The paper proposes a model for authenticating mobile access subjects in a critical system. The incident detection mechanism is based on training and classification of the user activity audit log dataset embedded in the underlying configuration of the content management system. The proposed mechanisms can be implemented in systems whose subjects have some terrain movement patterns (within a city, district). The proposed model eliminates the disadvantages of existing traditional authentication methods based on the use of explicit verification methods. KNN methods, SVM and random forest algorithm are used for classification. These classification methods are formalized mathematically in the context of the set authentication problem, and to confirm the effectiveness of the algorithm, the robustness of the model by Euclidean metric and Chebyshev metric is evaluated, as well as the information content of the input features that affect the classification by each of the considered methods.