Skip navigation

Risk-Based Authentication

Duo’s Risk-Based Authentication evaluates potential threat signals at each login attempt and adjusts security requirements, in real time, to protect trusted users and frustrate attackers. This dynamic solution offers granular controls that provide customers with a more nuanced and effective approach toward secure access.

A data security pro uses their laptop in the office & on the go, with authentication requirements dependent on risk level.

What Is Risk-Based Authentication?

With the rise of hybrid work and the increase in cyber threats, attackers are increasingly targeting account takeovers to gain access to corporate resources. This means user authentication is more important than ever before, requiring more organizations to move toward a zero trust security strategy. The zero trust security model (“never trust and always verify”) can be difficult to achieve without adding frustration and friction for users who just want to get their job done. Risk-Based Authentication enables threat detection along with automated responses to block the attacker and secure trusted users.

How Does Risk-Based Authentication Work?

A stoplight representing signals.

Step 1: Evaluate Risk Signals 

At login, Duo examines signals such as user location, browser and network from web access requests, as well as device attributes and status from the Duo Mobile app and the Duo Device Health App. Duo’s patent-pending Wi-Fi Fingerprint technology can also evaluate change in location through anonymized network data.  

A flying helicopter representing responding to situations dynamically.

Step 2: Respond Dynamically 

Duo automatically responds to those threat signals at login to determine if the situation is high-trust or low-trust. This can involve identifying threats based on known attack pattern data (like a high volume of push requests in a row) or contextual risk signals (like an unknown Wi-Fi account).  

Three different-sized padlocks, representing an increase or decrease in requirements based on risk signals.

Step 3: Adjust Secure Access Requirements 

Based on the risk evaluation, the user will experience a corresponding amount of friction at login. If the situation is high-trust, the user can complete a Duo Mobile Push. If the evaluation indicates low-trust, the user will be asked to step up to a more secure authentication method, like Verified Duo Push or passwordless authentication

Why Secure Access Matters

Employee badge icon

Top Cause of Breaches 

82% of breaches involve a human element, which makes protecting secure access for users a top priority (Verizon Data Breach Report).  

Receipt icon.

Attacks Are Expensive 

The cost of a data breach continues to increase, reaching $4.35 million in 2022 (IBM Cost of a Data Breach Report).  

House icon.

Secure Hybrid Work 

Organizations need to protect workers across networks, devices and locations as 77% of employees expect a flexible work style (PDF: Dimensional Research). 

The Solution

An armadillo standing on its hind legs, representing the armor of privacy.

Improving Secure Access While Preserving Privacy

Duo’s Wi-Fi Fingerprint technology can use anonymized Wi-Fi network data to determine if a user’s location has changed, enabling Duo to evaluate risk while protecting users’ privacy. 

Related Duo Features:

  • Duo Device Health Application: Monitor laptop and desktop devices to ensure they have the right security protocols in place. 
  • Duo Mobile on iOS and Android: Duo Mobile can evaluate potential risk signals including device attributes, security settings and management status. 

Bees flying away from a hive, representing rapid response to data security issues.

Transparent & Automatic Secure Response 

Each authentication attempt can be reviewed in Duo’s Authentication Log. Duo administrators can easily identify whether a login attempt was considered high- or low-trust and why. 

Related Duo Features:

A penguin sliding on its belly, representing a lack of friction when it's not needed.

Adjust User Outcomes Without Unnecessary Friction 

The Risk-Based Authentication solution only steps up security requirements if there are potential threats. Once trust is re-established, users can follow their normal authentication flow. 

Related Duo Features:

  • Duo Multi-Factor Authentication: Enforce secure identity verification methods, like Duo Push and password-free open standards such as WebAuthn
  • Duo Single Sign-On: Let users access any application with a single login experience, protected by Duo’s strong authentication and granular access policies. 

A person doing yoga, representing an improved posture — security or otherwise.

Improve Security Posture 

Our dynamic solution responds in real time, at login, to ensure that only trusted users gain access to privileged data. 

Related Duo Features:

  • Duo Device Visibility: See every endpoint that’s logging in to your apps, so that you can spot risky devices before they compromise your resources. 
  • Duo Trusted Endpoints: Identify corporate-owned vs. personal laptops, desktops and mobile devices, to ensure only devices with the right permissions are accessing critical resources. 

Related Topics

Fingerprint icon

Passwordless Authentication 

Hackers can’t steal a password if there’s no password to steal. Passwordless authentication is becoming a viable and attractive way to reduce credential theft. 

Learn More about Passwordless Authentication  

Checkmark on device screen icon

Multi-Factor Authentication 

User trust is the foundation upon which a zero trust strategy is built — and strong multi-factor authentication is a tested and proven way to establish that trust. 

Explore Duo’s Multi-Factor Authentication  

User profile icon

Adaptive Access Policies 

Assigning access permissions by application ensures that your most critical resources are also your most protected. 

Discover Duo’s Adaptive Access Policies