Security Behavior Detection types

Behavior types are based on changes in location, device, IP address or velocity from which Okta is accessed. Each behavior type can have multiple named behaviors.

Behavior type example

One location behavior can be based on the country from which the sign in originates, and another behavior can be based on the city from which the sign on originates. Either or both of these behaviors can be used in sign on policies; in this example, you can prompt for a second MFA factor when there is a change of country, but permit access when there is a change of city.

The following table defines these behaviors:

Behavior Type

Name

Description

Defaults and Customization

Location New City A city that has not been the source of a prior, successful sign in. Checked against the last 20 successful sign ins. You can change the number to check against.
New State A state or region that has not been the source of a prior, successful sign in. Checked against the last 15 successful sign ins. You can change the number of successful sign ins to check against.
New Country A country that has not been the source of a prior, successful sign in. Checked against the last 10 successful sign ins. You can change the number of successful sign ins to check against.
New Geo-Location A location outside a specified radius that has not been the source of a prior, successful sign in. Checked against the last 20 successful sign ins for locations that are outside a 20 kilometer radius of the locations of prior, successful sign ins. You can change the number of successful sign ins to check against, specify the radius size, and define the location by longitude and latitude.
Device New Device

A device that has not been the source of a prior, successful sign in. A device is based on the client. Changing the browser is considered new device.

See Improved New Device Behavior Detection

Checked against the last 20 successful sign ins. You can change the number of successful sign ins to check against.
IP New IP An IP address that has not been the source of a prior, successful sign in. Checked against the last 50 successful sign ins. You can change the number of successful sign ins to check against.
Velocity Velocity

A measurement of velocity used to identify suspicious sign-ins. Velocity is evaluated based on the distance and time elapsed between two subsequent user sign-ins.

Checked against the geographic distance and time elapsed between two successive sign-ins. Defaults to 805 km/h (500 mph).

Related topics

Security Behavior Detection configuration