Behavior Detection and Risk FAQs
Behavior Detection and Risk Frequently asked questions (FAQs) is a resource that provides administrators with useful information about providing a greater level of assurance and prevention from credential-based attacks.
Security Behavior Detection enables administrators to configure policies to track specific behavior and define an action to take if there is a change in the tracked behavior for an end user (for example, if a user is trying to authenticate from an IP, never used before by this specific user). This feature provides administrators with the flexibility to determine which behaviors they would like to add to a policy.
Risk-based authentication automatically evaluates risk using multiple features such as IP address, device and behaviors together for each user attempting to access the network. Risk and behavior can both be used on the same policy. Risk-based authentication allows admins to aggregate risk over several behaviors without the need for specific behavior configuration.
Okta ThreatInsight is a tool used for large scale attack mitigation. It is designed to reduce automated account takeover attempts such as brute force and password spray attacks.
Risk-based authentication is designed to reduce authentication friction and targeted attacks. When a username and password is used in an anomalous way (such as unexpected IP and device), the system can assign a high risk to the login attempt.
Risk Engine is the component that enables Risk-based authentication. For each user, Risk Engine builds a behavior profile based on past information such as IPs and devices that are used to successfully authenticate. This user behavior profile drives the risk level for a specific authentication.
Okta ThreatInsight, Risk-based authentication and behavior provide a tiered system of protection. Okta ThreatInsight detects and blocks threats and acts as a first line of defense by mitigating large scale attacks. Risk-based authentication and behavior provide additional protection. The Risk Engine detects anomalous user behavior that might indicate targeted attacks on this user.