Duo Verified Push & Risk Based Authentication

Duo "Verified Push" prompts you to enter a three- to six-digit code during the Duo MFA sign-in process. This typically occurs when a risk has been identified during authentication. See https://duo.com/docs/policy#verified-push for details.

What is Risk-Based Authentication?

Authentication happens normally unless Duo determines, through a combination of factors, that an authentication attempt is unusual or higher risk:

  • Login location & Impossible Travel (e.g., logins from Nebraska and Italy in the same hour)
  • User denying authentication repeatedly or reporting fraud
  • Login from a new, unremembered device in combination with other factors
  • Login to multiple user accounts from the same session
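
The signals listed above can be sketched as a step-up decision over authentication events. This is an added example, not Duo's code or algorithm: the event fields, thresholds, signal names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for illustration; these are not Duo's values.
MAX_SPEED_KMH = 1000          # faster than a commercial flight => impossible travel
DENY_LIMIT = 3                # denied or fraud-reported prompts inside the window
WINDOW = timedelta(hours=1)

@dataclass
class Event:
    user: str
    session: str
    time: datetime
    lat: float
    lon: float
    result: str               # "approved", "denied" or "fraud"

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_signals(history, attempt):
    """Return the risk signals a new attempt raises against the last hour of events."""
    signals = set()
    recent = [e for e in history if timedelta(0) <= attempt.time - e.time <= WINDOW]
    mine = [e for e in recent if e.user == attempt.user]
    for e in mine:
        hours = max((attempt.time - e.time).total_seconds() / 3600, 1 / 60)
        if km_between(e, attempt) / hours > MAX_SPEED_KMH:
            signals.add("impossible_travel")
    if sum(e.result in ("denied", "fraud") for e in mine) >= DENY_LIMIT:
        signals.add("repeated_denials")
    if {e.user for e in recent if e.session == attempt.session} - {attempt.user}:
        signals.add("multiple_accounts_in_session")
    return signals

def required_factor(history, attempt):
    """Step up to a Verified Push when any risk signal is present."""
    return "verified_push" if risk_signals(history, attempt) else "standard_push"

# Constructed sample data: Omaha, Nebraska, then Rome, Italy 40 minutes later.
T0 = datetime(2024, 1, 1, 12, 0)
HISTORY = [Event("alice", "s1", T0, 41.26, -95.93, "approved")]
ROME = Event("alice", "s2", T0 + timedelta(minutes=40), 41.90, 12.50, "approved")
OMAHA = Event("alice", "s3", T0 + timedelta(minutes=40), 41.26, -95.93, "approved")
```
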

What does this look like?

If Duo detects a high-risk condition, the authentication will require a stronger second factor (typically a Verified Push), where you will need to enter the 3-6 digit number from the webpage into your Duo Mobile application.

What if I don't use the Duo application?

The following factors may be used during a high-risk authentication if the app is not available:

  • Roaming Authenticators - FIDO2-compliant WebAuthn security keys (e.g., YubiKeys)
  • Platform Authenticator - Touch ID using compatible browsers (e.g., Chrome or Edge)