Android biometric device verification as your passwordless login method. Tap Done.
   

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Android Biometrics

The next time you log into this Duo SSO application from the Android device where you set up biometric device verification for passwordless login, you'll enter your username and then instead of entering your password you can choose device verification to verify your identity. Tap Log in.

Follow your device's prompt to scan your fingerprint or use facial recognition, just like you did when you set up your Android device in Duo.

Successful Android device verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Security Keys

A security key is an external device that sends a signed response when tapped or pressed back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

Duo considers security keys to be roaming authenticators, meaning you can register your security key for passwordless on one computer, and then connect it to a different computer to use it for passwordless login for the same account. You could set up Duo Passwordless with a USB security key on your MacBook, and then plug that same USB security key into a Windows computer to log in to a Duo SSO application without typing your password.

To use a security key with Duo Passwordless, make sure you have the following:

• A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options.
• The security key must be a biometric key (i.e. a fingerprint reader), or must be configured with a PIN for FIDO2 use. Refer to your security key vendor's support information to learn how to configure a PIN for your security key, for example, this article from Yubico describes how to use and set PINs for YubiKey security keys.
• A supported browser: Chrome, Safari, Firefox (excluding macOS), or Edge. Refer to the Duo Passwordless browser support table.

Set up Security Keys

Make sure that your security key's PIN or biometric verification works before trying to set it up in Duo. If your security key doesn't meet the requirements, you will need to close your browser tab or window to exit the setup process and start your login attempt again.

1. Connect your FIDO2 security key to the device you'll use to log into a Duo SSO application.
2. Log into the Duo SSO application with your password and complete Duo authentication.
3. Click or tap Continue to begin setting up passwordless login.
4. Click or tap the Security key option to begin adding it to Duo. You'll only see this option offered if your Duo administrator allows use of roaming passwordless authenticators.
   
5. Read the security key information and click Continue.
   
6. Enter your security key's PIN or perform biometric verification when prompted (Chrome example shown).
   
7. Tap the security key to complete verification (Chrome example shown).
   
8. When you receive confirmation that you added your security key as a verification method click or tap Continue.
   
9. You've added a security key as your passwordless login method. Click Done.
   

After completing Duo Passwordless setup you proceed to your application as a logged-in user.

Log in with Security Keys

The next time you log into this Duo SSO application — from the device where you set up your security key or another device where you connected that same security key — you'll enter your username and then instead of entering your password you can choose Security Keys to verify your identity.

Enter your security key's PIN or let the security key scan your fingerprint, just like you did when you set up Security Keys in Duo (Windows Edge example shown).

Then, when prompted, tap the security key again to complete your passwordless login (Windows Edge example shown).

Successful security key verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user.

Log in From a Different Device or Browser

If you set up a platform authenticator for passwordless logins (like Touch ID or Windows Hello), that verification method is associated with that device. If you switch to a different access device, you will need to log in with your password. After completing Duo two-factor authentication on the second device, you can set up the platform authenticator on that new device for Duo Passwordless logins.

In some situations Duo Passwordless may think you are logging in from a different device when you use a different browser on the system where you already registered a platform authenticator (like if you set up Windows Hello from the Edge browser, but then switch to Firefox on the same computer). If this happens, Duo asks you if this is a new device (or new browser).

If you are accessing the application from a new device, click or tap the Log in with a password button. Enter your SSO password and then you can set up passwordless login on the new device.

If you aren't accessing the application from a new device, click or tap the link to try your existing platform authenticator, such as Try Touch ID or Try Windows Hello. Follow the prompts to verify your identity with your previously registered platform authenticator, and Duo logs you into the application without a password.

Access Device Software Checks

Your Duo administrator may choose to warn you when your software is out of date, require software updates before allowing access, or even block access from devices that don't meet your organization's requirements.

Outdated Software

If the browser or operating system on the device you use to log into applications with Duo Passwordless fails your organization's health check, you'll see a notification prompting you to update your software.

Click or tap See how to update for update instructions.

If your organization's policy allows you to access the application without updating your software, you can click or tap Skip for now to continue without updating.

If your organization requires up-to-date software to access applications, you won't see an option to skip past the notification and must update your browser or operating system. When your software is up to date you can try logging into the application again.

Blocked Software

If you try to access an application using an operating system or browser that your organization has blocked, you'll see a notification informing you that it isn't allowed.

Click or tap See what is allowed for more details about which operating systems or browsers you may or may not use to access the application.

Is Windows 2 factor authentication Hello?

What are examples of two

What are the two factors used in two