You can configure the Risk Score authentication method in Workspace ONE Access to allow or deny authentication based on the user's risk score. Every user is assigned a risk score of either high, medium, or low. When users attempt to log in, the risk score associated with the user determines what action is taken next.

Note: Risk Score based authentication is available only for cloud deployments.

Your Workspace ONE tenant must be registered with VMware Workspace ONE® Intelligence™ to enable and use the Risk Score authentication method.

The Workspace ONE Intelligence service is the source that calculates the user's risk score based on risk factors. See the VMware Workspace ONE Intelligence guide on the Workspace ONE documentation page for more information about user risk scoring.

Workspace ONE Access receives a risk level calculation from the Workspace ONE Intelligence service for every user. The risk score is recalculated every 24 hours.

When you enable Risk Score authentication in the Workspace ONE Access console, you select the action that is applied for each score level. The three actions that can be triggered are allow access, require step-up authentication, or deny access. For example, you can configure the method so that when the risk score is High, users are denied access; when it is Medium, users must enter a second form of authentication to log in; and when it is Low, users can log in as normal.

You must configure an access policy to use Risk Score authentication. When a rule requires Risk Score authentication and users attempt to log in, the risk score authentication action that you configured is applied. Risk score authentication can be configured for mobile single sign-on to iOS and Android devices.

When a user is denied access because of their risk score, the options to log in are limited.

  • Risk scores are updated every 24 hours. The user can wait until the Workspace ONE Intelligence service assigns the user a lower risk score.
  • If risk score authentication was applied to a particular device type in the access policy, such as iOS or Android, the user can log in from a web browser.
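
The last point means that risk-based denial covers only the device types whose rules require Risk Score authentication. The following added example (not VMware code, and not the product's API or policy export format) models policy rules in Python and reports the device types where a high-risk user would not meet the configured action. The `Rule` structure, the first-match evaluation, and the sample policy are assumptions constructed for illustration.

```python
"""Constructed model of access-policy rules; not Workspace ONE Access's API or export format."""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"

@dataclass(frozen=True)
class Rule:
    device_type: str        # e.g. "iOS", "Android", "Web Browser"
    uses_risk_score: bool   # True if the rule requires Risk Score authentication

# Action per score level, matching the example configuration in the text above.
RISK_ACTIONS = {"high": DENY, "medium": STEP_UP, "low": ALLOW}

def decide(rules, device_type, risk_level, actions=RISK_ACTIONS):
    """Return the risk-based outcome for a login from device_type at risk_level."""
    for rule in rules:  # first matching rule wins (assumption of this model)
        if rule.device_type == device_type:
            if rule.uses_risk_score:
                return actions[risk_level]
            # No risk check on this rule; its other authentication methods
            # still apply but are outside this model.
            return ALLOW
    return DENY  # no rule matches the device type (assumption of this model)

def uncovered_paths(rules, risk_level="high", actions=RISK_ACTIONS):
    """Device types where a user at risk_level does not get the configured action."""
    expected = actions[risk_level]
    return sorted({r.device_type for r in rules
                   if decide(rules, r.device_type, risk_level, actions) != expected})

# Constructed sample policy: Risk Score authentication on the mobile rules only.
SAMPLE_POLICY = [
    Rule("iOS", True),
    Rule("Android", True),
    Rule("Web Browser", False),
]

if __name__ == "__main__":
    for device in ("iOS", "Web Browser"):
        print(device, "->", decide(SAMPLE_POLICY, device, "high"))
    print("Not covered for high-risk users:", uncovered_paths(SAMPLE_POLICY))
```

If the intent is to block high-risk users everywhere, every device type returned by `uncovered_paths` needs a rule that also requires Risk Score authentication.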