Attackers continually exploit a wide range of techniques to compromise accounts and fraudulently authenticate. Duo’s Risk-Based Authentication automatically detects and mitigates commonly-known attack patterns and high-risk anomalies. By targeting mitigation only to risky authentication attempts, Duo provides a higher level of security without compromising end-user experience.
Risk-Based Authentication consists of two key capabilities: Risk-Based Factor Selection and Risk-Based Remembered Devices.
Duo Premier and Duo Advantage customers can deploy Risk-Based Authentication by applying Duo policies to specific applications or groups of users to further enhance security and automatically detect and mitigate threats to access.
Duo Risk-Based Factor Selection analyzes authentication requests and adaptively enforces the most secure factors in response to risk. It continuously adapts its understanding of normal user behavior and identifies patterns of activity consistent with an attack.
When a known attack pattern or anomaly is detected, the user is permitted to authenticate using only the most secure factors. This authentication with restricted factors is known as a "step-up authentication".
For example, if Duo Push is enabled in the authentication methods policy for a web application, a step-up authentication will only permit access after completing a verified Duo Push in the Universal Prompt.
If step-up authentication fails, or the user marks the attempt as fraudulent in their mobile application, all transactions are recorded and available to administrators and security professionals in the authentication logs.
If the user completes one secure authentication — either via a more secure factor or with a bypass code received from a Duo administrator — they may resume authenticating using any of the factors generally available to them.
To assess risk, Duo Risk-Based Factor Selection considers the history of authentication activity from a single user or for a collection of users who have authenticated from an IP address. Depending upon the risk pattern, the algorithm may consider the time of authentication, the application's client ID or integration key, IP geolocation, or Wi-Fi Fingerprint provided by Duo Desktop.
Duo Risk-Based Factor Selection considers the following risk patterns:
Risk is assessed both in real time at the initiation of an authentication attempt and retrospectively after an authentication has failed. Once a risky pattern of activity is identified, step-up authentication will be required until the user successfully completes one secure authentication.
Duo Risk-Based Factor Selection works with existing authentication methods policy for web-based applications that show the Duo Universal Prompt and for the Duo Auth API application (meaning any client app that uses the named "Duo Auth API" application).
When Duo detects a high-risk authentication attempt from a user for an application with Risk-Based Factor Selection policy settings applied, Duo limits the available authentication methods to those that best protect against the risk. The user will only be allowed to authenticate by selecting from one of these secure methods to validate their authentication.
Authentication factors allowed in higher risk authentications:
Verified Duo Push - A more secure version of Duo Push that requires users to enter a numeric code from the authentication prompt on their mobile device. When enabling this option you may select a verification code length from three to six digits (default: 6). Verified Duo Push automatically adds a separate layer of security on top of push by asking the user to complete an action that requires them to interact with both the access and the authentication devices.
Roaming and platform authenticators - WebAuthn FIDO2 security keys with biometric or PIN verification, and authenticators or biometric sensors built into the device like Touch ID or Windows Hello.
Bypass codes - Bypass codes provided to users by a Duo administrator.
YubiKey passcodes - Passcodes generated by a YubiKey OTP token.
If Risk-based Factor Selection is enabled in a policy, ensure that your users have enrolled at least one of the secure factors listed above, so they can still log in when the available factors are limited. If the authentication log shows the warning "No secure factors registered" for a user, that user has not enrolled any of the allowed methods above.
To apply a new Risk-based Factor Selection policy to an application:
Log into the Duo Admin Panel as an administrator with the Owner or Administrator admin role.
Navigate to the details page of the application to which you want to apply the Risk-based Factor Selection policy. This must be an application that uses the Universal Prompt or the named Auth API application.
Click Apply a policy to all users if you want every user accessing this application subject to Risk-based Factor Selection, or click Apply a policy to groups of users to assign the new Risk-based Factor Selection policy to a group of users.
Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.
The policy editor launches with an empty policy.
Enter a descriptive Policy Name at the top of the left column, and then click the Risk-based Factor Selection policy item on the left.
Select the checkbox next to Limit available authentication methods based on risk. You can click Show available authentication methods to view more details about which secure authentication methods will be allowed by Risk-Based Factor Selection.
Adjust the "Verified Duo Push Code Length" from 6 (default) to a lower number of digits if you wish.
Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Risk-based Factor Selection policy selected.
If you opted to apply Risk-based Factor Selection as a group policy, start typing in the target group's name in the Groups field and select it from the suggested names.
Click the Apply Policy button. The application page shows the new application or group Risk-based Factor Selection policy assignment.
You can also edit an existing custom policy or your Global Policy to add the Risk-based Factor Selection option if you prefer.
For more information about creating and applying custom policies, see the Policy documentation.
Duo Risk-Based Factor Selection can suppress Unrealistic Travel or Country Code Mismatch detections for authentications whose IP address is in a specified list of known low-risk IPs. To define your low-risk IP addresses, edit the policy where you enabled the Risk-based Factor Selection options and specify a list of IP addresses, IP ranges or CIDRs in Add Trusted Networks.
If a Risk-based Factor Selection policy is applied to an application or user group and a user is not enrolled in a more-secure method or has no approved methods available:
If an approved method for Risk-Based Factor Selection is disabled via an authentication methods policy:
When a Risk-based Factor Selection policy is applied to an Auth API type application Duo responds to detected risk by limiting the factors available for the user.
Risk-based Factor Selection policy is effective only for the named "Duo Auth API" application. You can identify an Auth API application when you view it in the Duo Admin Panel by scrolling down to the "Settings" section of the application's details page and looking for a "Type" of "Auth API".
Application types other than "Auth API", even those built using Duo's Auth API methods, cannot apply effective Risk-based Factor Selection policies.
Risk-Based Factor Selection restriction has the following effects on the Auth API preauth response:
Duo Auth API v2 (Current): removes auto (automatic factor selection), push (Duo Push), and phone (phone callback) from the capabilities information for a phone device.
Duo Auth API v1 (Legacy): removes pushN (Duo Push) and phoneN (phone callback) from the factors information.
Unlike Universal Prompt applications, users may authenticate with a Duo Mobile passcode, a hardware token passcode, a passcode previously received via SMS, or a bypass code provided by your organization's Help Desk or Duo administrator. Verified Duo Push or roaming and platform authenticators can't be used with Auth API.
See the Auth API documentation for example API responses.
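As an added example (not Duo's own code or client library), the following Python inspects a parsed preauth response, detects the restricted shape described above, and derives which /auth factors a client can still offer. The JSON samples are constructed and the device ID is a placeholder.

```python
import json
import re

# Capabilities that Risk-Based Factor Selection strips from a phone device in a
# v2 preauth response (as the documentation above describes).
RESTRICTED_V2 = {"auto", "push", "phone"}
# v1 (legacy) lists factors as pushN / phoneN values in the "factors" dict.
RESTRICTED_V1 = re.compile(r"^(push|phone)\d+$")


def selectable_factors_v2(preauth_body):
    """Return (step_up, factors) for a parsed v2 /preauth response.

    step_up is True when a phone device is present but none of auto/push/phone
    survive, which is what a restricted response looks like. factors are the
    /auth factor names a client may still offer; "passcode" is always kept
    because Duo Mobile, hardware-token, SMS and bypass codes remain usable.
    """
    resp = preauth_body["response"]
    if resp.get("result") != "auth":
        return False, []                 # allow / deny / enroll: nothing to pick
    phones = [d for d in resp.get("devices", []) if d.get("type") == "phone"]
    caps = set()
    for dev in phones:
        caps.update(dev.get("capabilities", []))
    surviving = sorted(caps & RESTRICTED_V2)
    return bool(phones) and not surviving, surviving + ["passcode"]


def selectable_factors_v1(preauth_body):
    """Same check for a legacy v1 response; step_up here is a heuristic."""
    resp = preauth_body["response"]
    if resp.get("result") != "auth":
        return False, []
    values = {v for k, v in resp.get("factors", {}).items() if k != "default"}
    surviving = sorted(v for v in values if RESTRICTED_V1.match(v))
    return not surviving, surviving + ["passcode"]


# Constructed sample responses (not captured from a real Duo tenant).
RESTRICTED_V2_SAMPLE = json.loads("""{"stat": "OK", "response": {"result": "auth",
  "status_msg": "Account is active", "devices": [{"device": "DP-PLACEHOLDER-ID",
  "type": "phone", "number": "XXX-XXX-0100", "capabilities": ["sms", "mobile_otp"]}]}}""")
NORMAL_V2_SAMPLE = json.loads("""{"stat": "OK", "response": {"result": "auth",
  "status_msg": "Account is active", "devices": [{"device": "DP-PLACEHOLDER-ID",
  "type": "phone", "number": "XXX-XXX-0100",
  "capabilities": ["auto", "push", "sms", "phone", "mobile_otp"]}]}}""")

if __name__ == "__main__":
    print(selectable_factors_v2(NORMAL_V2_SAMPLE), selectable_factors_v2(RESTRICTED_V2_SAMPLE))
```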
Duo Risk-Based Remembered Devices strengthens Duo's Remembered Devices feature by adapting the duration of remembered device sessions in response to risk. It looks for authentications from anomalous network locations, which may indicate theft of the remembered device token or access attempts from a lost or stolen device. When an anomalous authentication attempt is detected, the remembered device session terminates and the user is required to reauthenticate.
In Duo’s traditional remembered devices policy, administrators set a fixed duration for how long a device is remembered. During login, the user opts into remembering the access device by checking the "Remember me..." option in the traditional Duo Prompt or choosing "Trust browser" in the Universal Prompt. When the remembered device session expires, the user is asked to reauthenticate.
With Risk-Based Remembered Devices, the remembered device session is established automatically, with no prompt to the user. The session may be terminated on a later authentication if Duo observes a change from the user's historical baseline. By targeting session termination to anomalous authentications, it enables administrators to set longer default remembered device session durations without sacrificing security.
Duo Risk-Based Remembered Devices evaluates each authentication in relation to the user's IP address history. Authentications from previously unseen network locations are identified as higher-risk and require reauthentication. The previous 30 days of the user's successful authentications are considered.
In addition to IP history, Duo also considers an optional Wi-Fi Fingerprint provided by Duo Desktop to ensure that IP address changes reflect actual changes in location and not normal usage scenarios like a user establishing an organizational VPN session.
Risk-Based Remembered Devices currently works for Duo’s browser-based integrations featuring either the Universal Prompt or the traditional Duo Prompt. These browser-based Duo Prompt user experiences collect IP address information for access devices and make it available in the authentication log.
In addition, Wi-Fi Fingerprint analysis requires installation of Duo Desktop on Windows and macOS access devices. Note that you do not need to configure Duo Desktop policies to make Wi-Fi Fingerprint information available to Risk-Based Remembered Device evaluation.
To apply a new Risk-Based Remembered Devices policy to an application:
Log into the Duo Admin Panel as an administrator with the Owner or Administrator admin role.
Navigate to the details page of the application to which you want to apply the Risk-Based Remembered Devices policy. This must be a browser-based application that uses the Universal Prompt or the traditional Duo Prompt.
Click Apply a policy to all users if you want every user accessing this application subject to Risk-Based Remembered Devices, or click Apply a policy to groups of users to assign the new Risk-Based Remembered Devices policy to a group of users.
Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.
The policy editor launches with an empty policy.
Enter a descriptive Policy Name at the top of the left column, and then click the Remembered devices policy item on the left.
Select the checkbox next to Remember devices for browser-based applications and then select the Remember devices using risk-based authentication for up to nn days option. Enter the maximum number of days you want a remembered device session to last.
Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Risk-Based Remembered Devices policy selected.
If you opted to apply Risk-Based Remembered Devices as a group policy, start typing in the target group's name in the Groups field and select it from the suggested names.
Click the Apply Policy button. The application page shows the new application or group Risk-Based Remembered Devices policy assignment.
You can also edit an existing custom policy or your Global Policy to add the Risk-Based Remembered Devices option if you prefer.
For more information about creating and applying custom policies, see the Policy documentation.
Risk-Based Remembered Devices can suppress detections of a novel IP address or novel Wi-Fi Fingerprint if the user is authenticating from a specified list of known low-risk IPs. To configure this, navigate to the policy and specify a list of IP addresses, IP ranges or CIDRs in Add Trusted Networks.
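The following Python is an added, simplified model of the novel-IP check and the trusted-network suppression described above; it is not Duo's algorithm, omits Wi-Fi Fingerprint, and runs over a constructed 30-day history for one user.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HISTORY_WINDOW = timedelta(days=30)  # the page: 30 days of successful authentications


def remembered_session_decision(history, attempt_ip, attempt_time, trusted_networks=()):
    """Simplified model (not Duo's implementation) of the Risk-Based Remembered Devices check.

    history: iterable of (timestamp, ip, succeeded) tuples for one user.
    Returns (terminate, reason). The attempt IP is novel when no successful
    authentication from it falls inside the 30-day window; a match in
    trusted_networks suppresses the detection, like Add Trusted Networks.
    """
    ip = ip_address(attempt_ip)
    if any(ip in ip_network(net, strict=False) for net in trusted_networks):
        return False, "trusted network"
    cutoff = attempt_time - HISTORY_WINDOW
    # Only successful authentications inside the window count as "seen".
    seen = {ip_address(h_ip) for ts, h_ip, ok in history
            if ok and cutoff <= ts <= attempt_time}
    if ip in seen:
        return False, "known IP"
    return True, "novel IP"


# Constructed history for one user (not real log data).
NOW = datetime(2024, 6, 1, 9, 0)
HISTORY = [
    (NOW - timedelta(days=2), "198.51.100.7", True),   # office, recent success
    (NOW - timedelta(days=45), "203.0.113.9", True),   # home, but outside 30 days
    (NOW - timedelta(days=1), "192.0.2.55", False),    # failed attempt: ignored
]
TRUSTED = ["10.0.0.0/8"]  # constructed trusted network

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.55", "10.20.30.40"):
        print(ip, remembered_session_decision(HISTORY, ip, NOW, TRUSTED))
```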
All risk-based policies offer comprehensive logging and monitoring capabilities in the authentication logs. In addition, any authentications flagged by users are part of the existing fraud reports.
Navigate to Reports → Authentication Logs in the Duo Admin Panel. Applying risk-based policies introduces a new "Trust Assessment" column in the authentication logs. That information along with the additional context information in the "Result" and "Authentication Method" columns shows when and why a step-up decision occurred.
Hover your cursor over the "Trust Assessment" column information to see more information about the underlying reasons for that decision and the policy enforced for that authentication.