Authentication Methods Security Guide
Last updated:
Overview
Duo offers a range of authentication methods with different security properties. Understanding those properties helps you choose the right configuration for your organization's needs and configure Duo's built-in security features to their full potential.
This guide covers:
- What security properties Duo Push provides, and how to strengthen it further
- Which methods meet the NIST standard for phishing-resistant authentication, the strongest protection available
- When to use one-time passcode (OTP) and telephony methods, and their limitations
- How to choose the right configuration for your security posture
Duo Push Security Properties and Limitations
Duo Push is Duo's most widely deployed authentication method. When a user logs in, Duo sends a real-time challenge to the Duo Mobile app on their enrolled device. The user must actively approve the request, and no one can replay the approval later.
Key security properties:
- Encrypted channel: The push request travels over a TLS-encrypted connection between Duo's service and the Duo Mobile app. Unlike OTP methods, there is no static secret for an attacker to intercept or replay.
- Real-time challenge: Each authentication generates a unique, time-bound request. Approving a push does not expose a reusable credential.
- Fraud reporting: Users who receive an unexpected push request can report it as fraud directly in Duo Mobile, immediately alerting administrators.
- Device binding: Duo Push requires Duo Mobile app activation on a specific enrolled device. An attacker cannot receive push requests without access to that device.
Standard Duo Push does not protect against phishing proxy attacks. See Phishing-Resistant Authentication for the strongest available protection. For many organizations, the controls described below bring Duo Push much closer to that standard while maintaining broad device compatibility.
Strengthen Duo Push Against Push Fatigue
Push fatigue (or MFA fatigue) attacks exploit the real-time approval model: an attacker who has obtained a user's password can spam push requests hoping the user approves one by mistake or out of frustration. Duo provides several enhancements to Duo Push authentication to address this.
Verified Duo Push
Verified Duo Push requires users to enter a numeric verification code shown in the login prompt before approving the push request in Duo Mobile. This ensures users must actively look at both the prompt and their phone. Users cannot approve a push request without engaging with the specific login attempt in progress.
To configure Verified Duo Push:
-
Log in to the Duo Admin Panel as an administrator with permission to edit policies.
-
Navigate to Policies → Policies and select an existing policy to edit, or click + Add Policy to create a new one.
-
Click the Authentication methods policy item on the left side of the policy editor.
-
Enable Duo Mobile Push in the "Second-factor authentication (2FA)" section.
-
Enable Require a Verified Duo Push with the Require users to enter a verification code option selected.
-
Select a Verification code length from 3 to 6 digits.
-
Save your changes or create the new policy.
-
If you created a new policy, apply it to the relevant application or groups.
Mobile inline authentication is the default user experience when a user logs in from a mobile device while the Verified Duo Push policy applies, to ensure a better experience without sacrificing security. Refer to What is Mobile Inline Authentication on Mobile Access? in the Duo Knowledge Base for details.
Verified Duo Push with Bluetooth Autofill
With Verified Duo Push with Bluetooth autofill, Duo Desktop transmits the encrypted verification code to Duo Mobile via Bluetooth Low Energy (BLE), confirming the user's phone is physically near the access device. This reduces friction while adding a proximity signal. The user can still manually enter the code when BLE is not available.
To configure Verified Duo Push with Bluetooth Autofill:
-
Log in to the Duo Admin Panel as an administrator with permission to edit policies.
-
Navigate to Policies → Policies and select an existing policy or click + Add Policy to create a new one.
-
Click the Duo Desktop & device health policy item on the left side of the policy editor.
-
In the "Duo Desktop" section, select Require Duo Desktop for Windows and macOS.
-
Click the Authentication methods policy item on the left.
-
Enable Duo Mobile Push in the "Second-factor authentication (2FA)" section.
-
Enable Require a Verified Duo Push with the Autofill the verification code with Bluetooth when possible option selected.
-
Choose the code length (configurable from 3 to 6 digits).
-
Save your changes or create the new policy.
-
If you created a new policy, apply it to the relevant application or groups.
Duo Mobile Proximity Verification
Duo Mobile proximity verification is the most stringent Duo Push option. It uses Bluetooth to confirm the user's phone is physically near their access device before the user can approve the push. This closes the push fatigue attack vector entirely. A bad actor cannot trick the user into approving a push if the access device with Duo Desktop is not in BLE range with the user's Duo Mobile. This does not require device pairing.
To configure Duo Mobile proximity verification:
-
Log in to the Duo Admin Panel as an administrator with permission to edit policies.
-
Navigate to Policies → Policies and select an existing policy or click + Add Policy to create a new one.
-
Click the Duo Desktop & device health policy item on the left side of the policy editor.
-
In the "Duo Desktop" section, select Require Duo Desktop for Windows and macOS.
-
Click the Authentication methods policy item on the left.
-
Enable Duo Mobile Push in the "Second-factor authentication (2FA)" section.
-
Enable Require a Verified Duo Push with the Require proximity verification with Bluetooth option selected.
-
Enable Duo Mobile Push in the "Passwordless authentication in SSO" section. This automatically enables Bluetooth proximity verification for passwordless logins.
-
Optionally disable Use browser cookies for verification when Duo Desktop is unavailable if you want strict trusted device assessment. Enable the Require devices to be registered using Duo Desktop option in your Duo Desktop & device health policy settings if you disable browser cookie verification.
-
Save your changes or create the new policy.
-
If you created a new policy, apply it to the relevant application or groups.
Proximity verification also qualifies as phishing-resistant authentication because it includes cryptographic origin binding through Duo Desktop. See Phishing-Resistant Authentication to learn more.
Risk-Based Authentication
Available in: Duo Advantage and Duo Premier
Rather than requiring all users to use a stronger factor at all times, Risk-Based Authentication monitors authentication patterns and automatically enforces step-up authentication when Duo detects anomalous activity, such as a login from an unusual location, device, or access pattern. When a step-up is triggered, Duo permits only verified push and other secure factors until the user completes a successful secure authentication.
This lets you maintain a low-friction experience for normal logins while ensuring that genuinely risky authentication attempts face a higher security bar, without requiring administrators to manually identify and respond to each threat.
Duo Desktop Authentication
Duo Desktop as an authentication method is inherently fatigue-resistant because authentication requests go only to the Duo Desktop application on the access device itself — eliminating a separate phone as an attack target. Duo Desktop also performs origin binding to ensure the authentication request comes from a legitimate domain. It serves as the foundation for proximity verification and Bluetooth autofill, the strongest Duo Push configurations described above.
To configure Duo Desktop authentication:
-
Log in to the Duo Admin Panel as an administrator with permission to edit policies.
-
Navigate to Policies → Policies and select an existing policy or click + Add Policy to create a new one.
-
Click the Duo Desktop & device health policy item on the left side of the policy editor.
-
In the "Duo Desktop" section, select Require Duo Desktop for Windows and macOS.
-
Click the Authentication methods policy item on the left.
-
Enable Duo Desktop authentication in the "Second-factor authentication (2FA)" section.
-
Save your changes or create the new policy.
-
If you created a new policy, apply it to the relevant application or groups.
Phishing-Resistant Authentication
Push fatigue attacks require a user with a compromised password to also approve a fraudulent push. Phishing attacks go further: an attacker can set up a proxy site that relays a user's credentials and authentication in real time, capturing the session. Standard Duo Push does not protect against this class of attack.
Phishing-resistant authentication, as defined by NIST SP 800-63B-4, requires cryptographic binding between the authentication and the specific site accessed by the user. The authenticator uses a cryptographic signature to prove the login is happening at the genuine site, so a proxy cannot forge this binding. If an attacker intercepts the session through a fake site, the authentication simply fails.
The following Duo authentication methods meet this standard:
Second-factor authentication (2FA) Methods
- Platform authenticator (Touch ID, Face ID, Windows Hello, Android biometric)
- Roaming authenticator (FIDO2 security key with PIN or biometric verification required)
- Duo Mobile Push with Bluetooth proximity verification
Passwordless Methods
- Platform authenticator (Touch ID, Face ID, Windows Hello, Android biometric)
- Roaming authenticator (FIDO2 security key with PIN or biometric)
- Duo Mobile Push with Bluetooth proximity verification
To enable phishing-resistant platform or roaming authentication methods:
-
Log in to the Duo Admin Panel as an administrator with permission to edit policies.
-
Navigate to Policies → Policies and select an existing policy or click + Add Policy to create a new one.
-
Click the Authentication methods policy item on the left side of the policy editor.
-
Enable Platform authenticator (passkey / WebAuthn) in the "Second-factor authentication (2FA)" section.
-
Enable Roaming authenticator (passkey / WebAuthn) and optionally enable Require user verification with a PIN or biometric if your users' security keys support it.
-
Enable Platform authenticator (passkey / WebAuthn) in the "Passwordless authentication in SSO" section.
-
Enable Roaming authenticator (passkey / WebAuthn). Your users' security keys must support PIN or biometric verification.
-
Save your changes or create the new policy.
-
If you created a new policy, apply it to the relevant application or groups.
Mobile inline authentication is the default user experience when a user logs in from a mobile device while MFA or passwordless proximity verification policy applies, to ensure a better experience without sacrificing security. Refer to What is Mobile Inline Authentication on Mobile Access? in the Duo Knowledge Base for details.
For organizations subject to federal compliance requirements, NIST guidance requires offering a phishing-resistant option and, for certain use cases, mandating it. See Duo's Federal Edition guide for FedRAMP-specific configuration.
OTP and Telephony Methods
SMS passcodes, phone callback, Duo Mobile passcodes, and hardware tokens are one-time passcode (OTP)-based or telephony methods that remain valid for many deployments. They are useful where push is not feasible: offline environments, users without smartphones, or systems that do not support the Universal Prompt.
Their key limitation compared to push methods is that they rely on shared secrets or telephony channels that Duo does not control:
- SMS passcodes travel over the public telephone network, which is vulnerable to SIM swapping, number porting, and SS7-based interception.
- Phone callback uses the same telephony infrastructure and carries the same risks. It requires only a key press to confirm. Without a code to enter, it is susceptible to MFA fatigue attacks.
- Duo Mobile and hardware token passcodes generate OTPs locally and do not have telephony vulnerabilities, but an attacker can phish the passcode itself: a user who enters their passcode on a fake site hands it to the attacker.
None of these methods protect against a real-time phishing proxy. Consider disallowing them in your authentication methods policies to strengthen your security posture.
Enrollment Policy
To require phishing-resistant methods at enrollment, use an enrollment policy to restrict which authenticators users can register.
-
Navigate to Policies → User Enrollment and Account Management in the Duo Admin Panel.
-
Edit an existing policy or click + Add Policy to create a new one.
-
Click Authenticators on the left and then make these selections:
- Select Passkey (biometric, security key), Duo Mobile, and Duo Desktop.
- Do not select Phone number.
-
Save your changes or create the new policy.
-
If you created a new enrollment policy, click Apply user group policy to assign it to selected groups.
Choose the Right Configuration
Use these recommendations to craft your strategy for Duo authentication method policies that offer enhanced security:
-
The strongest starting point is to enable phishing-resistant methods with passkeys (platform authenticators, roaming authenticators, or both), and Duo Mobile proximity verification for any users whose devices support them.
-
When phishing-resistant methods are not feasible, Verified Duo Push and Duo Desktop authentication both provide fatigue resistance.
-
Layer Risk-Based Authentication across all users to automatically enforce step-up authentication when Duo detects anomalous activity.
-
Reserve OTP and telephony methods as fallbacks for environments that cannot support push or passkey authentication, not as primary factors.