The User Sign-In Policies screen allows you to enforce context-aware authentication rules using Timus ZTNA. These policies go far beyond simple password checks—leveraging device posture, sign-in origin, behavioral anomalies, and risk signals to determine whether access should be allowed, challenged with MFA, or blocked entirely.
📍 To access this screen, go to Zero Trust Security → User Sign-In Policies
The main table lists both default and custom sign-in policies:
| Column | Description |
|---|---|
| Name | Name of the policy (e.g., Deny New Country Sign-Ins) |
| Description | Summary of its purpose |
| Status | Current status of the policy |
Policies higher in the list are evaluated first. You can reorder them using drag & drop to change priority.
Create a New User Sign-In Policy
Click Create New to open the policy builder. You’ll configure the policy using four tabs:
Source
Specify the users or environments this rule applies to:
- Add a Name and Description (optional)
- Choose from Users, Teams, Tags, or Public IPs
- You can assign multiple sources
Condition
Specify the conditions that must be met for the policy to apply:
| Field | Description |
|---|---|
| Authentication Method | Choose from Any, Connect App, or User Portal |
| Risk Level | Any, Low, Medium, or High |
| Behavior Conditions | Select one or more behavior conditions (see supported types below) |
| Behavior Match Logic | All Selected Behaviors (AND) or Any Selected Behavior (OR) |
| Schedule | Limit policy to specific times/days if needed |
Supported Behavior Types
| Behavior Type | Purpose |
|---|---|
| New Device | Detects sign-ins from previously unseen devices |
| Out of Radius | Flags sign-ins from locations outside usual geographic range |
| New Country | Detects logins from new countries based on past activity |
| Impossible Travel | Detects geographically implausible login movement |
| Last Sign-In Date | Triggers if user hasn’t signed in recently |
| Untrusted IP | Flags risky IPs (proxy, botnet, TOR, abuse score, etc.) |
| Breached Email | Flags email addresses found in breach databases |
| Consecutive Failures at Same Account | Detects brute-force attempts on a single user |
| Consecutive Failures at Any Account | Detects credential stuffing attempts across users |
| Device Posture Check | Evaluates posture policy (e.g., antivirus disabled, no encryption) |
Action
Select how the system should respond:
| Option | Behavior |
|---|---|
| Allow | Permit access |
| Deny | Deny access |
| Ban | Deny access and lock account to prevent further attempts |
| MFA - Email | Require email-based OTP |
| MFA - Authenticator App | Require app-based TOTP |
| Deny and Block IP | Deny access and blacklist the IP address |
| Ban and Block IP | Lock account and blacklist the IP address |
You can configure multi-step MFA (e.g., Email + App fallback) to strengthen layered authentication.
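To make the Source, Condition and Action tabs concrete, here is an added illustration (not Timus code) of how an ordered policy list resolves a sign-in: policies are checked top-down, the first whose source, risk level and behavior conditions match decides the action, and the behavior match logic is applied as AND (all selected) or OR (any selected). The policy names other than "Deny New Country Sign-Ins", the sample sign-ins and the exact-match handling of risk level are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    action: str                                  # Allow, Deny, Ban, MFA - Email, ...
    sources: set = field(default_factory=set)    # users, teams, tags or public IPs
    risk_level: str = "Any"                      # Any, Low, Medium, High
    behaviors: set = field(default_factory=set)  # selected behavior types
    match_logic: str = "AND"                     # AND = all selected, OR = any selected

@dataclass
class SignIn:
    user: str
    team: str
    public_ip: str
    risk_level: str
    behaviors: set                               # behavior types detected for this attempt

def policy_matches(p: Policy, s: SignIn) -> bool:
    # Source: policy applies if any listed source matches the user, team or IP.
    if p.sources and not (p.sources & {s.user, s.team, s.public_ip}):
        return False
    # Assumption: a non-Any risk level must equal the sign-in's risk level.
    if p.risk_level != "Any" and p.risk_level != s.risk_level:
        return False
    if p.behaviors:
        hit = p.behaviors & s.behaviors
        if p.match_logic == "AND" and hit != p.behaviors:
            return False
        if p.match_logic == "OR" and not hit:
            return False
    return True

def evaluate(policies, s: SignIn, default="Allow"):
    """Higher policies are evaluated first; the first match decides the action."""
    for p in policies:
        if policy_matches(p, s):
            return p.name, p.action
    return None, default

# Constructed sample policy list, ordered by priority (top is evaluated first).
POLICIES = [
    Policy("Deny New Country Sign-Ins", "Deny", behaviors={"New Country"}),
    Policy("Ban Impossible Travel From Untrusted IP", "Ban and Block IP",
           behaviors={"Impossible Travel", "Untrusted IP"}, match_logic="AND"),
    Policy("Step-Up MFA For Contractors", "MFA - Authenticator App",
           sources={"contractors"}, behaviors={"New Device", "Untrusted IP"}, match_logic="OR"),
]
```

A contractor arriving from an untrusted IP alone is stepped up to MFA, while the same signal combined with Impossible Travel is caught by the higher-priority ban rule first.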
Alerts & Notifications
Improve incident visibility and team coordination with real-time alerts:
- Alerts:
  - Define Title, Severity, and Status
  - Choose Trigger Results: Success, Failure, Timeout
- Notifications:
  - Define Title, Severity, and Status
  - Choose Trigger Results: Success, Failure, Timeout
  - Choose whether to notify matching users, specific administrators, or external recipients
✅ Why Use Behavior-Based Sign-In Policies?
Behavior-aware authentication lets you:
- Detect suspicious activity like sign-ins from new countries or untrusted IPs
- Apply MFA only when needed, reducing friction
- Block known high-risk sign-ins before damage occurs
- Customize policy logic per user, team, or environment