Authentication alone doesn't tell you whether a login is legitimate. A valid password can come from a compromised device, an anonymized network, or a location that contradicts the user's recent activity. Without real-time risk awareness, identity flows treat every authentication attempt equally — leaving gaps that attackers exploit through credential stuffing, brute force attacks, and other techniques that lead to account takeover.
Mosaic's Identity Threat Protection brings real-time risk awareness directly into identity flows.
Identity Threat Protection is a set of journey-native risk detection capabilities that identify common identity-driven threats and anomalous access patterns during user interactions.
It collects and correlates 25+ risk factors from device, network, location, and behavioral signals, and exposes them to journeys so you can make informed decisions on how to proceed with sensitive actions like logins and registrations.
Identity Threat Protection is intentionally scoped for identity use cases. It does not require model tuning, investigator workflows, or post-event analysis — making it a good fit for organizations that want to adapt identity flows based on risk without deploying a standalone fraud platform or operating a dedicated fraud team.
If you need ML-driven recommendations, behavioral biometrics, risk scoring, or full analytics, see Fraud Prevention.
Identity Threat Protection supports the following capabilities:
- Brute force mitigation
- Credential stuffing prevention
- Account takeover protection
- Login velocity / frequency anomaly detection
- Device consistency evaluation
- New device detection
- IP reputation / proxy / Tor detection
- Geo-velocity / impossible travel detection
- Location risk scoring
- Session anomaly detection
- Bot detection / bot prevention
- High-risk registration pattern mitigation
- Shared device / IP across accounts detection
The engine enhances Mosaic's existing data collection by incorporating additional contextual signals:
- Device data (crypto keys, characteristics)
- Browser data (user agent, configuration, anomalies)
- IP and network data (reputation, geolocation, ASN, proxy indicators)
It also utilizes data already collected throughout standard journey flows:
- User profile attributes
- Authentication context
- Event and behavioral signals
This unified data model ensures that risk evaluation is both comprehensive and consistent with existing Mosaic capabilities.
You can define explicit allow and deny rules under Journey Tools to control how specific entities are handled during journey execution:
- Allow rules: define trusted entities (e.g., IP ranges, devices) that bypass risk-based restrictions
- Deny rules: restrict or block access from specific origins or attributes
These rules operate alongside the Identity Threat Protection engine and let you refine or override risk-based outcomes. They can be incorporated into journey logic to immediately allow trusted users, block known malicious sources, or route users based on predefined policies.
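The sketch below is an added example, not Mosaic's API or rule syntax. It shows how explicit allow and deny rules can override risk-based outcomes when a journey picks a branch. The signal labels, branch names, `Rules` structure, and the deny-before-allow ordering are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical signal labels for this sketch; not the product's signal names.
BLOCKING_SIGNALS = {"tor_exit", "impossible_travel"}

@dataclass
class Rules:
    allow_cidrs: list = field(default_factory=list)
    deny_cidrs: list = field(default_factory=list)
    allow_devices: set = field(default_factory=set)
    deny_devices: set = field(default_factory=set)

def ip_matches(ip, cidrs):
    """True if ip falls inside any CIDR; v4/v6 mismatches never match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def route(ip, device_id, signals, rules):
    """Return (branch, reason) for one login attempt."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return ("block", "unparseable_ip")       # fail closed on bad input
    # Assumption: deny is checked first, so a denied device stays blocked
    # even when it connects from an allowed range.
    if device_id in rules.deny_devices or ip_matches(ip, rules.deny_cidrs):
        return ("block", "deny_rule")
    if device_id in rules.allow_devices or ip_matches(ip, rules.allow_cidrs):
        return ("allow", "allow_rule")           # overrides risk signals
    hits = sorted(set(signals) & BLOCKING_SIGNALS)
    if hits:
        return ("block", "risk:" + ",".join(hits))
    if signals:
        return ("step_up", "risk:" + ",".join(sorted(signals)))
    return ("allow", "no_risk_signals")

# Constructed sample data (documentation address ranges, made-up device ids).
RULES = Rules(allow_cidrs=["203.0.113.0/24"], deny_cidrs=["198.51.100.0/24"],
              deny_devices={"dev-stolen-01"})
SAMPLES = [
    ("203.0.113.7", "dev-a", {"tor_exit"}),      # allowed range beats signal
    ("203.0.113.7", "dev-stolen-01", set()),     # deny beats allow
    ("192.0.2.10", "dev-b", {"new_device"}),     # no rule: step up
    ("192.0.2.10", "dev-b", {"impossible_travel", "new_device"}),
    ("not-an-ip", "dev-c", set()),
]

if __name__ == "__main__":
    for ip, dev, sig in SAMPLES:
        print(ip, dev, sorted(sig), "->", route(ip, dev, sig, RULES))
```

Because an allow rule bypasses every risk signal, keep allow ranges narrow and review them regularly; a broad trusted range silently disables detection for everything inside it.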
Learn how to build a risk-based authentication flow using Identity Threat Protection and journeys.