What is Risk-Based Authentication?
Authentication happens normally, unless Duo determines an authentication attempt is unusual or higher risk through a combination of factors:
- Logon location and impossible travel - such as logon from Idaho and Amsterdam in the same hour
- User denying authentication repeatedly, or reporting fraud
- Logon from a new, unremembered device in combination with other factors
- Logon to multiple user accounts from the same session
What does this look like?
If Duo detects a high-risk condition, the authentication will require a stronger second factor, typically a Verified Push, where you will need to enter the 3-6 digit number shown on the webpage into your Duo Mobile application.


What if I don't use the Duo application, but get a call or text message for verification?
The following factors may be used during a high-risk authentication if the app is not available:
- Hardware token
- FIDO or WebAuthn - including Apple fingerprint reader or YubiKey, if enrolled
- SMS code (if allowed for the user or application)
- Bypass code supplied by Local Support