About Security Behavior Detection

Deciding when to require a second MFA factor is a common challenge for admins. With this feature, admins can configure the system so that individual end users are only prompted for an additional MFA factor when there is a change in behavior that the admin defines.

There are two components of Security Behavior Detection that admins can configure:

  • Define the behavior to track
  • Define an action to take if there is a change in trackable behavior for an end user

Components and examples

Trackable behaviors
  • Sign in from a new country, state, or city
  • Sign in from a new location more than a specified distance from previous successful sign-ins
  • Sign in from a new device
  • Sign in from a new IP address
  • Sign in from a location deemed unfeasible for a user to travel to across two successive sign-in attempts

Actions to take
  • Permit access
  • Require the end user to validate with an additional multifactor authentication factor
  • Set the session lifetime

Security Behavior Detection considerations

  • You can't deny access if a behavior condition is selected in a sign-on policy rule.
  • You can reset the behavior profile for an end user. This reset clears all tracked behavior history for the end user, but continues tracking new behavior.
  • You must include the new behavior in a sign-on policy in order for behavior detection to take effect. Defining a behavior does not trigger any actions unless it is added to a policy.
  • Location policies are based on a third-party geolocation database. Okta updates geolocation IP data once a week to minimize potential inaccuracies with location data. Occasionally, the geolocation data that Okta receives is either incorrect or unavailable.
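As an added illustration (not Okta's code or its detection algorithm), the following Python model shows how a per-user behavior profile can flag the trackable behaviors listed above, including the distance and unfeasible-travel cases, map them to a permit or step-up action, and be reset as described in the considerations. The record schema, the distance and speed thresholds, and the sample sign-ins are assumed for the example.

```python
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt

@dataclass
class SignIn:
    """One successful sign-in: the data a behavior profile tracks (constructed schema)."""
    ts: float       # epoch seconds
    ip: str
    device: str
    country: str
    lat: float
    lon: float

@dataclass
class BehaviorProfile:
    """Per-user history of successful sign-ins."""
    history: list = field(default_factory=list)
    def reset(self):
        """Clear tracked history; new sign-ins keep being recorded afterwards."""
        self.history.clear()

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(profile, attempt, radius_km=200.0, max_kph=800.0):
    """Return the behavior changes this attempt shows relative to the tracked profile."""
    hits = set()
    if not profile.history:
        return hits  # nothing tracked yet (or just reset): no change can be detected
    if attempt.country not in {s.country for s in profile.history}:
        hits.add("new_country")
    if attempt.device not in {s.device for s in profile.history}:
        hits.add("new_device")
    if attempt.ip not in {s.ip for s in profile.history}:
        hits.add("new_ip")
    if all(haversine_km(attempt.lat, attempt.lon, s.lat, s.lon) > radius_km for s in profile.history):
        hits.add("new_location")
    last = max(profile.history, key=lambda s: s.ts)  # most recent successful sign-in
    dist = haversine_km(attempt.lat, attempt.lon, last.lat, last.lon)
    hours = max((attempt.ts - last.ts) / 3600.0, 1e-9)
    if dist / hours > max_kph:
        hits.add("velocity")  # travel between the two sign-ins is unfeasibly fast
    return hits

def decide(hits, mfa_on=frozenset({"new_country", "new_device", "velocity"})):
    """Map detected changes to a sign-on rule action; deny is not an option for behaviors."""
    return "REQUIRE_MFA" if hits & mfa_on else "PERMIT"
```

The `mfa_on` set plays the role of the sign-on policy rule: a behavior that is tracked but not referenced there changes nothing, matching the note that a defined behavior triggers no action until it is added to a policy.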

Related topics

Security Behavior Detection types

Security Behavior Detection System Log events

Security Behavior Detection configuration

Security Policies