Improved new device behavior detection

The Improved New Device Behavior Detection feature supports browsers that store HTTP cookies. Device behavior detection is based on data passed from a web browser and a trusted application. See Behavior detection for more information about securing your org based on end-user activity and behavior.

When enabled, the Improved New Device Behavior Detection information is part of policy evaluation and can result in a user being prompted for MFA or allowed to sign on.

Note

Okta provides additional security to users for new device sign-ons. The New sign-on notification email is sent to users when a sign-on from a new device is detected. See General Security.

Known limitations

  • If Improved New Device Behavior Detection is enabled for your org, sign-in activity from a device using a browser without an HTTP cookie is treated as a new device with limited accuracy.
  • Currently, new sign-on notifications do not use the Improved New Device Behavior Detection feature when sending email notifications for new sign-ins. Changes to deviceToken or browser cookies may not trigger a new sign-on email notification.

Trusted applications

Trusted applications are responsible for identifying devices as part of new device detection.

  • If Improved New Device Behavior Detection is enabled for your org, you can send a unique identifier for each device using deviceToken in the context object. See Authentication context object.
    • Sign-in activity from a device is identified as a new device when the unique identifier is not sent by a trusted application.
  • If Improved New Device Behavior Detection is not enabled for your org, you can send a unique identifier for each device using the X-DEVICE-FINGERPRINT header. See Primary authentication with device fingerprinting.

To learn how to generate a unique identifier, see Device fingerprint best practices.
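The two cases above, as an added example (not Okta's code): a trusted application creates one random identifier per device, persists it, and places it either in `context.deviceToken` or in the `X-DEVICE-FINGERPRINT` header of a primary authentication request. The `/api/v1/authn` path and `SSWS` API-token header are taken from Okta's Authentication API as assumptions not stated on this page; the 32-character limit, the file-based store, and the function names are also assumptions.

```python
import json
import secrets
from pathlib import Path

AUTHN_PATH = "/api/v1/authn"   # assumption: Okta primary authentication endpoint
DEVICE_TOKEN_MAX_LEN = 32      # assumption: maximum accepted deviceToken length


def load_or_create_device_id(store: Path) -> str:
    """Return the identifier persisted for this device, creating it only once.

    A stable value is what lets sign-ins from the same device be recognized;
    regenerating it on every sign-in would make each one look like a new device.
    """
    if store.exists():
        device_id = store.read_text().strip()
        if 0 < len(device_id) <= DEVICE_TOKEN_MAX_LEN:
            return device_id
    device_id = secrets.token_hex(16)  # 128 random bits as 32 hex characters
    store.write_text(device_id)
    store.chmod(0o600)                 # readable by the owning account only
    return device_id


def build_authn_request(org_url, api_token, username, password,
                        device_id, improved_detection):
    """Build (without sending) the sign-in request a trusted application makes."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {api_token}",  # marks the caller as trusted
    }
    body = {"username": username, "password": password}
    if improved_detection:
        # Feature enabled: the identifier travels in the context object.
        body["context"] = {"deviceToken": device_id}
    else:
        # Feature not enabled: the identifier travels in the header instead.
        headers["X-DEVICE-FINGERPRINT"] = device_id
    return {
        "method": "POST",
        "url": org_url.rstrip("/") + AUTHN_PATH,
        "headers": headers,
        "body": json.dumps(body),
    }
```

If the identifier is omitted from the request, the sign-in is treated as coming from a new device, so the stored value should survive application restarts and updates.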

Note about device detection

In the past, Okta used JavaScript fingerprinting to identify new devices. As part of the Improved New Device Behavior Detection feature, any reliance on fingerprinting is now deprecated for the following reasons:

  • Browser fingerprinting provides only best-effort accuracy because web browser vendors such as Apple and Mozilla are reducing fingerprint accuracy in their browsers.
  • The browser fingerprint may change over time, and the same browser fingerprint may be sent from multiple devices.

As a result, Okta recommends enabling Improved New Device Behavior Detection for more accurate detection.

Related topics

Behavior detection

About Network Zones

Okta ThreatInsight