Risk Detection Signals

Scope

This document describes the risk detection signals used to evaluate login attempts for Business Accounts.

Risk detection signals are used to determine whether a login attempt should:

  • Be allowed normally

  • Require step-up authentication

  • Be blocked entirely

These signals operate as part of Enforced Security Policies.


I am new. Where should I start?

If you want to understand why a user is asked to perform additional authentication, start here.

Risk detection signals explain what the system looks at when deciding whether a login attempt is risky.


Purpose

Risk detection signals enable the system to:

  • Detect suspicious or abnormal login behavior

  • Reduce account takeover risk

  • Apply stronger authentication only when necessary

  • Balance security with user experience


Prerequisites

Before risk detection can be applied:

  • The organization must have Enforced Security Policies enabled

  • Users must sign in through the organization-managed identity provider

  • Login context data (IP, device, location) must be available


I already understand. How do I proceed step by step?


1. Categories of Risk Detection Signals

Risk signals are grouped into the following categories:

Risk Detection Signals
├── IP-Based Signals
├── Location-Based Signals
├── Device-Based Signals
├── Behavior-Based Signals
└── Policy Context Signals


2. IP-Based Signals

Description

Evaluate whether the source IP address is suspicious or unusual.

Examples

  • New IP address not previously associated with the user

  • IP outside of trusted IP ranges

  • IP address on denylist or known malicious range

  • Rapid IP changes during a single session

Risk Impact

  • Medium to High risk

  • May trigger MFA or access denial


3. Location-Based Signals

Description

Detect abnormal geographic login behavior.

Examples

  • Login from a new country or region

  • Impossible travel scenarios (rapid country changes)

  • Location inconsistent with organization policies

Risk Impact

  • Medium to High risk

  • May trigger step-up authentication


4. Device-Based Signals

Description

Evaluate whether the login device is trusted or recognized.

Examples

  • New or unrecognized device

  • Device fingerprint mismatch

  • Unsupported or restricted platform

  • Browser or OS changes

Risk Impact

  • Medium risk

  • Often triggers MFA challenge


5. Behavior-Based Signals

Description

Analyze user login behavior patterns.

Examples

  • Unusual login time

  • Multiple failed login attempts

  • Abnormal login frequency

  • Automated or scripted behavior patterns

Risk Impact

  • Medium to High risk

  • May result in MFA enforcement or temporary blocking


6. Policy Context Signals

Description

Apply organizational context and policy configuration.

Examples

  • User role requires stronger authentication

  • Workspace-specific security rules

  • Elevated access or sensitive resource access

  • Compliance-driven enforcement

Risk Impact

  • Medium to High risk

  • May enforce stronger MFA methods


7. Risk Evaluation Outcome

Each login attempt is evaluated in real time.

Risk Level    Outcome
Low           Standard authentication
Medium        Step-up authentication (MFA)
High          Strong MFA or access blocked

Risk thresholds are configurable at the organization level.
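
To make the flow in sections 2 to 7 concrete, here is an added example (not the product's implementation) that evaluates one login against IP, location, device and behavior signals and maps the highest fired level to an outcome. The signal names, the level assigned to each signal, the Policy fields and their values, and the outcome labels are all assumptions; the IP ranges are documentation-reserved addresses.

```python
import ipaddress
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

LOW, MEDIUM, HIGH = 0, 1, 2
OUTCOME = {LOW: "standard", MEDIUM: "step_up_mfa", HIGH: "strong_mfa_or_block"}

@dataclass
class Login:  # login context for one attempt (hypothetical shape)
    ip: str
    geo: tuple  # (lat, lon) as resolved from the IP
    device_id: str
    ts: float  # epoch seconds
    failed_attempts: int = 0

@dataclass
class Policy:  # organization-level settings; every value is an assumption
    trusted_nets: tuple = ("203.0.113.0/24",)
    denylist_nets: tuple = ("198.51.100.0/24",)
    max_speed_kmh: float = 900.0  # faster than this between logins is implausible
    min_travel_km: float = 100.0  # ignore geolocation jitter below this distance
    max_failed: int = 5

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def km_between(a, b):  # haversine distance between two (lat, lon) points
    (lat1, lon1), (lat2, lon2) = [tuple(map(radians, p)) for p in (a, b)]
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(login, history, policy=Policy()):  # -> (level, fired signals, outcome)
    signals = []
    if in_nets(login.ip, policy.denylist_nets):
        signals.append(("ip_denylisted", HIGH))
    elif not in_nets(login.ip, policy.trusted_nets) and login.ip not in {h.ip for h in history}:
        signals.append(("ip_new_untrusted", MEDIUM))
    if history:
        last = max(history, key=lambda h: h.ts)
        hours = max(login.ts - last.ts, 1.0) / 3600  # clamp to avoid divide-by-zero
        km = km_between(last.geo, login.geo)
        if km >= policy.min_travel_km and km / hours > policy.max_speed_kmh:
            signals.append(("impossible_travel", HIGH))
    if login.device_id not in {h.device_id for h in history}:
        signals.append(("device_unrecognized", MEDIUM))
    if login.failed_attempts >= policy.max_failed:
        signals.append(("failed_attempts", HIGH))
    level = max((lvl for _, lvl in signals), default=LOW)
    return level, [name for name, _ in signals], OUTCOME[level]
```

Returning the fired signal names alongside the level lets an administrator see why a user was challenged, which is the question this page starts from.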


8. User Transparency and Experience

  • Users are guided clearly when additional verification is required

  • Risk-based challenges are contextual and non-intrusive

  • Legitimate users can proceed after successful verification
