What is Risk-Based Authentication?

Authentication happens normally unless DUO determines an authentication attempt is unusual or higher risk through a combination of factors:

  • User marked fraud: A user has indicated they weren’t responsible for a login by marking it as suspicious in the Duo Mobile app.
  • Push harassment: A pattern of failed authentications is consistent with an adversary performing a targeted push harassment attack against a single user.
  • Push spray: A pattern of failed authentications is consistent with an adversary performing a non-targeted push attack against multiple users.
  • Unrealistic travel: A user attempts to authenticate from a new location that would be impossible to reach based on the past authentication time and location.
  • Country code mismatch: The authentication device and access device appear to be in two different countries.
  • Novel ASN: A user attempts to authenticate from an autonomous system number (ASN) not seen in the organization’s recent history of successful authentication.

If DUO detects a high-risk condition

The authentication will require a stronger second factor, typically a Verified Push, where you will need to enter the 6-digit number from the webpage into your DUO Mobile application. 

DUO Verified Push - Web PromptDUO Verified Push - DUO Mobile App prompt

What if I don’t use the Duo application?

The following factors may be used during a high-risk authentication if the app is not available:

  • Bypass codes – Bypass codes provided by the Help Desk
  • Roaming and platform authenticators – WebAuthn FIDO2 security keys with biometric or PIN verification, and authenticators or biometric sensors built into the device like Touch ID or Windows Hello
Tagged in: