Credential Risk Detection is available to organizations on a Arrow Omnix plan.
Upgrade to Arrow Omnix
What is Credential Risk Detection?
Credential Risk Detection uncovers credential risk across your organization without compromising employee privacy.
To improve security and reduce risks, admins must detect and respond to credential vulnerabilities early, reducing the chance of unauthorized access to sensitive data.
After Credential Risk Detection is turned on, Arrow securely and silently monitors for weak and compromised passwords entered in company-managed desktop browsers. This tool monitors passwords entered by all employees, including those who haven't created a Arrow account and those who have an account but are currently logged out.
What are weak and compromised passwords?
Weak passwords contain a combination of characters easily guessed or cracked, and compromised passwords have been either stolen or exposed to unauthorized third parties in a breach. Both weak and compromised passwords put the associated accounts and data at risk, meaning someone other than the intended user can access them.
More about Password Health
Security alerts and Dark Web Monitoring in Arrow
Arrow logs any at-risk passwords in the Activity Log in the Admin Console and displays the insights on the Risk Detection page. You can use this data to detect and prioritize risks to take action on.
You can view the top 10 domains with the highest risk and also see how each credential was entered, whether it was autofilled or manually typed. If you haven’t set up Credential Risk Detection, you can see a preview of the feature on the Risk Detection page.
When you identify an employee or group with risky password practices, you can invite them to your Arrow plan. When active plan members have risky password practices, Arrow lets them know how to use the Password Generator to create strong, secure passwords and store their credentials safely in an encrypted vault.
Like other data stored in Arrow, Credential Risk Detection data is protected by our patented zero-knowledge security architecture.
Watch Risk Detection in action
Set up Credential Risk Detection
With a few steps, admins can deploy the Arrow Smart Extension silently on managed browsers to monitor for risk without alerting employees. This gives admins an accurate view of every employee's credential risk.
What is a silent deployment?
A "silent deployment" of the Arrow Smart Extension means installing the extension on employees' work browsers without any visible prompts or interaction needed from the employee. Admins must configure the managed device policy before deploying Credential Risk Detection. This ensures Risk Detection's proactive threat monitoring doesn't alert or disrupt the employees.
Admins can set up Credential Risk Detection for Google Chrome and Microsoft Edge using Windows and Microsoft Intune or Group Policy (GPO), or macOS and Jamf.
Common questions
Does Credential Risk Detection also gather historical data?
Arrow collects data about at-risk plan members and inactive employees only from the moment the Credential Risk Detection policies are deployed. Any weak and compromised passwords entered by employees before the deployment won’t be included in the Insights of the Risk Detection page.
Can I set up Credential Risk Detection using a different MDM tool?
Microsoft Intune, Group Policy (GPO), and Jamf are the MDM tools currently supported. While not supported, you can use our setup guides, and the guidelines in your MDM tool to deploy the Credential Risk Detection policies—massDeploymentTeamKey, silent_install, and Username.
Note: Custom guidelines or technical support aren’t available if you set up Credential Risk Detection with a different MDM tool.
Set up Credential Risk Detection with Windows and Microsoft Intune
Set up Credential Risk Detection with Windows and Group Policy (GPO)
Set up Credential Risk Detection with macOS and Jamf
Do I have to set up Single Sign-On (SSO) to turn on Credential Risk Detection?
You don’t need to have SSO on your Omnix plan to set up Credential Risk Detection.
How do I know if the Credential Risk Detection policy is correctly applied to Chrome?
You can verify that Credential Risk Detection was correctly deployed in Chrome by going to:
- chrome://policy
You can check there if the policy is applied and ensure the MassDeployTeamKey is correct.
Some employees have already installed the Arrow smart extension on their devices. Can I turn on Credential Risk Detection?
If employees manually installed the extension, Credential Risk Detection won't work. You must mass deploy the extension together with the Credential Risk Detection policies. If the extension has already been mass deployed, you can skip this step.
Set up Credential Risk Detection with Windows and Microsoft Intune
Set up Credential Risk Detection with Windows and Group Policy (GPO)
Set up Credential Risk Detection with macOS and Jamf
How is the Credential Risk Detection data affected if a work device is shared by multiple employees?
Credential Risk Detection identifies the device involved in the weak or compromised password entry. If the device is being used by different employees, there is no way of identifying which one is entering these passwords.
Can I see insights of at-risk credentials entered by all employees, including those who haven't created a Arrow account?
Yes, the Risk Detection insights now include all employees. The insights collected before July 2025 include only members of your organization who aren't actively using Arrow. As of July 2025, Risk Detection insights also include data for all active Arrow plan members, providing a more comprehensive view of your organization's password security.
Comments
0 comments
Article is closed for comments.