Risk-Based Authentication Coming to Duo

November 18, 2024: Duo Risk-Based Authentication will be available starting Wednesday, November 20, 2024, for students and staff only.

In fall 2024, UC Davis will increase cybersecurity to better protect you and your university information from scammers, hackers, and other bad actors. Risk-Based Authentication will be added to Duo for UC Davis students and staff. Duo is the multi-factor authentication app at UC Davis that provides an additional layer of protection when Aggies access email, online storage, and other technology and university services.

How does risk-based authentication work? 

You will continue to access university services as you do today, using Duo multi-factor authentication (MFA). 

  • Duo will assess the characteristics of each login attempt, considering factors such as location, device, and login history. 
  • If a login attempt appears unusual or poses a higher risk through a combination of factors (e.g., two logins within the same hour from different parts of the world), Duo will require a more robust form of verification. This typically involves a secure code: you may be prompted to enter a 6-digit code, displayed on the webpage, into the Duo mobile app. You will enter the 6-digit code instead of tapping the Approve button.
  • You may be prompted to enter a 6-digit code into the Duo mobile app if you are traveling abroad or use a new device.

Learn more about risk-based authentication

How is this different from the current Duo experience?

Currently, Duo presents users with the last-used, or remembered, authentication method and allows them to choose another method available to them.

Risk-based authentication:

  • Must be triggered by potentially suspicious behavior (e.g., an unrealistic device location, a series of failed authentications, or user-marked fraud).
  • Does not allow a user to choose methods Duo considers less secure.
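
The triggers listed above can be sketched as a small risk check. This is an added illustration, not Duo's or UC Davis's actual logic: the thresholds, event fields, and the method labels `approve_button` and `code_entry` are assumptions, and the login events are constructed sample data.

```python
import math
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not Duo's actual values).
MAX_PLAUSIBLE_KMH = 900      # roughly airliner cruising speed
FAILED_AUTH_LIMIT = 3        # failures inside the window that count as a "series"
WINDOW = timedelta(hours=1)

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_signals(history, attempt):
    """Return the set of triggers raised by `attempt` given earlier events."""
    signals = set()
    successes = [e for e in history if e["result"] == "success"]
    if successes:
        last = successes[-1]
        hours = (attempt["time"] - last["time"]).total_seconds() / 3600
        dist = km_between(last["geo"], attempt["geo"])
        # Implied travel speed too high to be the same person moving.
        if dist > 100 and dist / max(hours, 1 / 60) > MAX_PLAUSIBLE_KMH:
            signals.add("unrealistic_location")
    recent = [e for e in history if attempt["time"] - e["time"] <= WINDOW]
    if sum(e["result"] == "failure" for e in recent) >= FAILED_AUTH_LIMIT:
        signals.add("failed_auth_series")
    if any(e["result"] == "fraud_reported" for e in recent):
        signals.add("user_marked_fraud")
    if attempt["device"] not in {e["device"] for e in successes}:
        signals.add("new_device")
    return signals

def allowed_methods(signals):
    """Step up to code entry when any trigger fires; otherwise keep both."""
    return ["code_entry"] if signals else ["approve_button", "code_entry"]

# Constructed sample history: a Davis login, then an attempt 40 minutes later from Singapore.
T0 = datetime(2024, 11, 20, 9, 0)
HISTORY = [{"time": T0, "geo": (38.54, -121.74), "device": "laptop-1", "result": "success"}]
REMOTE = {"time": T0 + timedelta(minutes=40), "geo": (1.35, 103.82), "device": "laptop-1"}
LOCAL = {"time": T0 + timedelta(minutes=40), "geo": (38.58, -121.49), "device": "laptop-1"}

if __name__ == "__main__":
    for name, attempt in (("remote", REMOTE), ("local", LOCAL)):
        s = risk_signals(HISTORY, attempt)
        print(name, sorted(s), allowed_methods(s))
```
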

Why is UC Davis enabling risk-based authentication?

As hackers and phishing attempts get more advanced, the university must provide the greatest level of protection available. Aggies can also do their part by making sure to never validate an authentication request that they did not initiate or expect, even if it looks legitimate (any such unexpected requests should be reported to the appropriate support staff). If you do receive such a request, we strongly suggest changing your password.

Still have questions?   

Click here to contact IT Express

Read a Knowledge Base article about Duo's Risk-Based Authentication