Risk scoring

Risk scoring uses a data-driven risk engine to determine whether each sign-in event is likely to represent unusual activity. Okta assigns a risk level to each sign-in attempt by evaluating information such as the following:

  • The IP address used to make the sign-in request
  • Behavioral information about the user who made the sign-in request
  • Previous successful and failed sign-in attempts
  • Routing information associated with the request

You can use this risk assessment information when you configure sign-on policy rules to take different actions based on the risk level of the sign-in event. For example, you can configure a sign-on policy to require multifactor authentication if the sign-in attempt is identified as high risk.

The risk engine automatically identifies all new user sign-on attempts as high risk. With each subsequent successful sign-on attempt, the risk engine gathers more information about the user's sign-on activity and patterns and reduces the user's risk level.

Risk scoring is designed to complement, not replace, existing security tools and should not be used to:

  • Substitute bot management or automation detection
  • Replace Web Application Firewalls (WAFs)
  • Assist with any type of security compliance

Consider using risk-based authentication with Factor Sequencing to ensure that stronger factor chains are used for higher-risk sign-in activity.

You can also combine risk scoring with the Okta Verify push notification number challenge feature to add even more protection to sign-in activity. For example, if you configure Okta sign-on policies to evaluate risk conditions, Okta uses information such as the device details and location to determine the risk level of the sign-in attempt. You can configure the policy to then take different actions based on the risk level assigned to the sign-in attempt. For more information about the Okta Verify push notification number challenge, see Configure Okta Verify options.

Risk-related information in System Log events

System logs record information about how the risk level was determined for each authentication attempt. For example, the risk level assigned to a sign-in event might be based on any combination of the following factors:

  • Anomalous location
  • Anomalous device
  • Suspected threat based on Okta ThreatInsight detection
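The following is an added example, not Okta code or a sample from this page: it reads the risk summary out of exported System Log events and reports each user's highest observed risk level and how often each reason (anomalous location, anomalous device, ThreatInsight) appears. It assumes the risk summary is recorded as the string `debugContext.debugData.risk` in the shape `{reasons=Anomalous Device, level=MEDIUM}`; the field path and format are assumptions to confirm against your own org's events, and the events below are constructed for the example.

```python
"""Summarise risk-level data recorded in Okta System Log events.

Added example; not Okta's code. Assumes the risk summary appears as the
string debugContext.debugData.risk in the shape
"{reasons=Anomalous Device, level=MEDIUM}" (verify against your own events).
"""
import re
from collections import Counter

# Constructed sample events, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"risk": "{level=LOW}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"risk": "{reasons=Anomalous Device, level=MEDIUM}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {
         "risk": "{reasons=Anomalous Location, Anomalous Device, level=HIGH}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "dave@example.com"},
     "debugContext": {"debugData": {}}},  # no risk data recorded for this event
]

LEVEL_RE = re.compile(r"level=(\w+)")
# Reasons run up to ", level=" (or to the closing brace if level comes first).
REASONS_RE = re.compile(r"reasons=(.*?)(?:,\s*level=|}$)")
RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def parse_risk(risk_field):
    """Return (level, [reasons]) from the risk string; ("UNKNOWN", []) if absent."""
    if not risk_field:
        return "UNKNOWN", []
    level_m = LEVEL_RE.search(risk_field)
    level = level_m.group(1).upper() if level_m else "UNKNOWN"
    reasons_m = REASONS_RE.search(risk_field)
    reasons = []
    if reasons_m:
        reasons = [r.strip() for r in reasons_m.group(1).split(",") if r.strip()]
    return level, reasons


def summarize(events):
    """Highest risk level seen per user, plus a count of every risk reason."""
    per_user = {}
    reason_counts = Counter()
    for ev in events:
        risk_field = ev.get("debugContext", {}).get("debugData", {}).get("risk")
        level, reasons = parse_risk(risk_field)
        user = ev.get("actor", {}).get("alternateId", "?")
        current = per_user.get(user)
        if current is None or RANK.get(level, 0) > RANK.get(current, 0):
            per_user[user] = level
        reason_counts.update(reasons)
    return per_user, reason_counts


def high_risk_users(events):
    """Users with at least one HIGH-risk sign-in event, sorted for stable output."""
    per_user, _ = summarize(events)
    return sorted(u for u, lvl in per_user.items() if lvl == "HIGH")


if __name__ == "__main__":
    users, reasons = summarize(SAMPLE_EVENTS)
    for user, level in sorted(users.items()):
        print(f"{user:20} highest risk: {level}")
    print("reasons:", dict(reasons))
    print("high-risk users:", high_risk_users(SAMPLE_EVENTS))
```

Events that predate the risk data, or that never had it, are reported as UNKNOWN rather than silently dropped, so a gap in coverage is visible in the output instead of looking like a clean bill of health.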

Configure risk scoring

You can add risk scoring as a condition for any application or Okta sign-on policy rule. If you add risk scoring to a rule by selecting the AND Risk is condition, you can select a risk level of Low, Medium, or High.

Rules have the risk level set to Any by default.

To configure risk scoring:

  1. Create an Okta sign-on policy and configure the rule for it.
  2. Create an app sign-on policy and configure the rule for it.
  3. Select the AND Risk is condition, then select a risk level and save the rule.
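Because rules default to a risk level of Any, a policy whose only rule matches Any treats a high-risk sign-in exactly like a low-risk one. The following added example (not Okta code) walks a policy's rules in priority order and works out how a sign-in at each risk level would actually be treated, flagging the case where a high-risk attempt is allowed without a factor. It assumes the Policies API rule shape `conditions.riskScore.level` (ANY, LOW, MEDIUM, HIGH) and `actions.signon.access` / `actions.signon.requireFactor`; those field names are assumptions to verify against your org's API responses, the rule sets are constructed, and other rule conditions (network zone, group, and so on) are deliberately ignored to keep the model small.

```python
"""Audit how Okta sign-on policy rules treat each risk level.

Added example, not Okta's code. Assumes the Policies API rule shape
conditions.riskScore.level (ANY/LOW/MEDIUM/HIGH), actions.signon.access and
actions.signon.requireFactor; confirm against your org's API responses.
Only the risk condition is modelled; other rule conditions are ignored.
"""

RISK_LEVELS = ("LOW", "MEDIUM", "HIGH")

# Constructed rule set: high risk is denied, medium risk needs a factor.
HARDENED_RULES = [
    {"name": "Deny high risk", "priority": 1,
     "conditions": {"riskScore": {"level": "HIGH"}},
     "actions": {"signon": {"access": "DENY"}}},
    {"name": "Medium risk requires MFA", "priority": 2,
     "conditions": {"riskScore": {"level": "MEDIUM"}},
     "actions": {"signon": {"access": "ALLOW", "requireFactor": True}}},
    {"name": "Default", "priority": 3,
     "conditions": {"riskScore": {"level": "ANY"}},
     "actions": {"signon": {"access": "ALLOW", "requireFactor": False}}},
]

# Constructed rule set: the risk condition was left at its default of Any.
DEFAULT_ONLY_RULES = [
    {"name": "Default", "priority": 1,
     "conditions": {"riskScore": {"level": "ANY"}},
     "actions": {"signon": {"access": "ALLOW", "requireFactor": False}}},
]


def rule_risk_level(rule):
    """Risk level a rule is scoped to; a missing condition behaves like ANY."""
    return rule.get("conditions", {}).get("riskScore", {}).get("level", "ANY").upper()


def rule_treatment(rule):
    """Collapse the rule's sign-on action to DENY, ALLOW_WITH_FACTOR or ALLOW."""
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("access", "ALLOW").upper() == "DENY":
        return "DENY"
    return "ALLOW_WITH_FACTOR" if signon.get("requireFactor") else "ALLOW"


def effective_treatment(rules):
    """For each risk level, the treatment of the first matching rule by priority."""
    ordered = sorted(rules, key=lambda r: r.get("priority", 0))
    result = {}
    for level in RISK_LEVELS:
        for rule in ordered:
            if rule_risk_level(rule) in (level, "ANY"):
                result[level] = rule_treatment(rule)
                break
        else:
            result[level] = "NO_MATCHING_RULE"
    return result


def audit_rules(rules):
    """Findings: risk levels that reach an ALLOW without any factor requirement."""
    findings = []
    for level, treatment in effective_treatment(rules).items():
        if level in ("MEDIUM", "HIGH") and treatment == "ALLOW":
            findings.append(f"{level}-risk sign-ins are allowed without a factor")
    return findings


if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED_RULES), ("default only", DEFAULT_ONLY_RULES)):
        print(label, effective_treatment(rules), audit_rules(rules))
```

Running the audit against both rule sets makes the gap concrete: the hardened set denies high risk and steps up medium risk, while the default-only set lets every risk level through on the same terms, which is the situation the Any default produces when the Risk is condition is never added.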

Related topics

About Okta ThreatInsight

About behavior detection