About Behavior Detection

Deciding when to require a second MFA factor is a common challenge for admins. With this feature, admins can configure the system so that individual end users are only prompted for an additional authenticator when there is a change in behavior that the admin defines.

There are two components of Behavior Detection that admins can configure:

  • Define the behavior to track.
  • Define an action to take if there is a change in trackable behavior for an end user.
Components and examples

Trackable behaviors
  • Sign in from a new country, state, or city
  • Sign in from a new location more than a specified distance from previous successful sign-ins
  • Sign in from a new device
  • Sign in from a new IP address
  • Sign in from a location deemed unfeasible for a user to travel to across two successive sign-in attempts

Actions to take
  • Permit access
  • Require the end user to validate with an additional multifactor authentication factor
  • Set the session lifetime
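
The evaluation described above, as an added illustration that is not Okta's own code: each configured behavior is checked against the user's previous successful sign-ins, and a sign-on policy turns any change into a decision. The distance and velocity thresholds, rule names and sample sign-ins are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Added illustration; thresholds, rule names and data are constructed, not Okta's engine or defaults.
EARTH_RADIUS_KM = 6371.0

@dataclass
class SignIn:
    when: datetime
    country: str
    city: str
    device_id: str
    ip: str
    lat: float
    lon: float

def distance_km(a, b):
    """Great-circle (haversine) distance between two sign-in locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def changed_behaviors(history, attempt, max_km=500.0, max_kmh=900.0):
    """Names of tracked behaviors that changed versus the user's successful sign-ins."""
    if not history:
        return []  # no baseline yet: nothing counts as "new"
    found = []
    for name, attr in (("new_country", "country"), ("new_city", "city"),
                       ("new_device", "device_id"), ("new_ip", "ip")):
        if getattr(attempt, attr) not in {getattr(s, attr) for s in history}:
            found.append(name)
    last = max(history, key=lambda s: s.when)  # compare against the latest successful sign-in
    km = distance_km(last, attempt)
    if km > max_km:
        found.append("new_location_distance")
    hours = (attempt.when - last.when).total_seconds() / 3600
    speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
    if speed > max_kmh:  # travel between the two sign-ins is not feasible
        found.append("velocity")
    return found

def decide(history, attempt):
    """Policy action: any changed behavior requires an additional MFA factor."""
    return "REQUIRE_MFA" if changed_behaviors(history, attempt) else "PERMIT"

# Constructed samples: one prior sign-in from London, then two new attempts.
HISTORY = [SignIn(datetime(2024, 5, 1, 9, 0), "GB", "London", "dev-1", "203.0.113.5", 51.5074, -0.1278)]
ATTEMPT_SAME = SignIn(datetime(2024, 5, 1, 11, 0), "GB", "London", "dev-1", "203.0.113.5", 51.5074, -0.1278)
ATTEMPT_NYC = SignIn(datetime(2024, 5, 1, 10, 0), "US", "New York", "dev-2", "198.51.100.7", 40.7128, -74.0060)
```

Note that with an empty history nothing is flagged, which is the state a user is in right after an admin resets their behavior profile.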

Behavior Detection considerations

  • You can't deny access if a behavior condition is selected in a sign-on policy.
  • You can reset the behavior profile for an end user. This reset clears all tracked behavior history for the end user, but continues tracking new behavior.
  • You must include the new behavior in a sign-on policy in order for behavior detection to take effect. Defining a behavior does not trigger any actions unless it is added to a policy.
  • Location policies are based on a third-party geolocation database. Okta updates geolocation IP data once a week to minimize potential inaccuracies with location data. Occasionally, the geolocation data that Okta receives is either incorrect or unavailable.

Related topics

About Behavior types

Behavior Detection events

Configure Behavior Detection

Sign-on policies