Cornell University

Use Windows Hello for Duo Two-Step Login

This article applies to: Two-Step Login

Windows Hello can be used as an additional Two-Step Login (Duo) authentication method for web-based logins in case your primary method—Duo Mobile push, USB security key, or hardware token—is unavailable, or in case you just want a more secure passkey method.

When Windows Hello is set up as a Duo authentication method, it will be specific to the device and browser used to set it up. It will need to be set up separately for use with other devices (even those also running Windows) or other browsers.

Also, Windows Hello cannot be used to authenticate in Chrome Incognito or Microsoft Edge InPrivate browsing.

Before registering Windows Hello with Duo, make sure that:

  • The device is running Windows 10 or 11

  • The device supports PIN, fingerprint, or facial recognition (not all PCs do)

  • You are using the latest version of Chrome, Edge, or Firefox

  • You have an active Cornell Two-Step Login (Duo) account

Enable Windows Hello on your Windows device

Faculty and staff may have already set up Windows Hello as part of the setup for Secure Connect. They can skip to the next section, Add Windows Hello to Your Duo Account, below.

For information from Microsoft about setting up Windows Hello, visit Configure Windows Hello.

If Windows Hello has not already been set up on a device:

  1. On your Windows device, select the Windows Start menu (windowpane icon), then Settings (gear icon).
  2. Select Accounts, then Sign-in options.
  3. Under Ways to sign in, select one of the available options (“Windows Hello” will be shown after the option name). If your device does not support an option, it may not appear in the list.
    • Fingerprint recognition (Windows Hello)
    • Facial recognition (Windows Hello)
    • PIN (Windows Hello)
  4. Select Set Up, then follow the prompts and instructions to set up the option chosen.

Add Windows Hello to Your Duo Account

If you have Windows Hello set up on a Windows 10 or 11 device and an active Two-Step Login (Duo) account:

  1. Go to Manage Your Two-Step Login. Log in with your Cornell credentials and authenticate as required with your existing Duo method.
  2. Select Manage Devices to open the Duo device management portal. Authenticate once more as required.
     You can also get to the Duo device management portal from a Duo browser prompt by selecting Other options, then Manage devices.
  3. On the Duo device management site, select Add a device.

    [Screenshot: Duo device management showing Add Device panel]
  4. Select Windows Hello from the list.

    [Screenshot: Duo device management showing Add a Device dialogue and Windows Hello listing highlighted]
  5. At the Set up Windows Hello prompt, select Continue.

    [Screenshot: Duo device management site with Set Up Windows Hello dialogue shown and blue Continue button highlighted]
  6. At the Choose where to save your passkey for duosecurity.com prompt, select Windows Hello.

    [Screenshot: Windows passkey save dialogue with Windows Hello selection highlighted]
  7. Scan your fingerprint when prompted by Windows Security.

    [Screenshot: Windows security dialogue requesting user scan fingerprint]
  8. Windows will confirm your passkey has been saved. Select OK.
  9. Duo will confirm that Windows Hello has been added as an authentication method.

    [Screenshot: Duo Added Windows Hello confirmation dialog with Continue button shown]
  10. Select Continue to return to the device management page. Close the browser.

After you have set up Windows Hello, if Duo prompts you to use Windows Hello but you would like to use a different method, click Other options in the Duo browser prompt for a list of your available methods.

  • Be aware that the Windows Hello method does not support CUVPN, RDP, or SSH authentication.
  • You must set up Windows Hello per browser. If you set it up in Chrome, it won’t automatically work in Firefox or Edge.
  • Windows Hello only works on the device where it was registered.
  • It is a good idea to set up multiple Duo authentication methods (e.g., Duo Mobile app, hardware token, USB security key) in case Windows Hello is unavailable.
