Improved New Device Behavior Detection

The Improved New Device Behavior Detection feature is a mechanism for detecting that a user is signing in from a new device.

For example, when a user receives a new laptop from their organization and signs in to Okta from it, Okta recognizes that this device hasn't been used to sign in to Okta before, and registers this device as new.

This feature analyzes data from HTTP cookies from the browser through which the user signed in to Okta and trusted applications to provide data about the new device. Policies evaluate these data to determine whether the user must be prompted for multifactor authentication (MFA) or be allowed to sign in without MFA.

To enable this feature, contact your account representative.

See Behavior Detection and evaluation.

Known limitations

  • Sign-in activity from a device using a browser without an HTTP cookie is treated as a new device, but with limited accuracy.
  • Okta doesn't use data from the Improved New Device Behavior Detection feature to determine when to send an email notification for a new sign-in. In addition, changes to deviceToken or browser cookies may not trigger a new sign-on email notification. See New sign-on notification emails in General Security and Sign-on notifications for end users.

Trusted applications

Trusted applications are responsible for identifying devices as part of new device detection.

  • You can send a unique identifier for each device using deviceToken in the context object. See Authentication context object.
    • Sign-in activity is identified as coming from a new device when a trusted application doesn't send the unique identifier.
  • If Improved New Device Behavior Detection isn't enabled for your org, you can send a unique identifier for each device using the X-DEVICE-FINGERPRINT header. See Primary authentication with device fingerprinting.

To learn how to generate a unique identifier, see Device fingerprint best practices.

Note about device detection

In the past, Okta used JavaScript fingerprinting to identify new devices. The Improved New Device Behavior Detection feature no longer relies on browser fingerprinting (not the use of physical fingerprints in biometric authentication):

  • Browser support for browser fingerprinting only provides best-effort accuracy because some browser vendors may reduce fingerprinting accuracy.
  • The browser fingerprint may change over time as the same browser fingerprint may be sent from multiple devices.

As a result, Okta recommends enabling Improved New Device Behavior Detection for more accurate detection.

Related topics

Behavior Detection and evaluation

Network zones

Okta ThreatInsight