Risk-Based Authentication Coming to Duo

This fall, UC Davis will increase cybersecurity to better protect you and your university information from scammers, hackers, and other bad actors: Risk-Based Authentication will be added to Duo for UC Davis students and staff. Duo is the multi-factor authentication app at UC Davis that provides an additional layer of protection when Aggies access email, online storage, and other technology and university services.

How does risk-based authentication work? 

If Duo identifies suspicious login behavior, it will respond by enacting an escalated authentication step. This presents only the most secure validation methods available to that user. Once the user completes one of these enhanced authentications, they may resume validating by using any of the methods generally available to them. 

Risk-based authentication options may include: 

  • Verified Duo push 
  • Bypass code 
  • Roaming and platform authenticators 
  • YubiKey passcode 

On average, only about 2/1000 Duo transactions will result in a risk-based authentication.

How is this different from the current Duo experience?

Currently, Duo presents users with the last-used, or remembered, authentication method and allows them to choose another method available to them.

Risk-based authentication:

  • Must be triggered by potentially suspicious behavior (e.g. an unrealistic device location, a series of failed authentications, or user-marked fraud)
  • Does not allow a user to choose methods Duo considers less secure.

Why is UC Davis enabling risk-based authentication?

As hackers and phishing attempts get more advanced, the university must provide the greatest level of protection available. Aggies can also do their part by making sure to never validate an authentication request that they did not initiate or expect, even if it looks legitimate (any such unexpected requests should be reported to the appropriate support staff). If you do receive such a request, we strongly suggest changing your password.

Still have questions?   

Click here to contact IT Express

Read a Knowledge Base article about Duo's Risk-Based Authentication