About Behavior Detection

Deciding when to require a second MFA factor is a common challenge for admins. With this feature, admins can configure the system so that individual end users are only prompted for an additional authenticator when there is a change in behavior that the admin defines.

There are two components of Behavior Detection that admins can configure:

  • Define the behavior to track.
  • Define an action to take if there is a change in trackable behavior for an end user.

Component: Trackable Behaviors

Examples:

  • Sign in from a new country, state, or city
  • Sign in from a new location more than a specified distance from previous successful sign-ins
  • Sign in from a new device
  • Sign in from a new IP address
  • Sign in from a location deemed unfeasible for a user to travel to across two successive sign-in attempts

Behavior Detection considerations

  • You can't deny access if a behavior condition is selected in a sign-on policy.
  • You can reset the behavior profile for an end user. This reset clears all tracked behavior history for the end user, but continues tracking new behavior.
  • You must include the new behavior in a sign-on policy in order for behavior detection to take effect. Defining a behavior does not trigger any actions unless it is added to a policy.
  • Location data is provided by a third-party geolocation provider. To improve accuracy as much as possible, Okta also updates geolocation IP data on a weekly basis.
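
The tracked behaviors and considerations above, as an added sketch that is not Okta's implementation or API: a per-user profile is compared with each new sign-in, and a prompt is raised only when a changed behavior is also named in the policy. The class and function names, the behavior labels, the 500 km and 900 km/h thresholds, and the sample sign-ins are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SignIn:
    ts: float      # epoch seconds of the sign-in
    ip: str
    device: str
    country: str
    lat: float
    lon: float

def km_between(a, b):
    """Haversine great-circle distance between two sign-ins, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

@dataclass
class Profile:
    history: list = field(default_factory=list)  # previous successful sign-ins

    def reset(self):
        """Clear tracked history; tracking resumes with the next sign-in."""
        self.history.clear()

    def changes(self, s, max_km=500.0, max_kmh=900.0):  # assumed thresholds
        """Return the labels (hypothetical names) of behaviors that changed for s."""
        h = self.history  # empty history: every attribute is new (this sketch's choice)
        hours = max((s.ts - h[-1].ts) / 3600, 1e-6) if h else None
        checks = {
            "new_country": s.country not in {p.country for p in h},
            "new_ip": s.ip not in {p.ip for p in h},
            "new_device": s.device not in {p.device for p in h},
            "new_location": all(km_between(p, s) > max_km for p in h),
            "velocity": bool(h) and km_between(h[-1], s) / hours > max_kmh,
        }
        return {name for name, hit in checks.items() if hit}

def needs_mfa(profile, s, policy_behaviors):
    """Prompt (never deny) only if a changed behavior is named in the policy."""
    prompt = bool(profile.changes(s) & set(policy_behaviors))
    profile.history.append(s)  # assumes the sign-in then completes successfully
    return prompt

# Constructed sample sign-ins (documentation IP ranges, approximate coordinates).
NYC1 = SignIn(0, "198.51.100.10", "laptop-1", "US", 40.7128, -74.0060)
NYC2 = SignIn(3600, "198.51.100.10", "laptop-1", "US", 40.7128, -74.0060)
LON = SignIn(10800, "203.0.113.5", "laptop-1", "GB", 51.5074, -0.1278)
```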

Related topics

About Behavior types

Behavior Detection events

Configure Behavior Detection

Sign-on policies