Duo - Verified Push Risk-Based Authentication
Summary
Duo risk-based authentication requires more stringent proof of identity for login attempts under questionable circumstances.
Body
Duo "Verified Push" is when you are prompted to enter three to six digits during the Duo MFA sign-in process. This typically occurs when a risk has been identified during authentication. https://duo.com/docs/policy#verified-push
What is Risk-Based Authentication?
Authentication happens normally, unless Duo determines an authentication attempt is unusual or higher risk through a combination of factors:
- Login location & Impossible Travel (e.g., login from Nebraska & Italy in the same hour)
- User denying authentication repeatedly or reporting fraud
- Login from a new, unremembered device in combination with other factors
- Login to multiple user accounts from the same session
What does this look like?
If Duo detects a high-risk condition, the authentication will require a stronger second factor (typically a Verified Push), where you will need to enter the 3-6 digit number from the webpage into your Duo Mobile application.
What if I don't use the Duo application?
The following factors may be used during a high-risk authentication if the app is not available:
- Roaming Authenticators - FIDO2-compliant WebAuthn security keys (e.g., YubiKeys)
- Platform Authenticator - Touch ID using compatible browsers (e.g., Chrome or Edge)
Details
Article ID: 216
Created: Fri 4/5/24 1:05 PM
Modified: Mon 3/30/26 9:55 AM