Risk Scoring

Risk Scoring uses a risk engine that estimates the likelihood that a sign-in event is anomalous.

About risk-based authentication

Okta assigns a risk level to each Okta sign-in using models that combine contextual information about the sign-in with historical information about the user. Admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in, for example, prompt for MFA if the sign-in is high risk.

Admins can create a sign-on policy rule, set a risk level, and assign the action to take when a sign-in matches that level. New users are initially assigned a high risk level; as more information about the user's sign-in pattern is gathered, the risk associated with that user's normal sign-ins decreases.

Risk Scoring is designed to complement, not replace, existing security tools. It should not be used to:

  • Substitute for bot management or automation detection
  • Replace Web Application Firewalls (WAFs)
  • Assist with any type of security compliance

Consider using risk-based authentication together with Factor Sequencing so that stronger factor chains are required for higher-risk sign-in activity.

System Log events

System Log events contain the risk information associated with an authentication. The System Log also shows how the risk level was determined, as any combination of the following reasons:

  • Anomalous Location
  • Anomalous Device
  • Suspected Threat (based on Okta ThreatInsight detection)

Configure Risk Scoring

Configure Risk Scoring by adding a sign-on policy rule and setting the risk level that the rule matches.

Before You Begin

Verify that the sign-on policy you want to add the rule to already exists.

To configure Risk Scoring:

  1. In the Admin Console, navigate to Security > Authentication.
  2. Click Sign On.
  3. Under your existing sign-on policy, click Add Rule, or click an existing rule to edit it.
  4. Under the condition And Risk is, select Low, Medium, or High to set the risk level a sign-in must have to match the rule. Any is selected by default and matches sign-ins of every risk level.
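The following Python script is an added example, not Okta's code, that ties the two preceding sections together: it reads System Log events, extracts the risk level and the reasons listed above (Anomalous Location, Anomalous Device, Suspected Threat), and then evaluates the sign-on rules in priority order using the same matching semantics as the And Risk is condition (Low, Medium, and High match exactly; Any matches everything). The JSON layout of the risk field (a string under debugContext.debugData.risk), the sample events, the rule names, and the action strings are all constructed assumptions for illustration; check your own System Log output for the exact shape before reusing the parser.

```python
"""Parse risk data from Okta System Log events and evaluate sign-on rules.

Added example, not Okta's code. The field layout under
debugContext.debugData.risk, the sample events and the rules are assumed
for illustration and may differ from a real tenant's output.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

LEVELS = ("LOW", "MEDIUM", "HIGH")
# Reasons the System Log can report for how the risk was determined.
KNOWN_REASONS = {"Anomalous Location", "Anomalous Device", "Suspected Threat"}


@dataclass
class RiskAssessment:
    actor: str
    level: str                      # LOW, MEDIUM, HIGH or UNKNOWN
    reasons: list = field(default_factory=list)


@dataclass
class RiskRule:
    name: str
    level: str                      # ANY, LOW, MEDIUM or HIGH (the "And Risk is" condition)
    action: str                     # constructed action label


def parse_risk_field(raw):
    """Parse the assumed risk string, e.g. '{level=HIGH, reasons=Anomalous Location,Suspected Threat}'.

    Returns (level, reasons). A missing or unparseable level becomes UNKNOWN so
    that it is never silently treated as LOW.
    """
    if not raw:
        return "UNKNOWN", []
    body = raw.strip().strip("{}")
    fields = {}
    # Split on commas only when a new key=value pair follows, so a comma-separated
    # reasons list is kept intact.
    for part in re.split(r",\s*(?=\w+=)", body):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    level = fields.get("level", "UNKNOWN").upper()
    if level not in LEVELS:
        level = "UNKNOWN"
    reasons = [r.strip() for r in fields.get("reasons", "").split(",") if r.strip()]
    return level, reasons


def assess_event(event):
    """Build a RiskAssessment from one System Log event (assumed layout)."""
    raw = event.get("debugContext", {}).get("debugData", {}).get("risk")
    level, reasons = parse_risk_field(raw)
    return RiskAssessment(event["actor"]["alternateId"], level, reasons)


def rule_matches(rule, assessment):
    """Mirror the UI condition: Any matches every sign-in, otherwise exact level match."""
    return rule.level == "ANY" or rule.level == assessment.level


def first_matching_rule(rules, assessment):
    """Rules are evaluated top to bottom; the first match decides the action."""
    for rule in rules:
        if rule_matches(rule, assessment):
            return rule
    return None


def triage(events, rules):
    """Return (actor, level, reasons, action) for every event."""
    results = []
    for event in events:
        a = assess_event(event)
        rule = first_matching_rule(rules, a)
        results.append((a.actor, a.level, tuple(a.reasons), rule.action if rule else "NO_MATCH"))
    return results


def reason_counts(events):
    """Count how often each reason appears; useful for spotting a spike in Suspected Threat."""
    return Counter(r for e in events for r in assess_event(e).reasons)


# Constructed sample events, not real System Log output.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"risk": "{level=HIGH, reasons=Anomalous Location,Suspected Threat}"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"risk": "{level=LOW}"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {}}},   # no risk data at all
]

# Constructed rules in priority order; the catch-all "Any" rule comes last.
RULES = [
    RiskRule("Deny high-risk sign-ins", "HIGH", "DENY"),
    RiskRule("Step up on medium risk", "MEDIUM", "MFA_REQUIRED"),
    RiskRule("Default", "ANY", "ALLOW"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, RULES):
        print(row)
    print(reason_counts(SAMPLE_EVENTS))
```

Note that carol's event carries no risk data and falls through to the Any rule, which is exactly what the default Any condition does in the Admin Console; if you do not want sign-ins without a computed risk level to reach the catch-all, put a rule for them above it rather than relying on the default.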