Risk scoring

Risk scoring uses a data-driven risk engine to determine whether a sign-in event is likely to represent malicious activity. Okta assigns a risk level to each sign-in attempt by evaluating information such as the following:

  • The IP address used to make the sign-in request
  • Behavioral information about the user who made the sign-in request
  • Previous successful and failed sign-in attempts
  • Routing information associated with the request

Using this information, you can configure custom sign-on policies for different scenarios based on the risk level. If a sign-in attempt is identified as "high" risk, you can configure the sign-on policy to require extra authentication before granting access.

The risk engine automatically identifies all new user sign-on attempts as "high" risk events. With each subsequent successful sign-in attempt, the risk engine gathers more information about the user’s sign-in activity and patterns and evaluates subsequent sign-in attempts relative to this baseline.

For accurate risk evaluation and mitigation, trusted apps must send a valid deviceToken to Okta.

Risk scoring is designed to complement, not replace, existing security tools. Don't use it for the following activities:

  • Substitute bot management or automation detection
  • Replace web application firewalls
  • Assist with any type of security compliance

Risk-related information in System Log events

System Log events record information about how the risk level was determined for each authentication attempt. For example, the risk level for a sign-in event might be based on any combination of the following factors:

  • Anomalous location
  • Anomalous device
  • Suspected threat based on Okta ThreatInsight detection

To see details about the risk evaluation for an event, go to DebugContext and DebugData. For example:

Risk evaluation in the System Log under DebugData

In this example, the risk level for this sign-in attempt is MEDIUM because the user signed in using a new device, as indicated by reasons=Anomalous Device.

You might notice that the ThreatSuspected field is false even though the risk level is MEDIUM. If this sign-in attempt was from an IP address suspected of potentially malicious activity, the ThreatSuspected field would display true.

You can also query the System Log to view all events with a specific risk level. For example, to see a list of events identified as MEDIUM risk level, you can filter the System Log using the following query:

debugContext.debugData.risk eq "{level=MEDIUM}"

To see a list of events identified as HIGH risk level, you can filter the System Log using the following query:

debugContext.debugData.risk eq "{level=HIGH}"

To see a list of events identified as LOW risk level, you can filter the System Log using the following query:

debugContext.debugData.risk eq "{level=LOW}"

By default, Okta evaluates all sign-in requests for risk and changes in user behavior. If you don't configure rules that evaluate the risk level of sign-in requests, the results of the risk and behavior evaluation are added to the DebugContext section in the System Log in the LogOnlySecurityData field. See Risk and behavior evaluation

Configure risk scoring

You can add risk scoring as a condition for any application or Okta sign-on policy rule by setting the AND Risk is field for a rule to Low, Medium, or High.

Rules have the risk level set to Any by default.

To configure risk scoring:

  1. Create an Okta global session policy and configure the rule for it:
  2. Create an authentication policy and configure the rule for it:
  3. Select the AND Risk is condition, then select a risk level and save the rule.

Related topics

About Okta ThreatInsight

About Behavior Detection

Risk and behavior evaluation