Enable the Login Risk Score authentication method in the Workspace ONE Access console. You then select the type of authentication action to apply to user' login risk score based on high, medium, or low scores.

Note: Login Risk Score based authentication is available for cloud deployments only.

You can allow access, require step-up authentication, or deny access. The action associated to the login risk score determines the user experience.

  • Allow Access. The user can log in and access policy rules are followed.
  • Step-Up Authentication. The user cannot log in with only the credential that was entered. The next authentication method configured in the access policy is presented to the user.
  • Deny Access. User cannot log in and no other login option is presented to the user.


Your Workspace ONE Access tenant must be registered with Workspace ONE Intelligence.


  1. In the Workspace ONE Access console Integrations > Authentication Methods page, select Login Risk Score.
  2. Enable Login Risk Score and configure the authentication action required for low, medium, and high risk scores.
    The actions available to select are Allow Access, Step-Up Authentication, Deny Access.
  3. Click Save.


Workspace ONE Intelligence login risk scoring beings with a baseline "low" level of risk. Workspace ONE Intelligence initial learning period to learn new user login behavior is 30 days. After 30 days, a user login attempt that deviates from the baseline are scored with high, medium or low.

What to do next

In the console, go to the Resources > Policies page and edit the default access policy to add the Login Risk Score authentication method to the policy rules and create the policy rule for the step-up authentication flow if applied to a score. To see an example policy rule configuration with Login Risk Score, see Example Access Policy Using Login Risk Score Authentication in Workspace ONE Access (Cloud Only).