Skip to main content

Machine learning user risk score calculations


Advanced adaptive capability powered by machine learning provides a new method to prevent bad actors from impersonating authorized users to gain access to a protected site. Such attackers could have compromised credentials via social engineering or phishing tactics; obtained credentials beforehand from a source on the the dark web or by compromising another third party organization; or created new credentials within an organization they already breached.

The new Adaptive Authentication method, available in SecureAuth IdP version 9.3, requires SecureAuth's Prevent Threat Service package. Machine learning is used to track and analyze the login behavior patterns of authorized users for a period of time to identify their normal login patterns. Each user is assigned a risk score based on the current login behavior for that user in comparison to login behaviors of users with similar behavior patterns. A user's risk score may fluctuate based on login event factors.

When a login attempt is made, the login behavior pattern of the user attempting to authenticate is compared to the pattern of the authorized user that individual claims to be. A mismatch between patterns would now assign a higher risk score to that user and prompt a step-up in authentication requirements, or denial of access to the protected site.


By default, all new SecureAuth IdP version 9.3 appliances and appliances upgraded to this version have machine learning enabled. However, this feature is only activated in an environment with a licensed Prevent Threat Service package applied to the SecureAuth IdP.

Contact SecureAuth Support to:

  • Upgrade to the Prevent Threat Service package

  • Upgrade to SecureAuth IdP v9.3

Machine learning analysis and user risk score assignment

Machine learning analyzes information gathered from a user's login behavior pattern during a period of time and assigns a risk score to that user to dictate how to handle an authentication request. This risk score is based on whether the user is a low, medium, or high risk user, in comparison to other users with similar login behavior patterns. A user's risk score might fall within a range of 0 to 100 – with 100 indicating a high risk score – and can change, since a user could have a different login behavior pattern in the past compared to the present time.

For example, if during the past two months a user consistently logged in at about 9:00 a.m., and now the user is logging in at 2:00 a.m., the risk score increases and 2-Factor Authentication is required to identify the user.

Machine learning analyzes the following user data from logs:

  • Usual time of day the user logs in

  • Usual days of the week the user logs in

  • IP address used when logging in

  • Passed or failed authentication attempts

    • Tracking these login events can identify an unusually high number of successes or failures

NOTE: If using SailPoint IdentityIQ and / or Exabeam UEBA, risk scores from these third party platforms are calculated apart from SecureAuth's user risk score.


SecureAuth strongly recommends not blocking users based on their machine learning scores. At this time, there is no way to unlock an account of a user blocked as a result of their machine learning user risk score.

User risk score components

The user risk score calculation includes the following data for login events across a period of time:

  • User's current risk score

  • User ID

  • Time of day the user logged in

  • Day of the week the user logged in

  • IP address used when logging in, which identifies the user's location

  • Realm the user accessed

  • Login event status – passed, failed, or other transaction information unique to the login event

User risk score log

The user risk score log can be found at D:\SecureAuth\AnalyzeAPILogs

Sample log entry

2018/11/12 20:10:35.484|Trace|SecureAuth.AnalyzeEngine.API.Controllers.API.V1.UserRiskController|[LogResponse] Response: {"RiskScores":[{"ScoreChange":"-10","LastActivity":"1541304000","PreDecayedScore":"0","DecayedToTimestamp":"0","Category":"Active Directory","Threat":"Potential Account Misuse","Alert":"It was very unusual that {{entity name=\"ruaqtok3lymy2tb/r9c7ta6dbzm=\" hash=\"bcf24f9dec573fe8\" type=\"user\"risk=45showRiskBall=false}} attempted to log in, having only had 1 day with login attempts.","ProviderName":"SecureAuth User Risk","Risk":"Low","Score":32,"Message":null}],"Status":"Success","Message":[]}|


The log includes this information:

Type of log component

Log component from sample log entry above

User's current risk score


Change from last risk score


Type of risk

"Potential Account Misuse"

Reason for change of score / analysis of risk

"Alert":"It was very unusual that {{entity name=\"ruaqtok3lymy2tb/r9c7ta6dbzm=\" hash=\"bcf24f9dec573fe8\" type=\"user\" risk=45 showRiskBall=false}} attempted to log in, having only had 1 day with login attempts."

Adaptive Authentication risk level (based on the configured threshold)