Duo Risk-Based Authentication

Last Updated: September 27th, 2022

Duo Risk-Based Authentication is in Public Preview. Related policy settings show an "Early Access" badge. Learn more about Duo's product release terms.

Overview

There are always new and emerging techniques that attackers exploit to compromise accounts and fraudulently authenticate. Duo’s Risk-Based Authentication automatically detects and mitigates commonly known attack patterns and high-risk anomalies to provide a higher level of security without compromising end-user experience.

Duo does this by detecting risk and automatically providing step-up authentication with two key capabilities: Risk-Based Factor Selection and Risk-Based Remembered Devices.

Duo Beyond and Duo Access customers can deploy Risk-Based Authentication by applying Duo policies to specific applications or groups of users to further enhance security and automatically detect and mitigate threats to access.

Risk-Based Factor Selection

Duo Risk-Based Factor Selection detects and analyzes authentication requests and adaptively enforces the most secure factors. It highlights risk and adapts its understanding of normal user behavior. It does this by looking for known attack patterns or anomalies and then allowing only the more secure authentication methods to gain access.

When Duo detects one of the known attack patterns or anomalies, the user must authenticate using only the most secure factors. If that authentication fails, or the user marks it as fraudulent in their mobile application, all transactions are recorded and available to administrators and security professionals in the authentication logs.

For example, if Duo Push is enabled in the authentication methods policy for a web application, a step-up authentication will only permit access after completing a verified Duo Push in the Universal Prompt.

If the user completes one secure authentication — either via a more secure factor or with a bypass code received from a Duo administrator — they may resume authenticating using any of the factors generally available to them.

Known Attack Patterns and Anomalies

Duo Risk-Based Factor Selection considers the following attack patterns as high risk:

  • Request generation: A user has indicated they weren’t responsible for a login.
  • Anomalous and suspicious activity: There are unusual authentication attributes, such as the geolocation, or there exist patterns such as repeated failures that are indicative of attacks.
  • Push spray: Authentications show characteristics of an adversary performing a non-targeted push attack across multiple users.
  • Push harassment: Authentications show characteristics of an adversary performing a targeted push harassment attack.

Risk-Based Factor Selection Requirements

Duo Risk-Based Factor Selection works with existing authentication methods policy for web-based applications that show the Duo Universal Prompt and for the Duo Auth API application (meaning any client app that uses the named "Duo Auth API" application).

Risk-Based Factor Selection Methods

When Duo detects a high-risk authentication attempt from a user for an application with Risk-Based Authentication policy settings applied, Duo limits the available authentication methods to those that best protect against the risk. The user will only be allowed to authenticate by selecting one of these secure methods.

Authentication factors allowed in higher risk authentications:

  • Passcodes and tokens - Passcodes generated by the Duo Mobile app or a hardware token, passcodes received via SMS, or bypass codes provided to users by a Duo administrator. Auth API application authentications will be limited to this method only.

  • Roaming and platform authenticators - WebAuthn FIDO2 security keys with biometric or PIN verification, and authenticators or biometric sensors built into the device like Touch ID or Windows Hello.

  • Verified Duo Push - A more secure version of Duo Push that requires users to enter a code from the authentication prompt on their mobile device.

Note: Verified Duo Push automatically adds a separate layer of security on top of push by asking the user to complete an action that requires them to be present with both devices and is currently in early access.

Enable Risk-Based Authentication

To apply a new Risk-based Factor Selection policy to an application:

  1. Log into the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the application to which you want to apply the Risk-based Factor Selection policy. This must be an application that uses the Universal Prompt or the named Auth API application.

  3. Click Apply a policy to all users if you want every user accessing this application subject to Risk-based Factor Selection, or click Apply a policy to groups of users to assign the new Risk-based Factor Selection policy to a group of users.

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

  5. The policy editor launches with an empty policy.

  6. Enter a descriptive Policy Name at the top of the left column, and then click the Risk-based Factor Selection policy item on the left.

  7. Select the checkbox next to Limit available authentication methods based on risk. You can click Show available authentication methods to view more details about which secure authentication methods will be allowed by Risk-Based Factor Selection.

  8. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Risk-based Factor Selection policy selected.

  9. If you opted to apply Risk-based Factor Selection as a group policy, start typing in the target group's name in the Groups field and select it from the suggested names.

  10. Click the Apply Policy button. The application page shows the new application or group Risk-based Factor Selection policy assignment.

Duo Risk-based Factor Selection Policy Enabled

You can also edit an existing custom policy or your Global Policy to add the Risk-Based Factor Selection option if you prefer.

For more information about creating and applying custom policies, see the Policy documentation.

Authentication Scenarios

If a Risk-based Factor Selection policy is applied to an application or user group and a user is not enrolled in a more secure method or has no approved methods available:

  • The user will be allowed to authenticate with a bypass code issued by a Duo administrator or your organization's Help Desk in order to enroll a more-secure method.

If an approved method for Risk-Based Factor Selection is disabled via an authentication methods policy:

  • That method will be disabled for Risk-Based Factor Selection. If Duo Push is disabled, verified Duo Push will not be available.

Risk-Based Factor Selection and the Auth API

When a Risk-based Factor Selection policy is applied to an Auth API type application, Duo responds to detected risk by limiting the factors available to the user.

Risk-based Factor Selection policy is effective only for the named "Duo Auth API" application. You can identify an Auth API application when you view it in the Duo Admin Panel by scrolling down to the "Settings" section of the application's details page and looking for a "Type" of "Auth API".

Application types other than "Auth API", even those built using Duo's Auth API methods, cannot apply effective Risk-based Factor Selection policies.

Risk-Based Factor Selection restriction has the following effects on the Auth API preauth response:

  • Duo Auth API v2 (Current): removes auto (automatic factor selection), push (Duo Push), and phone (phone callback) from the capabilities information for a phone device.

  • Duo Auth API v1 (Legacy): removes pushN (Duo Push) and phoneN (phone callback) from the factors information.

Users may authenticate with a Duo Mobile passcode, a hardware token passcode, a passcode previously received via SMS, or a bypass code provided by your organization's Help Desk or Duo administrator.

See the Auth API documentation for example API responses.
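As an added example (not Duo's own code or client library), the Python below shows how an Auth API client should consume a preauth response once a Risk-Based Factor Selection policy may be in effect: it reads the capabilities (v2) or factors (v1) that preauth actually advertises instead of assuming push is available, falls back to factor=passcode when push and phone are gone, and flags the restriction so the client can log it. The response bodies are constructed to match the field names the page names (devices[].capabilities, factors with pushN/phoneN); the device IDs, phone numbers and the exact v1 factors layout are assumptions.

```python
"""Choose a second factor from a Duo Auth API preauth response.

Added example, not Duo's code. During a Risk-Based Factor Selection
step-up, preauth stops advertising push/phone/auto (v2: per-device
'capabilities'; v1: pushN/phoneN entries in 'factors'). A client that
hard-codes factor="auto" breaks; it must read what preauth offers and
fall back to factor="passcode" (Duo Mobile, hardware token, SMS or
bypass code). Device IDs, numbers and the v1 layout are constructed.
"""
from __future__ import annotations

# Capabilities the page lists as still allowed during a step-up; each is
# redeemed with factor="passcode" on the /auth endpoint.
PASSCODE_CAPABILITIES = {"mobile_otp", "sms"}
# Capabilities the page says the restriction removes from phone devices.
STEP_UP_REMOVED = {"auto", "push", "phone"}


def _base(name: str) -> str:
    """'push1' -> 'push', 'sms2' -> 'sms' (v1 factor strings carry a slot digit)."""
    return name.rstrip("0123456789")


def advertised_factors(preauth: dict, api_version: int = 2) -> set[str]:
    """Normalise what preauth offers to the vocabulary {push, phone, passcode}."""
    body = preauth["response"]
    offered: set[str] = set()
    if api_version == 2:
        for dev in body.get("devices", []):
            if dev.get("type") == "token":
                offered.add("passcode")  # hardware tokens only take passcodes
            for cap in dev.get("capabilities", []):
                offered.add("passcode" if cap in PASSCODE_CAPABILITIES else cap)
    elif api_version == 1:
        for slot, name in body.get("factors", {}).items():
            if slot != "default":
                offered.add("passcode" if _base(name) in PASSCODE_CAPABILITIES else _base(name))
    else:
        raise ValueError(f"unsupported Auth API version {api_version}")
    offered.discard("auto")  # 'auto' selects a factor; it is not one itself
    return offered


def step_up_in_effect(preauth: dict, api_version: int = 2) -> bool:
    """Heuristic: a phone is enrolled, yet none of auto/push/phone is offered.
    Worth logging client-side so support can correlate it with the
    "Trust Assessment" column in the Admin Panel authentication log."""
    body = preauth["response"]
    if api_version == 2:
        phones = [d for d in body.get("devices", []) if d.get("type") == "phone"]
        caps = {c for d in phones for c in d.get("capabilities", [])}
        return bool(phones) and not (caps & STEP_UP_REMOVED)
    factors = {_base(n) for k, n in body.get("factors", {}).items() if k != "default"}
    return bool(factors) and not (factors & {"push", "phone"})


def choose_factor(preauth: dict, api_version: int = 2) -> dict:
    """Return the factor (and, for v2, the device) to pass to /auth.
    factor is None when preauth already decided (allow/deny/enroll)."""
    body = preauth["response"]
    if body.get("result") != "auth":
        return {"factor": None, "device": None, "reason": body.get("result")}
    offered = advertised_factors(preauth, api_version)
    for factor in ("push", "phone"):  # interactive factors, only when offered
        if factor in offered:
            device = next((d["device"] for d in body.get("devices", [])
                           if factor in d.get("capabilities", [])), "auto")
            return {"factor": factor, "device": device, "reason": "offered by preauth"}
    reason = ("risk-based step-up: collect a Duo Mobile, token, SMS or bypass code"
              if step_up_in_effect(preauth, api_version) else "only passcodes offered")
    return {"factor": "passcode", "device": None, "reason": reason}


# Constructed v2 preauth bodies: the same user before and during a step-up.
V2_NORMAL = {"stat": "OK", "response": {"result": "auth", "status_msg": "Account is active",
    "devices": [
        {"device": "DPEXAMPLE0000000001", "type": "phone", "number": "XXX-XXX-0100",
         "name": "", "capabilities": ["auto", "push", "sms", "phone", "mobile_otp"]},
        {"device": "DHEXAMPLE0000000002", "type": "token", "name": "0"}]}}
V2_STEP_UP = {"stat": "OK", "response": {"result": "auth", "status_msg": "Account is active",
    "devices": [
        {"device": "DPEXAMPLE0000000001", "type": "phone", "number": "XXX-XXX-0100",
         "name": "", "capabilities": ["sms", "mobile_otp"]},
        {"device": "DHEXAMPLE0000000002", "type": "token", "name": "0"}]}}
# Constructed v1 bodies (layout assumed): pushN/phoneN vanish from 'factors'.
V1_NORMAL = {"stat": "OK", "response": {"result": "auth",
    "factors": {"default": "push1", "1": "push1", "2": "phone1", "3": "sms1"}}}
V1_STEP_UP = {"stat": "OK", "response": {"result": "auth",
    "factors": {"default": "sms1", "1": "sms1"}}}

if __name__ == "__main__":
    for label, body, ver in (("v2 normal", V2_NORMAL, 2), ("v2 step-up", V2_STEP_UP, 2),
                             ("v1 normal", V1_NORMAL, 1), ("v1 step-up", V1_STEP_UP, 1)):
        print(label, step_up_in_effect(body, ver), choose_factor(body, ver))
```

The point of `step_up_in_effect` is observability: a client that silently drops to passcode entry gives the help desk nothing to correlate with the Admin Panel log, whereas logging the restriction lets them confirm that the prompt change was a policy decision rather than an outage.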

Risk-Based Remembered Devices

Risk-Based Remembered Devices adds to the existing Duo Remembered Devices functionality: it improves the protection of access endpoints against lost or stolen devices and enables longer remembered device sessions by looking for signs of token theft. Like Duo’s current remembered devices functionality, it places a cryptographically signed token on the user’s device after a successful multi-factor authentication and uses that token to carry trust forward.

With Duo's traditional Remembered Devices policy, you set a static time for how long a device is remembered (example: 7 days). During login, the user opts into remembering the access device by checking the "Remember me..." option in the traditional Duo Prompt, or choosing "Trust browser" in the Universal Prompt. When the remembered device duration expires the user is asked to reauthenticate.

With Risk-Based Remembered Devices, establishing the remembered device session is automatic, with no prompt to the user. Once the remembered device session is established, Duo looks for anomalous IP addresses or changes to the device throughout the lifetime of the session and requires a new session if it observes a change from historical baselines. It also incorporates a Wi-Fi Fingerprint provided by Duo Device Health to ensure that IP address changes reflect actual changes in location and not normal usage scenarios like a user establishing an organizational VPN session. Risk-Based Remembered Devices evaluates 30 days of IP history for each user.

Re-authentication is required before the token expires if Duo detects a change from the IP address baseline or the use of a new device. Once the user re-authenticates, the device trust token continues to function until the session reaches the end of the duration defined in the Remembered devices policy, or until the user attempts to authenticate from another new IP address.

How Risk is Defined for Risk-Based Remembered Devices

Duo evaluates each authentication based on its relation to the user's IP address history. Duo looks at the IP addresses from the past 30 days of successful authentications in user activity.
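The following Python is an added, illustrative model of the evaluation described in this section; it is not Duo's implementation and Duo's actual scoring is not described on this page. It issues a signed trust token after MFA and, on each later login, honours it only while the configured session duration has not elapsed, the token is presented from the device it was bound to, and the source IP falls inside the user's 30-day history of successful authentications. An IP outside that history is still accepted if it arrives with a Wi-Fi fingerprint already seen in the window, which is how a VPN egress change is separated from a real change of location. The token format, the /24 (/64) granularity of the baseline, the fingerprint rule and all sample data are assumptions of the example.

```python
"""Illustrative model of a risk-based remembered-device check.

Added example, not Duo's implementation. Token format, /24 (/64) baseline
granularity and the Wi-Fi fingerprint rule are assumptions; the history,
key and addresses are constructed (RFC 5737 documentation ranges).
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

HISTORY_WINDOW = timedelta(days=30)  # page: 30 days of IP history per user


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    ip: str
    device_id: str
    wifi_fp: Optional[str]  # Wi-Fi fingerprint from Device Health, if present
    success: bool


def network_of(ip: str):
    """Collapse an address to the block the baseline is kept in (assumed /24 or /64)."""
    return ip_network((ip, 24 if ip_address(ip).version == 4 else 64), strict=False)


def issue_token(key: bytes, user: str, device_id: str, issued: datetime, max_days: int) -> str:
    """Signed token placed on the device after MFA; binds user, device and lifetime."""
    claims = {"u": user, "d": device_id, "iat": issued.timestamp(),
              "exp": (issued + timedelta(days=max_days)).timestamp()}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (payload, sig)).decode()


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None."""
    try:
        p64, s64 = token.encode().split(b".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None
    return json.loads(payload)


def in_window(history: list[AuthEvent], now: datetime) -> list[AuthEvent]:
    """Successful authentications inside the 30-day evaluation window."""
    return [e for e in history if e.success and now - HISTORY_WINDOW <= e.when <= now]


def evaluate(key: bytes, token: str, user: str, now: datetime, history: list[AuthEvent],
             ip: str, device_id: str, wifi_fp: Optional[str]) -> tuple[str, str]:
    """Decide 'trusted' (skip MFA) or 'reauth' (fresh MFA) for one login attempt."""
    claims = verify_token(key, token)
    if claims is None or claims.get("u") != user:
        return "reauth", "token missing, tampered or issued to another user"
    if now.timestamp() > claims["exp"]:
        return "reauth", "remembered-device session reached its maximum duration"
    if claims["d"] != device_id:
        return "reauth", "token presented from a different device"
    recent = in_window(history, now)
    if network_of(ip) in {network_of(e.ip) for e in recent}:
        return "trusted", "source IP inside the 30-day baseline"
    if wifi_fp and wifi_fp in {e.wifi_fp for e in recent if e.wifi_fp}:
        return "trusted", "new IP but known Wi-Fi fingerprint (network change, not location)"
    return "reauth", "source IP outside the 30-day baseline"


# Constructed sample data: a week of office logins from 203.0.113.0/24 plus one
# stale login 40 days back that must fall outside the evaluation window.
KEY = b"constructed-demo-signing-key"
T0 = datetime(2022, 9, 1, 9, 0, tzinfo=timezone.utc)
HISTORY = [AuthEvent(T0 - timedelta(days=d), f"203.0.113.{10 + d}", "dev-A", "fp-office", True)
           for d in range(1, 8)]
HISTORY.append(AuthEvent(T0 - timedelta(days=40), "192.0.2.9", "dev-A", "fp-home", True))
TOKEN = issue_token(KEY, "alice", "dev-A", T0, max_days=30)


def scenario(days: int, ip: str, device: str, fp: Optional[str],
             history: list[AuthEvent] = HISTORY) -> tuple[str, str]:
    """Evaluate TOKEN for a login `days` after issuance."""
    return evaluate(KEY, TOKEN, "alice", T0 + timedelta(days=days), history, ip, device, fp)


if __name__ == "__main__":
    print(scenario(1, "203.0.113.77", "dev-A", "fp-office"))   # trusted: inside baseline
    print(scenario(2, "198.51.100.5", "dev-A", "fp-office"))   # trusted: VPN, same Wi-Fi
    print(scenario(3, "198.51.100.5", "dev-A", "fp-cafe"))     # reauth: new location
    print(scenario(3, "192.0.2.9", "dev-A", "fp-home"))        # reauth: history too old
    print(scenario(4, "203.0.113.77", "dev-B", "fp-office"))   # reauth: new device
    print(scenario(31, "203.0.113.77", "dev-A", "fp-office"))  # reauth: session expired
    # After the user re-authenticates at the new location, that IP joins the
    # history and the same token is trusted again, as the page describes.
    after = HISTORY + [AuthEvent(T0 + timedelta(days=3), "198.51.100.5", "dev-A", "fp-cafe", True)]
    print(scenario(3, "198.51.100.5", "dev-A", "fp-cafe", after))  # trusted
```

Two design choices matter for a defender reading this: the token itself never carries the IP, so a stolen token replayed from outside the baseline is refused without any re-issuance logic, and the fingerprint check is consulted only after the IP check fails, so it can only widen acceptance in the VPN case the page describes and never shrink it.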

Risk-Based Remembered Device Requirements

Risk-Based Remembered Devices currently works for Duo’s browser-based integrations featuring either the Universal Prompt or the traditional Duo Prompt. These browser-based Duo Prompt user experiences collect IP address information for access devices and make it available in the authentication log.

In addition, Wi-Fi Fingerprint analysis requires installation of the Duo Device Health app on Windows and macOS access devices. Note that you do not need to configure Device Health policies to make Wi-Fi Fingerprint information available to Risk-Based Remembered Devices evaluation.

Enable Risk-Based Remembered Devices

To apply a new Risk-Based Remembered Devices policy to an application:

  1. Log into the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the application to which you want to apply the Risk-Based Remembered Devices policy. This must be a browser-based application that uses the Universal Prompt or the traditional Duo Prompt.

  3. Click Apply a policy to all users if you want every user accessing this application subject to Risk-Based Remembered Devices, or click Apply a policy to groups of users to assign the new Risk-Based Remembered Devices policy to a group of users.

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

  5. The policy editor launches with an empty policy.

  6. Enter a descriptive Policy Name at the top of the left column, and then click the Remembered devices policy item on the left.

  7. Select the checkbox next to Remember devices for browser-based applications and then select the Remember devices using risk-based authentication for up to nn days option. Enter the maximum number of days you want a remembered device session to last.

  8. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Risk-Based Remembered Devices policy selected.

  9. If you opted to apply Risk-Based Remembered Devices as a group policy, start typing in the target group's name in the Groups field and select it from the suggested names.

  10. Click the Apply Policy button. The application page shows the new application or group Risk-Based Remembered Devices policy assignment.

Duo Risk-Based Remembered Devices Policy Enabled

You can also edit an existing custom policy or your Global Policy to add the Risk-Based Remembered Devices option if you prefer.

For more information about creating and applying custom policies, see the Policy documentation.

Monitoring and Triage

All risk-based policies offer comprehensive logging and monitoring capabilities in the authentication logs. In addition, any authentications flagged as fraudulent by users appear in the existing fraud reports.

Navigate to Reports → Authentication Logs in the Duo Admin Panel. Applying risk-based policies adds a new "Trust Assessment" column to the authentication logs. Together with the additional context in the "Result" and "Authentication Method" columns, it shows when and why a step-up decision occurred.

Duo Risk-Based Authentication Logging

Hover your cursor over the "Trust Assessment" column information to see more information about the underlying reasons for that decision and the policy enforced for that authentication.

Duo Risk-Based Authentication Trust Assessment Details

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.