Configure Risk-Based Authentication

When enabled, Risk-Based Authentication (RBA) requires additional multi-factor authentication (MFA) if Identity Threat Detection and Response (ITDR) evaluates a login attempt as high risk. VPAM sends login context information to ITDR, which evaluates the attempt using configured rule sets and returns an outcome that VPAM enforces.

Requirements

This feature requires the Identity Assurance and Threat Detection package. This package includes facial biometric authentication and Identity Threat Detection and Response (ITDR). Contact your Imprivata Support representative for more information: support@imprivata.com

Rule Sets

ITDR evaluates login activity using rule sets. Rule sets contain signals and evaluation logic that determine whether a login attempt is allowed, challenged with additional authentication, or denied.

IMPORTANT:

Administrators cannot select or change the rule set used by VPAM.

Changing the rule set used for risk evaluation requires assistance from Imprivata Support: support@imprivata.com.

Enable Risk-Based Authentication

To enable RBA on your server:

  1. In VPAM, go to System Administrator > Authentication Settings > Authentication Requirements.
  2. Under Risk-Based Authentication, select Enable.
  3. Under RBA settings, enable the challenge method you want to use:
    • Mobile Authentication: Sends a push notification to the user's authenticator application, which the user must approve to confirm their identity.
    • Facial Authentication: Requires the user to authenticate with facial biometrics.
    NOTE:

    All RBA challenge options are disabled by default. If no challenge method is enabled, the system automatically denies access when a risky login attempt is detected.

  4. Click Save.
IMPORTANT:

When you enable an RBA challenge method, users who are not enrolled in that method are prompted to enroll at their next login.

For more information on how to enroll, see Authentication Methods.

How RBA Interacts with Authentication Requirements

RBA:
  • Applies only when ITDR evaluates a login attempt as high risk.
  • Adds authentication only for high-risk login attempts.
  • Does not change, override, or disable the standard authentication requirements.

Authentication Requirements:
  • Apply to all logins, based on the configured MFA settings and policy.
  • Determine whether a second factor is required.
  • Define the baseline authentication requirements for login.

If multiple RBA challenge methods are enabled (for example, both Mobile Authentication and Facial Authentication), VPAM may require the user to complete more than one method during a high-risk login attempt.

Login Evaluation Workflow

After RBA is enabled, the login workflow is as follows:

  1. The user enters their credentials and initiates login.
  2. VPAM sends login context information to ITDR.
  3. ITDR evaluates the login attempt and returns one of the following outcomes, which VPAM enforces:
    • Allow: The login completes without additional authentication.
    • Medium: The user must complete the configured RBA challenge method before access is granted.
    • Deny: The login attempt is blocked, an access denied message is displayed, and the event is recorded for auditing and reporting.
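The following is an added illustrative model of how VPAM enforces the ITDR outcome according to the rules on this page. It is not Imprivata's code: the outcome names mirror the list above, while the method names, the `enrolled` set and the `Decision` structure are assumptions made for the example. It covers the two edge cases called out earlier: a risky login is denied when no challenge method is enabled, and users not enrolled in an enabled method are prompted to enroll.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Outcomes ITDR returns to VPAM (names taken from the workflow above)."""
    ALLOW = "Allow"
    MEDIUM = "Medium"   # step-up challenge required
    DENY = "Deny"


# Challenge method labels are assumed for this example.
MOBILE = "Mobile Authentication"
FACIAL = "Facial Authentication"


@dataclass(frozen=True)
class RbaSettings:
    """RBA settings as configured under Authentication Requirements.
    All challenge methods are disabled by default, as the page states."""
    enabled: bool = False
    mobile_authentication: bool = False
    facial_authentication: bool = False

    def enabled_methods(self) -> tuple[str, ...]:
        methods = []
        if self.mobile_authentication:
            methods.append(MOBILE)
        if self.facial_authentication:
            methods.append(FACIAL)
        return tuple(methods)


@dataclass(frozen=True)
class Decision:
    """Assumed structure: what VPAM does after baseline authentication
    (credentials plus any MFA the standard requirements already demand)."""
    action: str                      # "allow", "challenge" or "deny"
    methods: tuple[str, ...] = ()    # challenge methods the user must complete
    enroll: tuple[str, ...] = ()     # enabled methods the user is not enrolled in
    audit: bool = False              # True when a denied event must be recorded
    reason: str = ""


def enforce(outcome: Outcome, settings: RbaSettings, enrolled: set[str]) -> Decision:
    """Map an ITDR outcome to VPAM's RBA action.

    RBA only adds a step on top of the baseline requirements; it never
    weakens them, so this function is called only after those have passed.
    """
    if not settings.enabled:
        return Decision("allow", reason="RBA disabled; baseline requirements apply")

    if outcome is Outcome.ALLOW:
        return Decision("allow", reason="ITDR allowed the login")

    if outcome is Outcome.DENY:
        return Decision("deny", audit=True, reason="ITDR denied the login")

    # Outcome.MEDIUM: a challenge is required.
    methods = settings.enabled_methods()
    if not methods:
        # No challenge method enabled: access is denied automatically.
        return Decision("deny", audit=True,
                        reason="risky login but no RBA challenge method enabled")

    # With several methods enabled the user may have to complete more than one;
    # anyone not yet enrolled in an enabled method is prompted to enroll first.
    missing = tuple(m for m in methods if m not in enrolled)
    return Decision("challenge", methods=methods, enroll=missing,
                    reason="ITDR requested a step-up challenge")


if __name__ == "__main__":
    # Constructed sample: both methods enabled, user enrolled only in mobile.
    settings = RbaSettings(enabled=True, mobile_authentication=True,
                           facial_authentication=True)
    print(enforce(Outcome.MEDIUM, settings, {MOBILE}))
    print(enforce(Outcome.MEDIUM, RbaSettings(enabled=True), {MOBILE}))
```

Running the module shows a challenge decision listing both methods with Facial Authentication flagged for enrollment, followed by a deny decision for the configuration with RBA enabled but no challenge method selected.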
TIP:

For more information about reviewing evaluated login events, see Event Explorer.