Duo Verified Push and Risk Based Authentication


What is Risk-Based Authentication?

Authentication happens normally, unless Duo determines an authentication attempt is unusual or higher risk through a combination of factors:

  • Logon location and impossible travel - such as logon from Idaho and Amsterdam in the same hour
  • User denying authentication repeatedly, or reporting fraud
  • Logon from a new, unremembered device in combination with other factors
  • Logon to multiple user accounts from the same session

What does this look like?

If Duo detects a high-risk condition, the authentication will require a stronger second factor, typically a Verified Push, where you enter the 3-6 digit number shown on the webpage into your Duo Mobile application.

[Images: web page displaying the verification number; Duo Mobile verification prompt]


What if I don't use the Duo application, but get a call or text message for verification?

The following factors may be used during a high-risk authentication if the app is not available:

  • Hardware token
  • FIDO or WebAuthn - including Apple fingerprint reader or YubiKey, if enrolled
  • SMS code (if allowed for the user or application)
  • Bypass code supplied by Local Support


Article ID: 2368
Wed 11/2/22 11:25 AM
Wed 11/9/22 9:27 AM
