
Easily Enable Conditional Access by Country with Duo

The conflict in Ukraine has shined a light on threats from bad actors operating from specific parts of the world. If you haven’t done so already, this is an opportune time to evaluate, and if necessary tighten, your organization’s security posture. Enabling conditional access policies that block access from specific countries would be an excellent way to do this.

Our latest Duo Trusted Access Report found that roughly 91% of organizations implementing location restrictions choose to restrict attacks from Russia or China (while 60% block both). Other countries topping the list include North Korea (41%), Iran (38%), Ukraine (28%), Afghanistan (27%), Iraq (21%), Belarus (20%), Nigeria (19%), and Syria (18%):

Graph showing the percentage of organizations that block each of 10 countries: 82% of organizations block Russian authentications, 72.6% block Chinese authentications, 41.7% block North Korean authentications, 38.3% block Iranian authentications, 28.3% block Ukrainian authentications, 27.5% block Afghan authentications, 21.7% block Iraqi authentications, 20.4% block Belarusian authentications, 19% block Nigerian authentications, and 18.9% block Syrian authentications.

How to block access by location with Duo

Duo Access and Duo Beyond customers can set a conditional access policy in only a few minutes that prevents unauthorized access from any location.

To change your user location policy, go into the Duo Admin Panel, navigate to Policies, and click “Edit Global Policy.” Start typing the country name into the Duo Admin Panel to select it from the list. Change the drop-down to “Deny access,” then click “Save.” This prevents all authentication attempts from IP addresses that originate from the selected country.

This policy setting overrides other access policies, like Authentication Policy, Authorized Networks and Remembered Devices, when the setting applied here is more restrictive than the setting applied by those other policy options.
