What is Risk-Based Authentication?

Authentication happens normally unless DUO determines an authentication attempt is unusual or higher risk through a combination of factors:

  • Logon location and impossible travel – such as logins from Idaho and Amsterdam in the same hour
  • Users denying authentication repeatedly or reporting fraud
  • Login to multiple user accounts from the same session
  • Logon from a new, unremembered device in combination with other factors

If DUO detects a high-risk condition

The authentication will require a stronger second factor, typically a Verified Push, where you will need to enter the 6-digit number from the webpage into your DUO Mobile application. 

[Images: DUO Verified Push - Web Prompt; DUO Verified Push - DUO Mobile App prompt]
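To illustrate how an impossible-travel signal can lead to a stronger factor being required, here is an added example; it is not DUO's risk engine and not code from this page. The speed ceiling, the 50 km noise radius, the event format, and the factor names "verified_push" and "standard" are assumptions, and the check uses travel alone, where the page describes a combination of factors.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000  # assumed ceiling, roughly commercial airliner speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev, cur, max_speed_kmh=MAX_SPEED_KMH):
    """True if getting from one login to the next needs more than max_speed_kmh."""
    hours = abs((cur["time"] - prev["time"]).total_seconds()) / 3600
    dist = haversine_km(prev["geo"], cur["geo"])
    if dist < 50:  # assumed noise radius: geo-IP jitter, not real travel
        return False
    return hours == 0 or dist / hours > max_speed_kmh

def required_factor(events):
    """Check one user's logins in time order; step up on any impossible hop."""
    ordered = sorted(events, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        if impossible_travel(prev, cur):
            return "verified_push"  # hypothetical label for the stronger factor
    return "standard"               # hypothetical label for normal authentication

# Constructed sample events; coordinates are approximate (Boise, Idaho and Amsterdam).
BOISE, AMSTERDAM = (43.62, -116.20), (52.37, 4.90)
SAMPLE_RISKY = [
    {"time": datetime(2024, 1, 8, 9, 0), "geo": BOISE},
    {"time": datetime(2024, 1, 8, 9, 40), "geo": AMSTERDAM},  # same hour
]
SAMPLE_NORMAL = [
    {"time": datetime(2024, 1, 8, 9, 0), "geo": BOISE},
    {"time": datetime(2024, 1, 9, 9, 0), "geo": AMSTERDAM},   # a day later
]

if __name__ == "__main__":
    print(required_factor(SAMPLE_RISKY))
    print(required_factor(SAMPLE_NORMAL))
```

The 50 km floor keeps small geolocation differences between logins in the same area from being treated as travel.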

What if I don’t use the Duo application?

The following factors may be used during a high-risk authentication if the app is not available:

  • Bypass codes – provided by the Help Desk
  • Roaming and platform authenticators – WebAuthn FIDO2 security keys with biometric or PIN verification, and authenticators or biometric sensors built into the device like Touch ID or Windows Hello
