Admins can create a sign-on policy rule, set a risk level, and assign a corresponding action based on the specified risk level. A high risk is assigned to new users initially; over time the risk level is reduced as more information is gathered. The more a user continues to sign in to Okta with expected activity, the more likely they are to be assigned a lower risk level.
Risk Scoring is designed to complement automation detection and is not intended to serve as any of the following:
- Substitute for bot management or automation detection
- Replacement for Web Application Firewalls (WAFs)
- Assistance with any type of security compliance
If you're using risk-based authentication, you may also consider Factor Sequencing, which allows you to enable a combination of various MFA factors for end-user authentication.
To configure Risk Scoring:
- In the admin console, navigate to Security > Authentication.
- Click Sign On.
- Under your existing sign-on policy, click Add Rule.
Under the condition name And Risk is, select a risk level of Low, Medium, or High to change the level of risk that is evaluated when a user signs in. The risk level Any is selected by default.
System Log events
Risk Scoring can be assessed in the System Log based on any combination of the following three strings:
- Anomalous Location
- Anomalous Device
- Suspected Threat (based on ThreatInsight detection)
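
One way to triage these entries after exporting System Log events as JSON lines, shown as an added example that is not Okta's code. It assumes the risk data sits in `debugContext.debugData.risk` as a `{reasons=..., level=...}` string, which this page does not state; the sample events are constructed and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# The three reason strings named on this page.
RISK_REASONS = ("Anomalous Location", "Anomalous Device", "Suspected Threat")

# Constructed sample events (not real log data). The debugContext.debugData.risk
# field and its "{reasons=..., level=...}" layout are assumptions of this example.
SAMPLE_EVENTS = """
{"published": "2024-01-05T09:12:44Z", "actor": {"alternateId": "alice@example.com"}, "debugContext": {"debugData": {"risk": "{reasons=Anomalous Location, Anomalous Device, level=HIGH}"}}}
{"published": "2024-01-05T09:15:02Z", "actor": {"alternateId": "bob@example.com"}, "debugContext": {"debugData": {"risk": "{level=LOW}"}}}
{"published": "2024-01-05T09:20:31Z", "actor": {"alternateId": "alice@example.com"}, "debugContext": {"debugData": {"risk": "{reasons=Suspected Threat, level=MEDIUM}"}}}
{"published": "2024-01-05T09:21:00Z", "actor": {"alternateId": "carol@example.com"}, "debugContext": {"debugData": {}}}
"""

def parse_risk(risk_text):
    """Return (level, [reasons]) from a risk string; (None, []) if absent."""
    if not risk_text:
        return None, []
    level = re.search(r"level=([A-Za-z]+)", risk_text)
    # Match only the known strings so an unexpected value is never reported as a reason.
    reasons = [r for r in RISK_REASONS if r in risk_text]
    return (level.group(1).upper() if level else None), reasons

def flag_risky_signins(jsonl_text, min_level="MEDIUM"):
    """Group sign-ins at or above min_level by user, with their risk reasons."""
    order = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    hits = defaultdict(list)
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        risk = event.get("debugContext", {}).get("debugData", {}).get("risk")
        level, reasons = parse_risk(risk)
        if level in order and order[level] >= order[min_level]:
            user = event.get("actor", {}).get("alternateId", "unknown")
            hits[user].append((event.get("published"), level, reasons))
    return dict(hits)

if __name__ == "__main__":
    for user, events in flag_risky_signins(SAMPLE_EVENTS).items():
        for when, level, reasons in events:
            print(f"{when} {user} risk={level} reasons={', '.join(reasons) or 'none'}")
```

Events with no risk field, such as the last sample line, are skipped rather than treated as low risk, so missing data does not read as a clean sign-in.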