
Trying to Find a Balance: Introducing Risk-Based Authentication

As we move through life, we are constantly seeking balance.

As a father, I balance keeping my children safe with helping them grow through challenging experiences. As an employee, I balance my responsibilities to my team with the demands of parenting and community engagement, all while saving some energy for mountain biking. As a human, I balance my goals with the constraints of finite resources and time. Looking at ecology, sociology or economics, we see similar patterns of competing forces finding moments of equilibrium before facing disruption.

Cybersecurity is no exception. As a security professional, you work tirelessly to balance dozens of competing priorities in an organization. Employees want to get their jobs done without hassle. Executives need immediate access to important files from the other side of the world. Independent contractors won’t install your company software on their personal devices. All of these demands make it much harder to implement the most secure protocols, procedures and technology, and to follow the most secure practices: employing the most secure authentication methods, requiring constant re-authentication and only allowing access from corporate devices.

For brief moments you might strike the right balance, only to be disrupted by new and emerging threats, changing user behavior, and a complex IT environment.

To help you find that balance, we are excited to introduce Duo Risk-Based Authentication, which automatically looks for known threats, anomalies or insecure behavior and mitigates risk at the point of authentication. Risk-Based Authentication, a cornerstone of Continuous Trusted Access, gives you the confidence to balance the needs of your workforce while ensuring better security at the point of authentication.

How does it work?

Risk-Based Authentication assesses user and device telemetry to identify known threat patterns and high-risk anomalies. Duo focuses specifically on account takeover, looking for:

  • Push harassment or fatigue

  • Location anomalies

  • Compromised passwords

  • Fraudulent device enrollment

When Duo detects something suspicious, the authentication automatically steps up to a Verified Duo Push or more secure factor to ensure the user is who they say they are. After the user re-establishes trust, they can return to their normal, lower-friction authentication method.

We also enhanced Duo Remembered Devices to account for changes in risk: when we recognize the device a user is on, we use a securely generated device token to authenticate.

For example, imagine a corporate employee logs in to an application from the office. A Duo Remembered Devices policy would secure a remembered device token that allows them seamless access. Next, say they decide to work from a nearby coffee shop: Duo will automatically detect that something has changed and require the user to re-authenticate. If we see that this was an anomalous location, we would go further and require a Verified Duo Push. Once these challenges are successfully completed, we are able to baseline this behavior and ensure only high-risk authentications from this user are stepped up going forward.
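The office and coffee-shop flow above, modelled as an added example (it is not Duo's code and not part of the original post). Binding the token to the network, treating an unseen region as the anomalous location, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: one secret per deployment

def issue_token(user, device_id, network):
    """Remembered-device token bound to user, device and network (assumed binding)."""
    msg = f"{user}|{device_id}|{network}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class RiskEngine:
    def __init__(self):
        self.baseline = {}  # user -> regions seen after a passed challenge

    def decide(self, user, device_id, network, region, token=None):
        """Return 'allow', 'reauth' or 'verified_push' for one login attempt."""
        if region not in self.baseline.get(user, set()):
            return "verified_push"  # anomalous location: strongest step-up
        expected = issue_token(user, device_id, network)
        if token is not None and hmac.compare_digest(token, expected):
            return "allow"          # recognised device, unchanged context
        return "reauth"             # something changed: authenticate again

    def challenge_passed(self, user, device_id, network, region):
        """Baseline the new context and return a fresh remembered-device token."""
        self.baseline.setdefault(user, set()).add(region)
        return issue_token(user, device_id, network)

def walk_through():
    """Constructed scenario: office, nearby coffee shop, then a distant region."""
    eng = RiskEngine()
    who = ("alice", "laptop-1")  # constructed user and device id
    tok = eng.challenge_passed(*who, "office-lan", "region-A")
    steps = [eng.decide(*who, "office-lan", "region-A", tok)]       # office
    steps.append(eng.decide(*who, "cafe-wifi", "region-A", tok))    # coffee shop
    tok = eng.challenge_passed(*who, "cafe-wifi", "region-A")
    steps.append(eng.decide(*who, "cafe-wifi", "region-A", tok))    # cafe again
    steps.append(eng.decide(*who, "hotel-wifi", "region-B", tok))   # anomalous
    tok = eng.challenge_passed(*who, "hotel-wifi", "region-B")
    steps.append(eng.decide(*who, "hotel-wifi", "region-B", tok))   # baselined
    return steps

if __name__ == "__main__":
    print(walk_through())
```

Because the token in this model is derived from the device id as well as the user, a token copied to a different device does not match and falls back to re-authentication.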

In summary, these tools make every authentication more secure and give you the confidence to make access for your workforce more seamless.

Where do we go from here?

This is just the first step in our journey toward Continuous Trusted Access. As we move forward, we are committed to bringing our customers more tools to achieve balance, with:

  • Improved detection capabilities that respond to the latest threats around identity and account

  • Going beyond the point of login to ensure device and user trust throughout application sessions

  • Passwordless authentication to remove the weakest points in your authentication flow and ensure security using the most advanced security protocols