About behavior detection

The behavior detection feature enables you to configure when users are required to provide a second form of authentication.

To use behavior detection, you specify the following information:

  • The type of behavior you want to track.
  • Details about the granularity, scope, or number of previous successful authentications to consider when evaluating the user behavior.

You don’t specify the action to take as part of defining the behavior conditions to track. You do that separately when you add behavior conditions to sign-on policies. You must add behavior conditions to a sign-on policy for behavior detection to take effect.

You can't deny access to users based on behavior conditions. This limitation helps to prevent legitimate users from being locked out of their accounts. They are only denied access if multifactor authentication fails.

Behavior types

You configure behavior detection by first selecting the types of behavior you want to track. You can then provide a name for the behavior condition and specify the details of the condition to be evaluated when users sign in.

The types of behavior you can track fall into the following general categories:

  • Location
  • IP address
  • Device
  • Velocity

Behavior conditions

Each behavior type can have multiple named behavior conditions. For example, you can set up behavior detection to track the sign-in activity for the following conditions:

  • Sign in from a new country, state, or city
  • Sign in from a new location more than a specified distance from previous successful sign-in attempts
  • Sign in from a new device
  • Sign in from a new IP address
  • Sign in from a location deemed unfeasible for a user to travel to across two successive sign-in attempts

To take this example of multiple behavior conditions a bit further, assume you have two location behavior conditions:

  • Country-based tracks the country from which the sign-in attempt originates
  • City-based tracks the city from which the sign-in attempt originates

You can add both of these behaviors to a sign-on policy to require multifactor authentication the first time a change of country is detected, but permit access without a second factor challenge if a change of city is detected.

How behavior conditions are evaluated

The following table provides additional information about the types of behavior detection you can configure.

| Behavior type | Condition type | Description | Default evaluation and customization |
| --- | --- | --- | --- |
| Location | New city | A city that hasn't been the source of a prior, successful sign-in attempt. | Checked against the last 20 successful sign-in attempts. You can change the number to check against. |
| Location | New state | A state or region that hasn't been the source of a prior, successful sign-in attempt. | Checked against the last 15 successful sign-in attempts. You can change the number to check against. |
| Location | New country | A country that hasn't been the source of a prior, successful sign-in attempt. | Checked against the last 10 successful sign-in attempts. You can change the number to check against. |
| Location | New geo-location | A location outside a specified radius that hasn't been the source of a prior, successful sign-in attempt. | Checked against the last 20 successful sign-in attempts for locations that are outside a 20-kilometer radius of the locations of prior, successful sign-in attempts. You can change the number to check against, specify the radius size, and define the location by longitude and latitude. |
| Device | New device | A device that hasn't been the source of a prior, successful sign-in attempt. A device is based on the client, so changing the browser is considered a new device. An improved new device detection feature provides a better mechanism for detecting new devices for browsers that store HTTP cookies. Device behavior detection is based on data passed from a web browser and a trusted application. For details about this feature, see Improved new device behavior detection. | Checked against the last 20 successful sign-in attempts. You can change the number to check against. |
| IP | New IP address | An IP address that hasn't been the source of a prior, successful sign-in attempt. | Checked against the last 50 successful sign-in attempts. You can change the number to check against. |
| Velocity | Velocity | A measurement of velocity used to identify suspicious sign-in attempts. Velocity is evaluated based on the distance and time elapsed between two successive user sign-in attempts. | Checked against the geographic distance and time elapsed between two successive sign-in attempts. Defaults to 805 km/h (500 mph). |

Location data is provided by a third-party geolocation service. Okta updates the geolocation IP data on a weekly basis.
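The following is an added illustration, not Okta's own code, of how the conditions in the table are evaluated at their default windows and thresholds (last 20 sign-ins for city and geo-location, 10 for country, 50 for IP, a 20 km radius, and 805 km/h for velocity) against a constructed history of successful sign-ins. The record layout, the haversine distance, and the sample coordinates and IP addresses are assumptions made for the example; state and device conditions are omitted because the constructed record carries no state or client data.

```python
# Added example, not Okta's code: evaluates the table's behavior conditions.
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SignIn = namedtuple("SignIn", "ts ip country city lat lon")  # one successful sign-in

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(history, attempt, velocity_kmh=805.0, radius_km=20.0):
    """Return the set of conditions `attempt` triggers. `history` holds prior
    successful sign-ins, oldest first; windows are the table defaults (city 20,
    country 10, geo-location 20, IP 50). State and device are omitted: the
    record carries no state or client data."""
    triggered = set()
    if attempt.city not in {s.city for s in history[-20:]}:
        triggered.add("new_city")
    if attempt.country not in {s.country for s in history[-10:]}:
        triggered.add("new_country")
    if attempt.ip not in {s.ip for s in history[-50:]}:
        triggered.add("new_ip")
    # New geo-location: none of the last 20 sign-ins lies within radius_km.
    if all(haversine_km(s.lat, s.lon, attempt.lat, attempt.lon) > radius_km
           for s in history[-20:]):
        triggered.add("new_geolocation")
    # Velocity: speed implied by distance and time since the most recent sign-in.
    if history:
        last = history[-1]
        hours = (attempt.ts - last.ts).total_seconds() / 3600
        dist = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if dist > 0 and (hours <= 0 or dist / hours > velocity_kmh):
            triggered.add("velocity")
    return triggered

def demo():
    """Constructed data: five London sign-ins from one IP, then two fresh attempts."""
    hist = [SignIn(datetime(2024, 1, 1 + d, 9), "203.0.113.5", "GB", "London", 51.5074, -0.1278)
            for d in range(5)]
    t = hist[-1].ts
    return (evaluate(hist, SignIn(t + timedelta(days=1), "203.0.113.5", "GB", "London", 51.5074, -0.1278)),
            evaluate(hist, SignIn(t + timedelta(hours=1), "198.51.100.7", "US", "New York", 40.7128, -74.0060)))
```

`demo()` returns an empty set for the routine London sign-in and all five conditions for the New York attempt one hour later, since roughly 5,570 km in one hour far exceeds 805 km/h.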

Related topics

Configure behavior detection

Configure an Okta sign-on policy

Behavior detection events

Reset the user behavior profile