Upcoming Change
Starting September 12th Risk Based Authentication will only work with following methods:
- Duo Mobile
- FIDO or WebauthN - including Apple fingerprint reader or Yubikey, if enrolled
- Bypass code provided by your TSP or Duo admin
*Passcodes will no longer work.
Overview
Duo "Verified Push" is when you are prompted to enter 3 digits during the Duo MFA sign-in process. This typically occurs when a risk has been identified during authentication. https://duo.com/docs/policy#verified-push
Authentication happens normally, unless Duo determines an authentication attempt is unusual or higher risk through a combination of factors:
- Logon location and impossible travel - such as logon from Idaho and Amsterdam in the same hour
- User denying authentication repeatedly, or reporting fraud
- Logon from a new, unremembered device in combination with other factors
- Logon to multiple user accounts from the same session
If Duo detects a high risk condition, the authentication will require a stronger second factor, typically a Verified Push, where you will need to enter the 3-6 digit number from the webpage into your Duo Mobile application.
The following factors may be used during a high risk authentication if the app is not available:
- FIDO or WebauthN - including Apple fingerprint reader or Yubikey, if enrolled
- Bypass code provided by your TSP or Duo admin
After September 11, 2023 the following methods will not work for a high risk authentication:
- SMS passcodes
- Duo mobile passcodes
- Hardware tokens (fobs)