About Security Behavior Detection

There are two components of security behavior detection that admins can configure:

  • Define the behavior to track.
  • Define an action to take if there is a change in trackable behavior for an end user.

Components and examples:

Trackable behaviors
  • Sign in from a new country, state, or city
  • Sign in from a new location more than a specified distance from previous successful sign-ins
  • Sign in from a new device
  • Sign in from a new IP address
  • Sign in from a location deemed unfeasible for a user to travel to across two successive sign-in attempts

Actions to take
  • Permit access
  • Require the end user to validate with an additional multifactor authentication factor
  • Set the session lifetime

Security Behavior Detection considerations

  • You cannot deny access if a behavior condition is selected in a sign-on policy rule.
  • You can reset the behavior profile for an end user. This reset clears all tracked behavior history for the end user, but continues tracking new behavior.
  • You must include the new behavior in a sign-on policy in order for behavior detection to take effect. Defining a behavior does not trigger any actions unless it is added to a policy.
  • Location policies are based on a third-party geolocation database. Okta updates geolocation IP data once a week to minimize potential inaccuracies with location data. Occasionally, the geolocation data that Okta receives is either incorrect or unavailable.
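
To make the behaviors and considerations above concrete, the following added example (an illustration, not Okta's implementation) evaluates a new sign-in against a user's history and maps the result to a policy action. The thresholds, the behavior names, the `SignIn` record, and the handling of an empty history or missing geolocation are all assumptions of this sketch.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SignIn:
    ts: float                            # epoch seconds
    ip: str
    device: str
    geo: Optional[Tuple[float, float]]   # (lat, lon); None when geolocation is unavailable

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def detect(history, new, max_km=500.0, max_kmh=900.0, jitter_km=50.0):
    """Behaviors that changed versus prior successful sign-ins (oldest first)."""
    hits = set()
    if new.ip not in {s.ip for s in history}:
        hits.add("new_ip")
    if new.device not in {s.device for s in history}:
        hits.add("new_device")
    located = [s for s in history if s.geo is not None]
    if new.geo is None or not located:
        return hits                      # assumption: no location data, skip location checks
    if min(km_between(s.geo, new.geo) for s in located) > max_km:
        hits.add("new_location")
    prev = located[-1]                   # most recent sign-in with a location
    dist = km_between(prev.geo, new.geo)
    hours = max((new.ts - prev.ts) / 3600.0, 1e-6)
    if dist > jitter_km and dist / hours > max_kmh:
        hits.add("infeasible_travel")    # jitter_km ignores small geolocation noise
    return hits

def decide(hits, in_policy):
    """A behavior only has an effect when the sign-on policy rule includes it;
    the outcome is permit or step-up MFA, never deny."""
    return "require_mfa" if hits & in_policy else "permit"

# Constructed sample data (documentation IP ranges, made-up device names).
HISTORY = [SignIn(0, "192.0.2.10", "laptop-1", (52.52, 13.405))]       # Berlin
NEW = SignIn(3600, "198.51.100.7", "laptop-1", (40.7128, -74.0060))    # New York, 1 h later

if __name__ == "__main__":
    hits = detect(HISTORY, NEW)
    print(sorted(hits), decide(hits, {"infeasible_travel"}))
```

Passing an empty set as `in_policy` models a behavior that has been defined but not added to any sign-on policy: the detection still fires, but the decision stays `permit`.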
