Duo Risk-Based Authentication

In our efforts to continuously enhance our security measures and stay up to date with the latest cybersecurity technology trends, we are introducing Duo Risk-Based Authentication (RBA). This new login security feature started August 15, 2024.
Duo RBA will help improve cybersecurity across all Tufts’ campuses by assessing the risk of each login attempt to university systems. It looks beyond passwords and considers factors like location, device, and login history.
How does Duo RBA work?
You will continue logging in to university systems as you do today, using Duo multi-factor authentication (MFA). If Duo determines an authentication attempt is unusual or poses higher risk through a combination of factors, listed below*, it escalates the security measures by requiring a verified push. This typically involves a process where you will be prompted to enter a 4-digit code, displayed on the webpage, into your Duo mobile app.
Important Note: If you do not have the Duo app configured on your phone, please contact the IT Service Desk at it@tufts.edu or 617-627-3376 for alternative solutions.
*High-Risk Factors
- Login Location and Impossible Travel: Detecting logins from geographically distant locations within a timeframe that's physically impossible, such as logging in from Miami and then Spain within the same hour.
- Suspicious User Behavior: A user denying authentication or reporting fraud.
- Device Difference: Attempts made from a new, previously unremembered device, especially when combined with other suspicious factors.
- Multiple Account Access: Logging into multiple user accounts from the same device or browser session, indicating potential unauthorized access attempts.
What do I need to do?
Remain vigilant when prompted by Duo. If you were not trying to log in to a service, deny the Duo request. Contact the IT Service Desk at 617-627-3376 or it@tufts.edu if you get any Duo prompts that you did not initiate, as you may need to change your password.