Duo "Verified Push" is when you are prompted to enter three to six digits during the Duo MFA sign-in process. This typically occurs when a risk has been identified during authentication. https://duo.com/docs/policy#verified-push
What is Risk-Based Authentication?
Authentication happens normally, unless Duo determines an authentication attempt is unusual or higher risk through a combination of factors:
- Login location & Impossible Travel - (I.e. login from Nebraska & Italy in the same hour)
- User denying authentication repeatedly or reporting fraud
- Login from a new, unremembered device in combination with other factors
- Login to multiple user accounts from the same session
What does this look like?
If Duo detects a high risk condition, the authentication will require a stronger second factor (typically a Verified Push) where you will need to enter the 3-6 digit number from the webpage into your Duo Mobile application.
What if I don't use the Duo application?
The following factors may be used during a high risk authentication if the app is not available:
- Roaming Authenticators - FIDO2-compliant WebAuthn security keys (ex. Yubikeys)
- Platform Authenticator - Touch ID using compatible browsers (ex. Chrome or Edge)