After you enable Login Risk Score authentication in Workspace ONE Access, you must set up the access policy rules to use this authentication method.

This example shows an access policy that is configured with the following access flow.

  • Users with a low login risk score logging in with an iOS device can log in without entering additional credentials.
  • Users with a medium login risk score logging in with an iOS device must use a second authentication method to log in.
  • Users with a high login risk score logging in with an iOS device are denied access.

Login Risk Score authentication can be applied to any policy rule, but Login Risk Score cannot be the first authentication method listed in the policy rule.


For this example, the following authentication methods are enabled.
  • Mobile SSO ( for iOS)
  • Login Risk Score with the action type set up as follows.
    • Low set to Allow Access
    • Medium set to Step-up Authentication
    • High set to Deny Access


  1. In the Workspace ONE Access console Resources > Policies page, select. default access policy to edit.
  2. In the Configuration page, create the policy rule as follows.
    Option Description
    If a user's network range is ALL RANGES
    and user accessing content from iOS
    and user belongs to groups No group is selected. The access policy rule applies to all users.
    Then perform this action Authenticate using....
    then the user may authenticate using Mobile SSO (for iOS).

    Login Risk Score

    If the preceding methods fails or is not applicable, then Configured multi-factor authentication.

    Mobile SSO (for iOS)

    Authenticator App

    Note: You must add the same authentication methods in the fallback list as listed before Login Risk Score in the first authenticate using... configuration.
    Re-authenticate after 8 hours

What to do next

In the console, go to the Resources > Policies page. See Managing Access Policies in the Workspace ONE Access Service.