Two types of risk score authentication can be configured in Workspace ONE Access. You can configure the User Risk Score authentication method to allow or deny authentication based on user and device actions and behaviors. You can configure the Login Risk Score authentication method to allow or deny authentication based on the risk level of each login attempt, evaluated against the user's personal login history.

Note: Risk Score based authentication is available only for cloud deployments.

Your Workspace ONE tenant must be registered with VMware Workspace ONE® Intelligence™ to enable and use the risk score authentication methods. The Workspace ONE Intelligence service is the source that calculates the risk scores based on risk factors. See the VMware Workspace ONE Intelligence documentation for more information about risk scoring.

VMware Workspace ONE® Intelligence™ risk scoring begins with a baseline, or "normal", level of risk. For risk score authentication, as a user or device deviates from normal behavior, or as login attempts deviate from the personal login mode, the score rates those deviations as High, Medium, or Low.

When you enable Risk Score authentication in the Workspace ONE Access console, you select the type of action that is applied for each score level. The three actions that can be triggered are to allow access, require step-up authentication, or deny access. For example, you can configure the following: when the risk score is High, users are denied access; when it is Medium, users must enter a second form of authentication to log in; and when it is Low, users can log in as normal.

You configure an access policy to use risk score authentication. When a rule requires risk score authentication, the risk score authentication action that you configured is applied when users attempt to log in. Risk score authentication can be configured for mobile single sign-on to iOS and Android devices.

When a user is denied access because of their user risk score, the options to log in are limited.

  • User Risk Scores are updated every 24 hours. The user can wait until the Workspace ONE Intelligence service assigns the user a lower risk score.
  • If risk score authentication was applied to a particular device type in the access policy, such as iOS or Android, the user can log in from a web browser.

Login Risk Scores are generated dynamically for every login attempt.
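
The following added example is not VMware code and does not use any Workspace ONE Access API or export format. It models the behavior described above in Python so that an administrator can check which device types reach a policy rule that never consults the risk score. The `Rule` structure, the sample policy, the first-match rule ordering, and the deny-when-no-rule-matches behavior are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"

# Action per score level, taken from the example in the text above.
RISK_ACTIONS = {"High": DENY, "Medium": STEP_UP, "Low": ALLOW}

@dataclass
class Rule:                      # hypothetical model of one policy rule
    device_type: str             # "iOS", "Android", "Web Browser" or "Any"
    uses_risk_score: bool        # rule requires risk score authentication

# Constructed policy: risk scoring applied to the mobile rules only.
POLICY = [
    Rule("iOS", True),
    Rule("Android", True),
    Rule("Web Browser", False),
]

def matching_rule(policy, device_type) -> Optional[Rule]:
    # Assumption: rules are checked in order and the first match applies.
    for rule in policy:
        if rule.device_type in (device_type, "Any"):
            return rule
    return None

def evaluate(policy, device_type, risk_level, actions=RISK_ACTIONS):
    """Return the risk-score outcome for one login attempt."""
    rule = matching_rule(policy, device_type)
    if rule is None:
        return DENY              # assumption: no matching rule means denied
    if not rule.uses_risk_score:
        return ALLOW             # score not consulted; other methods omitted
    return actions.get(risk_level, DENY)   # unknown level fails closed

def ungated_device_types(policy, device_types):
    """Device types whose matching rule never consults the risk score."""
    gaps = []
    for device_type in device_types:
        rule = matching_rule(policy, device_type)
        if rule is not None and not rule.uses_risk_score:
            gaps.append(device_type)
    return gaps

if __name__ == "__main__":
    for device in ("iOS", "Android", "Web Browser"):
        print(device, {lvl: evaluate(POLICY, device, lvl) for lvl in RISK_ACTIONS})
    print("Not gated by risk score:",
          ungated_device_types(POLICY, ["iOS", "Android", "Web Browser"]))
```

With this sample policy, a user rated High is denied on iOS and Android but not on the web browser rule, which is the situation the second bullet above describes.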