Duo can notify users about changes to their account, such as when authentication devices are added or removed. These notifications take the form of an email or a Duo Mobile prompt and ask the user whether they made the change. This alerts the user if a bad actor has compromised their account and silently attempted to make device changes to reroute 2FA protocols.
Use case: User completes Duo device enrollment process via TrueYou Self Service
Action: User receives welcome verification email from no-reply@duosecurity.com
*Example of email notification
Use case: Admin creates Bypass Code
Action: No email or app notification sent from Duo
Use case: Mobile Device, Tablet, Security Key added via TrueYou Self Service
Action: Email sent from no-reply@duosecurity.com and/or In-App notification
*Example of email notification
*Example of In-App Notification
Use case: Mobile Device, Tablet, Security Key removed via TrueYou Self Service
Action: Email sent from no-reply@duosecurity.com and/or In-App notification
*Example of email notification
*Example of In-App Notification
*Note: If a security key is the only device associated with a Duo account, then only an email will be sent.
If the user made the change and received the email, no further action is necessary. If the user made the change and received the in-app notification, they should click "Yes, it was me" and they'll receive a "thanks for confirming" message.
*Example of In-App Notification
If they did not make the change, they can click or tap "No, it wasn't me" in the message. This sends an email notification to the recipients configured in the Duo "notification email" setting in the "Lockout and Fraud" section. Below is an example of the email sent to Duo Admins. This does not appear as a security event in the Trust Monitor.
*Example of email notification