Multifactor Authentication at Pitt

Overview

Pitt Passport, the University’s Single Sign-On service, delivers a consistent, trusted login experience across University services. Multifactor authentication, provided by Duo Security, adds another layer of security to Pitt Passport by requiring two “factors” to log in to a service: something you know (like your password) and something only you have (like your mobile phone on which you will receive a login confirmation notice).

Threats from phishing scams, malicious software, and compromised passwords are constantly increasing. These threats pose an immediate risk to your privacy and the security of University data. In response, the University has added multifactor authentication to all faculty and staff services that leverage the University’s single sign-on service, Pitt Passport. Multifactor authentication will be added to all student services that leverage Pitt Passport on May 14. In addition, the protection of multifactor authentication will also be required for student employees, resource accounts, guest wireless accounts, OSHER accounts, emeritus faculty, and visiting faculty. Alumni, applicants, and retired staff will not be required to use multifactor authentication at this time.

This means that when you access a service that prompts you to enter your username and password on the Pitt Passport login page, you will be prompted to complete the login process with multifactor authentication. Multifactor authentication is also required for students, faculty, and staff using the Secure Remote Access service (from the Pulse client, IPSec client, or legacy Network Connect client) to connect to University resources.      

Multifactor authentication is an additional layer of security designed to prevent unauthorized access to your information and University data, including confidential retirement account details, pay statements, or direct deposit information. It helps protect your privacy regardless of what type of device you use to access Pitt Passport services (for example, a desktop computer, laptop, tablet, or smartphone) and regardless of whether you access Pitt Passport services while connected to the University’s wired network, the University’s wireless network, or an external network. The University’s multifactor authentication solution provides several options for your second authentication factor, including options that enable you to use multifactor authentication when you are in an area without wireless access or cell phone service (see Frequently Asked Questions for details).

To use multifactor authentication, you must:

  1. Register a device (smartphone, tablet, non-smartphone)
    Log in to accounts.pitt.edu, click "Add/Manage Pitt Passport Devices", and complete the steps. (See Step 1 below for details.)
  2. Students Only: Enable multifactor authentication for all Pitt Passport services
    Log in to accounts.pitt.edu, click "Secure Pitt Passport Services", enable multifactor for all services, and click "Save". (See Step 2 below for details.)
  3. Log in using the device that you registered
    Log in to a service and select "Send Me a Push", "Call Me", or "Enter a Passcode". (See Step 3 below for details.)

If you need help registering, stop by one of our upcoming Quick Registration tables or contact the Technology Help Desk.

Benefits

  • Secure: Hackers are constantly searching for ways to compromise passwords using malicious software, phishing scams, and other techniques. If your password is guessed, hacked, or stolen, it can jeopardize your private data as well as University data. Multifactor authentication adds a layer of security to your data by ensuring that your password alone cannot be used to access critical information and services.
  • Efficient: Worried that multifactor authentication will be too time-consuming to use? Don't be. You'll be surprised how quick and easy it is.
  • Convenient: You can choose the multifactor authentication method that works best for you. Maybe you want to receive a login confirmation notice on your smartphone that you can simply tap to accept. Or maybe you prefer to receive a code via text message. Or maybe you want to receive a phone call. Whatever your preference, Pitt's multifactor authentication service has a solution.

Guidelines for Deciding What Type of Devices to Register

You have the option to register a wide variety of devices to use with multifactor authentication. How do you know which device is the best fit? Consider these general guidelines:

  1. If you have a smartphone, enroll your smartphone for multifactor authentication and select “Send me a Push” when authenticating. A notification will be sent or "pushed" to your smartphone when you try to log in. Tap Approve to complete the login process.
  2. If you have a regular cell phone, then enroll your phone number for multifactor authentication and select either “Call Me” or “Enter a Passcode” when authenticating. “Call Me” will call your cell phone number and prompt you to press 1 to complete the login process. “Enter a Passcode” lets you have a code texted to your cell phone, which you will then enter to complete the login process.
  3. If you don’t have a cell phone, enroll your office phone and/or home phone for multifactor authentication by completing the steps in “Register a Landline (Office Phone)” below. Use “Call Me” when authenticating.
  4. If you do not have a cell phone or a home phone, then stop by the Technical Support Desk at the University Store on Fifth to discuss the use of a hardware token.

Step 1 (recommended): Register a Mobile Phone, Tablet, or Non-Smartphone

It is recommended that you register a mobile phone for use with multifactor authentication. The instructions below explain how to register an Android phone. The process for registering an iPhone, Windows phone, or BlackBerry is very similar. You can also register a tablet or non-smartphone by following these steps. If you would like to register a landline (for example, an office phone), follow the instructions in the next section.

1. Log in to accounts.pitt.edu with your University Computing Account username and password.

2. Click Add/Manage Pitt Passport Devices.

3. Click Start Setup.

Note: If you have already registered a device, a screen with an Add another device link will display in place of the "Start setup" screen. Click Add another device.

4. Select Mobile phone and click Continue. (To register a tablet, select Tablet.)

5. Enter your mobile phone number, verify it is the correct phone number by selecting the checkbox, and click Continue.

6. Select the type of phone you are registering and click Continue.
Note for registering non-smartphones: If you are registering a non-smartphone, click Other and complete the remaining screens that display in the wizard.

7. Install the Duo Mobile App for your phone from the Pitt App Store, Google Play (Android devices), the Apple Store (iOS devices), or the Microsoft Store (Windows devices). When the app is installed, click I have Duo Mobile installed.

8. Open the Duo Mobile app on your phone, tap the plus (+) sign on the app, and use your phone to scan the new barcode on your computer screen.

9. Once the barcode has been scanned, a confirmation that your Pitt account was added will display on your mobile phone, and an activation screen will display on your computer. Click Continue.

10. Choose what you want to happen when you log in to a service that requires multifactor authentication. By default, you will be prompted to choose an authentication method. If you know you will always want to receive a "push" notification (i.e., an Approve/Deny confirmation screen that displays on your phone), you can save time by selecting "Automatically send this device a Duo Push." When you are finished, click Save.

11. It is recommended that you register more than one smartphone, cell phone, tablet, or landline for multifactor authentication. That way, if you do not have your smartphone with you, you will still be able to log in using a tablet or landline. To register a second device, click Add another device on the screen above and follow the same steps.

Now that you have registered a device, proceed to step 2 if you are a student to enable multifactor authentication for all Pitt Passport services. When you log in to those services, you will be prompted to use multifactor authentication.  

Step 1 (alternative): Register a Landline (Office Phone)

The steps below explain how to register a landline (for example, an office phone). It is recommended that you register a mobile phone for use with multifactor authentication. To do so, follow the instructions in the previous section.

Notes

  • If you choose to use a landline, it must be an individual telephone registered to you. You may use your office phone, but you may not register a shared telephone.
  • If you plan to use a landline as your primary device, remember that you will need to have access to that specific phone whenever you want to log in to a service that is protected by multifactor authentication.  

1. Log in to accounts.pitt.edu with your University Computing Account username and password.

2. Click Add/Manage Pitt Passport Devices.

3. Click Start Setup.

Note: If you have already registered a device, a screen with an Add another device link will display in place of the "Start setup" screen. Click Add another device.

4. Select Landline and click Continue. (Keep in mind that a mobile phone is recommended.)

5. Enter the phone number, verify that it is the correct number by selecting the checkbox, and click Continue.

6. The landline will display in the list of devices you have registered. If you want to make your landline the primary device you use to log in with multifactor authentication, select it under the drop-down menu titled Default Device.

Now that you have registered a device, you will need to enable multifactor authentication for all Pitt Passport services. When you log in to those services, you will be prompted to use multifactor authentication.

Step 2 (Students Only): Enable Multifactor for All Pitt Passport Services

Multifactor authentication is enabled by default for faculty and staff. Students need to enable multifactor authentication for all Pitt Passport services after registering a device. To do so:

1. Log in to accounts.pitt.edu with your University Computing Account username and password.

2. Click Secure Pitt Passport Services.

3. Select the option to enable multifactor authentication for all services and click Save.

4. After you click Save, you will be prompted to use multifactor authentication whenever you log in to a service through Pitt Passport.

Step 3: Log in Using Multifactor Authentication

After you have registered a device, you will be prompted to use your device whenever you log in to a protected service. An authentication screen will display when you attempt to log in. You can authenticate in one of three ways:

  • Send Me a Push
  • Call Me
  • Enter a Passcode  

Note: If you have more than one device registered, you can click the Device drop-down menu to select the device you want to use to authenticate.


Send Me a Push

If you select Send me a Push, a notification will be sent or "pushed" to your mobile phone or tablet. You simply need to tap Approve to complete the login process.


  • Important: If you receive a login request that you were not expecting, tap Deny to reject the request. You will be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it. You should only click Approve if you were expecting to receive a push notification because you were trying to log in to a service.       

Call Me

If you select Call Me, the authentication screen will indicate that it is calling your mobile phone or landline. Answer the call. If you were expecting the call, press 1 to complete the login process. If you were not expecting the call, press 9 to report it as fraudulent.

Note: If you are using a landline at UPMC Children's Hospital and are using the "Call Me" authentication option, you will need to press the # key, then 4, then 1 to approve the authentication request. To deny the authentication request, press the # key, then 4, then 9.


Enter a Passcode

If you select Enter a Passcode, the authentication screen will prompt you to enter a code (e.g., a series of numbers). If you do not have a code, click the Text me new codes button and a code will be sent to your mobile phone.

Enter the code in the green box and click Log In.

  • Tip: You can also generate a passcode at any time from within the Duo Mobile app. Just click the key icon next to the University of Pittsburgh account.


Set a Default Authentication Preference

If you always want to receive a push notification (or you always want to receive a phone call or enter a passcode), you can save time and set this as your default preference. To do so, complete these steps.

1. Log in to accounts.pitt.edu and click Add/Manage Pitt Passport Devices.

2. Select Send Me a Push, Call Me, or Enter a Passcode to authenticate with multifactor authentication.

3. Select your default authentication method from the When I log in: options and click Save.

Add, Change, or Remove a Device

If you need to make changes to the devices you have registered, complete the steps below.

Log in to accounts.pitt.edu and click Add/Manage Pitt Passport Devices.

Select Send Me a Push, Call Me, or Enter a Passcode to authenticate with multifactor authentication.

To add another device, click the +Add another device link and complete the steps in the registration wizard.

To remove a device, click Device Options next to the device you want to remove and click the red trash can symbol.

To reactivate Duo Mobile on a device (for example, if you bought a new mobile phone but kept the same phone number), click the Reactivate Duo Mobile link and complete the steps.

To change the name of a device (for example, to name a device "John's iPhone"), click Device Options next to the device you want to modify, click Change Device name, enter a new name, and click Save.

Multifactor and Secure Remote Access

If you use the University’s Secure Remote Access service, either through the recommended Pulse client or via the IPSec client, you will need to use multifactor authentication for your secure remote connections. This requirement affects all students, faculty, and staff who use the Secure Remote Access service.

Note that you must already have registered a device for multifactor authentication before you can complete the steps below.

Using MFA with the Pulse Client

1. Launch the Pulse client and open your preferred connection.

2. A new pre-sign in notification will display. This page explains your options for using multifactor authentication. Click Proceed.

3. Enter your username and password as you normally would and click Connect.

4. A new screen will display with a Secondary Password field for multifactor authentication.

In the secondary password field, type either PUSH, a passcode you will generate, PHONE, or SMS. Here is how each option works:

  • A. Type Push and click Connect. Accept the Push notification on your smartphone or tablet. Note that you must have the Duo Mobile app installed on your smartphone or tablet (if you haven't already installed the app, you can download it from your device's app store).
  • B. Generate a passcode by tapping the key icon within the Duo Mobile app on your smartphone or tablet or by using your hardware token. Enter the passcode into the Secondary Password field and click Connect.
  • C. Type phone in the Secondary Password field and click Connect. This will call the default phone number you registered for multifactor authentication. Answer the call and press 1.
  • D. Type sms in the Secondary Password field and click Connect. Your authentication attempt will fail, but you will receive a passcode on your registered device. Enter that passcode into the Secondary Password field on the Pulse screen with the "Credentials were invalid" message and click Connect again.

    Note: You can also add a number to the end of these factor names if you have more than one device registered. For example, PUSH2 will send a login request to your second phone, PHONE3 will call your third phone, and so forth.

5. Your connection will be established.

Using MFA with the IPSec Client

These instructions assume you are already using the IPSec client on your computer. If you need assistance installing or configuring the IPSec client, refer to our instructions for Windows, Mac, or Linux before completing the steps below. 

Windows

1. Double-click the Cisco IPSec Client on your desktop, then select the VPN configuration from the Connection Entry list. The VPN connection entry list window will display.

2. Click the IPSec connection that you use under the Connection Entry column.

3. Click the Connect button.

4. Enter your University Computing Account username in the Username field.

5. In the password field, you have several options to authenticate with multifactor authentication: 

  • Type your password only. This will use the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password will automatically send a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process. 
  • If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This will automatically call your registered device. Press 1 on your dialpad to authenticate.
  • If you want to authenticate with a passcode, generate a passcode within the Duo Mobile app, then type your password followed by the Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
  • If you want to be sent a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt will fail and you will receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456. 

6. Click the OK button.

7. A VPN icon will display in your menu bar once the connection has been established.

8. Start the application that requires a secure connection, such as a database client or Web application.

Mac

1. Click the VPN icon in the menu bar. Select Connect PittNet VPN, where PittNet VPN is the name of the IPSec connection that you use.

2. Enter your University Computing Account username.

3. In the password field, you have several options to authenticate with multifactor authentication:

  • Type your password only. This will use the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password will automatically send a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process. 
  • If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This will automatically call your registered device. Press 1 on your dialpad to authenticate.
  • If you want to authenticate with a passcode, generate a passcode within the Duo Mobile app, then type your password followed by the Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
  • If you want to be sent a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt will fail and you will receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.

4. Click the OK button.

5. A VPN icon will display in your menu bar once the connection has been established.

6. Start the application that requires a secure connection, such as a database client or Web application.

Linux

Configure the Virtual Private Network Connection

  1. Use yum or apt-get to install “vpnc”. For example, with apt-get, type: $ sudo apt-get install vpnc
  2. Edit the configuration file by typing: $ sudo nano /etc/vpnc/pittvpn.conf
  3. Enter the following configuration settings:
    IPSec gateway vpn.pitt.edu
    IPSec ID <your department’s group name>
    IPSec secret <your department’s pre-shared text key>
    Xauth username <your University Computing Account username>

Establish a Secure Connection

  1. Type the following command: $ sudo vpnc pittvpn

Enter Your Password with Duo Multifactor Authentication

You will be presented with a password prompt. You have several options to authenticate with multifactor authentication:

  • Type your password only. This will use the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password will automatically send a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process. 
  • If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This will automatically call your registered device. Press 1 on your dialpad to authenticate.
  • If you want to authenticate with a passcode, generate a passcode within the Duo Mobile app, then type your password followed by the Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
  • If you want to be sent a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt will fail and you will receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.
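
The Pulse Secondary Password field and the IPSec password,factor format described above both pack a second-factor choice into a text field. The sketch below is an added illustration, not code from the University or Duo, of how such input can be interpreted. Assumptions: passcodes are 6 to 8 digits, the split is on the last comma, and the numeric device suffix the page describes for Pulse (PUSH2, PHONE3) is also accepted after the comma.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Factor keywords from the page. Matched case-insensitively because the page
# writes them both as PUSH/PHONE/SMS and as push/phone/sms. An optional number
# selects the Nth registered device (PUSH2, PHONE3).
_FACTOR = re.compile(r"(push|phone|sms)([1-9][0-9]*)?", re.IGNORECASE)
# Assumption: passcodes are 6 to 8 digits (the page's example is 123456).
_PASSCODE = re.compile(r"[0-9]{6,8}")


@dataclass(frozen=True)
class SecondFactor:
    method: str                     # push | phone | sms | passcode | default
    device_index: int = 1           # 1 = first registered device
    passcode: Optional[str] = None  # set only when method == "passcode"

    @property
    def completes_login(self) -> bool:
        # Per the page, "sms" only triggers a text message: that attempt
        # fails and the user retries with the passcode they were sent.
        return self.method != "sms"


def parse_secondary(field: str) -> SecondFactor:
    """Interpret what was typed into the Pulse Secondary Password field."""
    value = field.strip()
    m = _FACTOR.fullmatch(value)
    if m:
        return SecondFactor(m.group(1).lower(), int(m.group(2) or 1))
    if _PASSCODE.fullmatch(value):
        return SecondFactor("passcode", passcode=value)
    # Never echo the rejected value: a user may have typed a password here.
    raise ValueError("not a factor name or passcode")


def split_ipsec_password(field: str) -> Tuple[str, SecondFactor]:
    """Split the IPSec 'password,factor' field into its two parts.

    Assumptions: the split is on the LAST comma so passwords may contain
    commas, and an unrecognised suffix means the comma is part of the
    password and the default method applies.
    """
    head, sep, tail = field.rpartition(",")
    if sep:
        try:
            return head, parse_secondary(tail)
        except ValueError:
            pass  # the comma belongs to the password itself
    return field, SecondFactor("default")


if __name__ == "__main__":
    # Constructed sample inputs; "password" is the page's own placeholder.
    for typed in ("password", "password,phone", "password,123456",
                  "password,sms", "pa,ss,word,PUSH2"):
        _, factor = split_ipsec_password(typed)
        print(factor.method, factor.device_index, factor.completes_login)
```

Under this reading, a password that itself ends in a comma followed by a factor keyword or a 6 to 8 digit number is indistinguishable from an appended factor.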

Multifactor FAQ

Will I need to use multifactor authentication to log in to the workstation in my office?

  • No. Multifactor authentication is required only for services that leverage Pitt Passport, the University’s Single Sign-On service. You will not need to use multifactor authentication to log in to your workstation.

What do I do if I receive a push notification or phone call when I have not tried to log in to a service?

  • You should deny the request and report it to the Technology Help Desk at 412-624-HELP [4357]. Someone may have compromised your password and may be trying to use it to log in to services.

Should I register more than one smartphone, cell phone, tablet, or landline?

  • Yes. In addition to your primary smartphone or mobile device, you should register a second tablet, smartphone, cell phone, or landline so that you can still log in if you leave your primary device at home or lose it. For instance, you might register your mobile phone as your primary device and your landline (office phone) as your secondary device.

I sometimes stop receiving push notifications on Duo Mobile. Why?

  • You may have trouble receiving push requests if there are network issues between your phone and Duo’s service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests. If you experience issues receiving a Push request, try one of these steps to resolve it:
    • Turn your phone to airplane mode and back to normal operating mode again. This will often resolve the issue if there is a reliable internet connection available.
    • Turn off the WiFi connection on your device and try using the cellular data connection.
    • Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

    If these suggestions do not resolve the issue, please contact the Technology Help Desk at 412-624-HELP [4357] for assistance. If you need to authenticate in the meantime, you can open the Duo Mobile app and tap the key icon to generate a passcode. Log in to a Pitt Passport service, select “Enter a Passcode” when you are prompted to use multifactor authentication, and enter the passcode you generated.

What if I am in a location that does not have cell phone service or wireless access? Can I still use multifactor authentication?

  • Yes. If you have a smartphone, you can generate a passcode by opening the Duo app and tapping the key icon, even if you are in a location without cell phone service or wireless access. Cell phone service is required if you have a non-smartphone and want to use the SMS (text) or Call Me option to log in.

Once I log in to a Pitt Passport service with multifactor authentication, do I need to continue to use multifactor authentication every time I access another service that leverages Pitt Passport?

  • No. As long as you leave a Web browser open after you log in to a Pitt Passport service, then you should only be prompted to use multifactor authentication once every 12 hours. However, if you close your browser session (or if you access a Pitt Passport service from a different browser or different device), then you will be prompted to use multifactor authentication again.

What University services leverage Pitt Passport and therefore require multifactor authentication?

  • A growing number of University services are taking advantage of the security provided by the University’s single sign-on service, Pitt Passport. The list of enterprise services that use Pitt Passport includes, but is not limited to: My Pitt, Office 365 (including Exchange), CourseWeb, My Pitt Video (Panopto), the Student Information System (PeopleSoft), Prism, pitt.box.com, EZ Proxy, Pitt PS Mobile, the Account Management site (accounts.pitt.edu), PittPAY, Blackboard e-accounts, Career Development, Enterprise Lab Notebooks (Lab Archives), Docusign, Ask Cathy, Collegiate Link, PittSource, TIAA-CREF, lynda.pitt.edu, Parchment, Image Now, Suitable, Microsoft Imagine (formerly DreamSpark), PittServes Volunteer Portal, MyHealth OnLine, Tableau, Faculty Information System (Elements), the Pitt App Store, and Gartner.

What do I do if I don’t have my device with me and need to log in?

  • You should always register more than one device. If you do not have either device with you and you need to log in, call the Technology Help Desk at 412-624-HELP [4357] for assistance.

I got a new phone. What do I need to do to enable it for multifactor authentication?

  • If you get a new phone and you keep the same phone number, you will need to re-activate Duo Mobile on that phone (see the Add, Change, or Remove a device section for instructions). If you get a new phone with a different number, you will need to add it as a new device. You should remove the previous device if you are no longer using it. See the Add, Change, or Remove device section for instructions.

I lost my phone. What should I do?

  • If you have registered a second device, you should log in with that device and remove the device you have lost from your list of registered devices (see the Add, Change, or Remove a device section for instructions).

I do not have a smartphone or cell phone and I do not want to use my landline as my multifactor authentication device. What options are available to me?

  • If you do not have a device to use with multifactor authentication, you may obtain a hardware token. A hardware token is a physical device that generates a passcode when you press a button. The passcode can be used as your second factor of authentication. You will press a button on the hardware token to generate a passcode that can be entered on the login screen. To request a hardware token, contact the Technology Help Desk at 412-624-HELP [4357] or submit a request online. The Help Desk will explain where to pick up your hardware token. Note that you will need to pick up your hardware token in person and bring with you a valid form of identification.

I work in a location with a shared landline (for example, a lab). What options are available to me?

  • If you cannot register a smartphone or cell phone and you only have access to a shared landline, the best option is to obtain a hardware token to use with Duo multifactor authentication. Please refer to the previous question for details.

I am setting up multifactor authentication, but when I scan the barcode, I receive a message that says "Activation Link Expired". What should I do?

  • You will need to reactivate Duo Mobile on your device. To do so, log in to accounts.pitt.edu. You will need to use multifactor authentication on your second (backup) device to log in. If you do not have a second device registered for multifactor authentication, please call the Technology Help Desk at 412-624-HELP [4357] for assistance. When the multifactor authentication screen displays, click My Settings & Devices in the left-hand column, choose your secondary device, and choose an authentication method. Once you have successfully logged in, click Device Options next to the device you want to reactivate, and click Reactivate Duo Mobile. Complete the steps in the activation wizard to reactivate your device. 

Where can I find additional instructions and help documentation?
