Which of the following is a two factor authentication that uses an enrolled device and Windows Hello?
With Duo Passwordless, you no longer have to remember or type in long, complex passwords when you access applications. Instead, you can log in with a single gesture, like scanning your fingerprint. Duo Passwordless uses removable security keys and biometric authenticators built into computers, phones, and tablets to secure access to your applications without passwords. Show
Contents
About Duo PasswordlessDuo Passwordless works with applications that use Duo Single Sign-On (SSO). Instead of typing your password on the Duo SSO login page, you'll use your device to verify your identity. If you change devices, access an application that doesn't use Duo Single Sign-On, or if the passwordless verification method isn't available when you are logging in to an application — such as if you forgot your registered security key or you've closed your laptop so you can't scan your fingerprint — then you will enter your password to log in to the application. Supported AuthenticatorsDuo supports two types of passwordless authenticators:
Supported BrowsersDuo Passwordless supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), and Edge. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system. Check the tables below for supported browser versions and Duo verification option compatibility. While other browsers may work with Duo Passwordless, Duo actively tests and supports the browser minimum versions listed in the tables. Windows 10 and Later
macOS 11 and Later
iOS/iPadOS 14.5 and Later
Android 10 and Later
Set up Duo PasswordlessWhen you log into a Duo Single Sign-On (Duo SSO) application that supports passwordless authentication, you will log in with your username and password, and complete Duo two-factor authentication. See the Duo Single Sign-On guide for an example. After that, you'll see the "Tired of passwords?" invitation to set up Duo Passwordless. Click or tap Continue to set up passwordless login. If you don't want to set up passwordless login now, click or tap Skip for now. Duo will finish logging you into your application. Duo will ask again if you want to set up passwordless authentication during future logins. The options you see offered during Duo Passwordless setup depend on whether your organization allows use of platform authenticators (Touch ID, Windows Hello, etc.), roaming authenticators (security keys), or both. In this example, the organization allows both kinds of passwordless devices. The user is accessing the application with Chrome on a MacBook, so the choices are to set up Touch ID or a security key. In this example, the organization allows roaming authenticators but not platform authenticators, so the only option is to set up a security key. Note that if your organization allows both types of authenticators but your access device doesn't have a supported platform authenticator you'll only see the security key option as well. Set up Multiple Authenticator TypesIf your organization allows both platform and roaming authenticators, you can set up both of them for your account (for example, if you want to be able to use either Windows Hello and a security key). However, Duo's self-service device management doesn't yet support registration of additional passwordless authenticators. To set up both types of authenticators, you will need to go through the process of logging in with your password and setting up the authenticator twice — once for the platform authenticator and then once again for the security key. This is easiest if you first log in with your password and complete set up of your platform authenticator in a regular browser tab, and then open an incognito or private browser window and log in with your password again, this time completing set up of the security key. Duo Passwordless Login optionsLearn how to set up and log in with these Duo Passwordless identity verification methods.
Touch ID on a MacIn order to use Touch ID on macOS with Duo Passwordless, make sure you have the following:
Set up Touch ID
After completing Duo Passwordless setup you proceed to your application as a logged-in user. Log in with Touch IDThe next time you log into this Duo SSO application from the Mac computer where you set up Touch ID for passwordless login, you'll enter your username and then — instead of entering your password — you can choose Touch ID to verify your identity. Place your finger on the Touch ID button in the Touch Bar to complete logging in to the application, as you did when you set up Touch ID in Duo. Successful Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user. Face ID or Touch ID on an iPhone or iPadIn order to use Face ID or Touch ID on an iPhone or iPad with Duo Passwordless, make sure you have the following:
Depending on the option your device supports, you'll either scan your face to use Face ID during setup and while logging in, or you'll scan your fingerprint instead to use Touch ID. Set up Face ID/Touch ID
After completing Duo Passwordless setup you proceed to your application as a logged-in user. Log in with Face IDThe next time you log into this Duo SSO application from the iPhone or iPad where you set up Face ID/Touch ID for passwordless login, you'll enter your username and then instead of entering your password you can choose Face ID/Touch ID to verify your identity. Tap Log in. Follow your device's prompt to use Face ID or Touch ID, just like you did when you set up Face ID/Touch ID in Duo. Successful Face ID/Touch ID verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user. Windows HelloIn order to use Windows Hello with Duo Passwordless, make sure you have the following:
Set up Windows Hello Log into the Duo SSO application with your password and complete Duo authentication.Click or tap Continue to begin setting up passwordless login.Click or tap the Windows Hello option to begin adding it to Duo. Read the Windows Hello information and click or tap Continue. Follow the Windows Hello instructions to verify your identity by entering your PIN, scanning your fingerprint, or pointing your face to your camera. When you receive confirmation that you added Windows Hello as a verification method click or tap Continue. You've added Windows Hello as your passwordless login method. Tap Done. After completing Duo Passwordless setup you proceed to your application as a logged-in user.Log in with Windows HelloThe next time you log into this Duo SSO application from the Windows system where you set up Windows Hello for passwordless login, you'll enter your username and then instead of entering your password you can choose Windows Hello to verify your identity. Click or tap Log in. Follow your device's prompt to enter your Windows Hello PIN, scan your fingerprint, or use facial recognition, just like you did when you set up Windows Hello in Duo. Successful Windows Hello verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user. Android BiometricsIn order to use Android Biometrics with Duo Passwordless, make sure you have the following:
Set up Android Biometrics
After completing Duo Passwordless setup you proceed to your application as a logged-in user. Log in with Android BiometricsThe next time you log into this Duo SSO application from the Android device where you set up biometric device verification for passwordless login, you'll enter your username and then instead of entering your password you can choose device verification to verify your identity. Tap Log in. Follow your device's prompt to scan your fingerprint or use facial recognition, just like you did when you set up your Android device in Duo. Successful Android device verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user. Security KeysA security key is an external device that sends a signed response when tapped or pressed back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2". Duo considers security keys to be roaming authenticators, meaning you can register your security key for passwordless on one computer, and then connect it to a different computer to use it for passwordless login for the same account. You could set up Duo Passwordless with a USB security key on your MacBook, and then plug that same USB security key into a Windows computer to log in to a Duo SSO application without typing your password. To use a security key with Duo Passwordless, make sure you have the following:
Set up Security KeysMake sure that your security key's PIN or biometric verification works before trying to set it up in Duo. If your security key doesn't meet the requirements, you will need to close your browser tab or window to exit the setup process and start your login attempt again.
After completing Duo Passwordless setup you proceed to your application as a logged-in user. Log in with Security KeysThe next time you log into this Duo SSO application — from the device where you set up your security key or another device where you connected that same security key — you'll enter your username and then instead of entering your password you can choose Security Keys to verify your identity. Enter your security key's PIN or let the security key scan your fingerprint, just like you did when you set up Security Keys in Duo (Windows Edge example shown). Then, when prompted, tap the security key again to complete your passwordless login (Windows Edge example shown). Successful security key verification logs you in without entering a password, and Duo SSO sends you to the application as a logged in user. Log in From a Different Device or BrowserIf you set up a platform authenticator for passwordless logins (like Touch ID or Windows Hello), that verification method is associated with that device. If you switch to a different access device, you will need to log in with your password. After completing Duo two-factor authentication on the second device, you can set up the platform authenticator on that new device for Duo Passwordless logins. In some situations Duo Passwordless may think you are logging in from a different device when you use a different browser on the system where you already registered a platform authenticator (like if you set up Windows Hello from the Edge browser, but then switch to Firefox on the same computer). If this happens, Duo asks you if this is a new device (or new browser). If you are accessing the application from a new device, click or tap the Log in with a password button. Enter your SSO password and then you can set up passwordless login on the new device. If you aren't accessing the application from a new device, click or tap the link to try your existing platform authenticator, such as Try Touch ID or Try Windows Hello. Follow the prompts to verify your identity with your previously registered platform authenticator, and Duo logs you into the application without a password. Access Device Software ChecksYour Duo administrator may choose to warn you when your software is out of date, require software updates before allowing access, or even block access from devices that don't meet your organization's requirements. Outdated SoftwareIf the browser or operating system on the device you use to log into applications with Duo Passwordless fails your organization's health check, you'll see a notification prompting you to update your software. Click or tap See how to update for update instructions. If your organization's policy allows you to access the application without updating your software, you can click or tap Skip for now to continue without updating. If your organization requires up-to-date software to access applications, you won't see an option to skip past the notification and must update your browser or operating system. When your software is up to date you can try logging into the application again. Blocked SoftwareIf you try to access an application using an operating system or browser that your organization has blocked, you'll see a notification informing you that it isn't allowed. Click or tap See what is allowed for more details about which operating systems or browsers you may or may not use to access the application. Is Windows 2 factor authentication Hello?In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
What are examples of twoUsing two knowledge factors like a password and a PIN is two-step authentication. Using two different factors like a password and a one-time passcode sent to a mobile phone via SMS is two-factor authentication.
What are the two factors used in twoThe user has provided two factors of authentication: The password is the knowledge factor, and the YubiKey is the possession factor.
|