Duo Risk-Based Authentication
In our effort to continuously enhance our security measures and stay up to date with the latest cybersecurity technology trends, we are introducing Duo Risk-Based Authentication (RBA). This new login security feature started in February 2024.
Duo RBA will help improve cybersecurity across all University of Miami campuses by assessing the risk of each login attempt to University of Miami systems beyond just passwords, considering factors like location, device, and login history.
How does Duo RBA work?
You will continue logging in to University of Miami systems as you do today, using Duo multi-factor authentication (MFA). If Duo determines an authentication attempt is unusual or poses higher risk through a combination of factors, listed below*, it escalates the security measures by requiring a more robust form of verification. This typically involves a secure pin—a process where you will be prompted to enter a 6-digit code, displayed on the webpage, into your Duo mobile app.
What do I need to do?
- Keep Your Contact Information Current: Always keep your contact information current in the Duo system to avoid disruptions during the authentication process. You can manage your information by accessing the device management portal.
- Follow On-screen Instructions: If prompted for additional verification when logging in to a system, follow the on-screen instructions carefully to complete the authentication.
- Understand First-time Computer Use: The first time you use a new computer to access the system, you will encounter Duo RBA for additional security.
- Recognize Receiving a Secure Pin Notice: If you receive a secure pin notice through the Duo mobile app, it indicates an authentication attempt is being made with your credentials. If you are not attempting to log in but you receive a Duo secure pin notification, you should immediately:
- 1) Click "I'm not logging in" within the Duo mobile app to deny the authentication attempt.
- 2) Promptly change your CaneID password by visiting caneid.miami.edu.
Limitations
Duo RBA only works when combined with the Duo mobile app. SMS authentication is unsupported with Duo RBA. If you encounter Duo RBA and you do not have the Duo mobile app configured, you will need to contact the IT Service Desk via phone to successfully authenticate. Contact information is provided below under Resources and Support.
If you use an incognito/private Internet browser window, Duo RBA will be automatically triggered as the initial option. You must select "Other Options" to elect another form of authentication.
Resources and Support
Visit the Duo MFA service page to learn more. If you have any questions or concerns, please contact the IT Service Desk – Coral Gables/Marine: 305-284-6565 or help@miami.edu; UHealth/MSOM: 305-243-5999 or help@med.miami.edu.
*High-Risk Factors
- Login Location and Impossible Travel: Detecting logins from geographically distant locations within a timeframe that's physically impossible, such as logging in from Miami and then Spain within the same hour.
- Suspicious User Behavior: A user has indicated they weren't responsible for a login by marking it as suspicious in the Duo mobile app.
- Device Difference: Attempts made from a new, previously unremembered device, especially when combined with other suspicious factors.
- Multiple Account Access: Logging into multiple user accounts from the same device or browser session, indicating potential unauthorized access attempts.
