Attackers continually exploit various techniques to compromise accounts and fraudulently authenticate. Duo’s Risk-Based Authentication automatically detects and mitigates commonly known attack patterns and high-risk anomalies.

Risk-based MFA methods at UMD

• Verified Duo Push is a more secure version of Duo Push that requires you to enter a numeric code from the authentication prompt on your mobile device. 
• Bypass codes generated by you or provided by a Duo administrator. 
• Yubico OTP/AES passcodes generated by a YubiKey token.
  
  Note: YubiKey 6 or 8-digit OATH-HOTP passcodes do not satisfy the secure method requirement.

What can trigger Risk-based MFA?

Multiple factors can trigger risk-based MFA. Here are some scenarios:

• User marked fraud: You have indicated you weren’t responsible for a login by marking it as suspicious in the Duo Mobile app.
• Push harassment: A pattern of failed authentications is consistent with an adversary performing a targeted push harassment attack against a single user.
• Travel: It is recommended to be ready to authenticate using the risk-based authentication methods while traveling.
• Unrealistic travel: Attempts to authenticate from a new location that would be impossible to reach based on the past authentication time and location.
• Device distance: The authentication device and access device are abnormally far apart.