Risk scoring uses a data-driven risk engine to determine whether each sign-in event is likely to represent unusual activity. Okta assigns a risk level to each sign-in attempt by evaluating information such as the following:
- The IP address used to make the sign-in request.
- Behavioral information about the user who made the sign-in request.
- Previous successful and failed sign-in attempts.
- Routing information associated with the request.
You can use this risk assessment information when you configure sign-on policy rules to take different actions based on the risk level of the sign-in event. For example, you can configure a sign-on policy to require multifactor authentication if the sign-in attempt is identified as high risk.
The risk engine automatically identifies all new user sign-on attempts as high risk. With each subsequent successful sign-on attempt, the risk engine gathers more information about the user’s sign-on activity and patterns and reduces the user's risk level.
For accurate risk evaluation and mitigation, trusted apps need to send a valid deviceToken to Okta.
Risk scoring is designed to complement, not replace, existing security tools and should not be used to:
- Substitute bot management or automation detection
- Replace Web Application Firewalls (WAFs)
- Assist with any type of security compliance
You can also combine risk scoring with the Okta Verify push notification number challenge feature to add even more protection to sign-in activity. For example, if you configure Okta sign-on policies to evaluate risk conditions, Okta uses information such as the device details and location to determine the risk level of the sign-in attempt. You can configure the policy to then take different actions based on the risk level assigned to the sign-in attempt. For more information about the Okta Verify push notification number challenge, see Configure Okta Verify options.
System Log entries record how the risk level was determined for each authentication attempt. For example, the risk level assigned to a sign-in event might be based on any combination of the following factors:
- Anomalous location
- Anomalous device
- Suspected threat based on Okta ThreatInsight detection
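The following is an added example, not code from Okta or from this page, showing how a detection engineer might read those System Log entries and pull out the sign-ins that were scored at or above a chosen risk level, or that ThreatInsight flagged. It assumes the risk details appear under `debugContext.debugData.risk` as a brace-wrapped list such as `{reasons=Anomalous Device, Anomalous Location, level=HIGH}`, and that ThreatInsight detection appears as `debugContext.debugData.threatSuspected`; those field names and the string format are taken from observed System Log output and should be checked against your own tenant's events. The events are constructed samples, not real log data.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Ordering used to compare risk levels. UNKNOWN ranks below LOW so that an event
# with no recorded risk field never satisfies a threshold by accident.
RISK_ORDER = {"UNKNOWN": -1, "LOW": 0, "MEDIUM": 1, "HIGH": 2}

_LEVEL_RE = re.compile(r"\blevel=([A-Z]+)")
_REASONS_RE = re.compile(r"\breasons=(.*)")


def parse_risk(risk: Optional[str]) -> Tuple[str, List[str]]:
    """Parse the debugContext.debugData.risk string into (level, reasons).

    Assumed format (observed in System Log output): "{level=LOW}" or
    "{reasons=Anomalous Device, Anomalous Location, level=HIGH}". Because the
    reasons list is itself comma-separated, the level token is removed first and
    only then is the remainder after "reasons=" split on commas.
    """
    if not risk:
        return "UNKNOWN", []
    body = risk.strip().strip("{}")
    m = _LEVEL_RE.search(body)
    level = m.group(1) if m else "UNKNOWN"
    body = _LEVEL_RE.sub("", body)
    m = _REASONS_RE.search(body)
    reasons: List[str] = []
    if m:
        reasons = [r.strip() for r in m.group(1).split(",") if r.strip()]
    return level, reasons


def triage_events(events: List[Dict[str, Any]], min_level: str = "MEDIUM") -> List[Dict[str, Any]]:
    """Return user.session.start events scored >= min_level or flagged by ThreatInsight."""
    threshold = RISK_ORDER[min_level]
    hits = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        debug = ev.get("debugContext", {}).get("debugData", {})
        level, reasons = parse_risk(debug.get("risk"))
        # threatSuspected is recorded as the string "true"/"false" (assumption).
        threat = str(debug.get("threatSuspected", "false")).lower() == "true"
        if RISK_ORDER[level] >= threshold or threat:
            hits.append({
                "user": ev.get("actor", {}).get("alternateId"),
                "ip": ev.get("client", {}).get("ipAddress"),
                "result": ev.get("outcome", {}).get("result"),
                "level": level,
                "reasons": reasons,
                "threat_suspected": threat,
            })
    return hits


def _event(user: str, ip: str, result: str, debug: Dict[str, Any],
           event_type: str = "user.session.start") -> Dict[str, Any]:
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "debugContext": {"debugData": debug}}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # First sign-in from a new device and location: the engine scores it HIGH.
    _event("alice@example.com", "203.0.113.10", "SUCCESS",
           {"risk": "{reasons=Anomalous Device, Anomalous Location, level=HIGH}",
            "threatSuspected": "false"}),
    # Routine sign-in from a known device and location.
    _event("alice@example.com", "198.51.100.7", "SUCCESS",
           {"risk": "{level=LOW}", "threatSuspected": "false"}),
    # Known device, unfamiliar location: MEDIUM.
    _event("bob@example.com", "198.51.100.20", "SUCCESS",
           {"risk": "{reasons=Anomalous Location, level=MEDIUM}", "threatSuspected": "false"}),
    # Risk level LOW, but ThreatInsight flagged the source IP: still worth a look.
    _event("carol@example.com", "192.0.2.44", "FAILURE",
           {"risk": "{level=LOW}", "threatSuspected": "true"}),
    # No risk field recorded at all: treated as UNKNOWN, not as LOW.
    _event("dave@example.com", "198.51.100.9", "SUCCESS", {}),
    # Unrelated event type is ignored.
    _event("erin@example.com", "198.51.100.11", "SUCCESS",
           {"risk": "{level=HIGH}"}, event_type="user.authentication.sso"),
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS, "MEDIUM"):
        print(hit)
```

The event with no risk field is deliberately kept out of the LOW bucket: an absent score means the engine had nothing to say about that attempt (for example, the client did not present a deviceToken), which is a gap to investigate, not evidence that the sign-in was benign.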
You can add risk scoring as a condition for any application or Okta sign-on policy rule. If you add risk scoring to a rule by selecting the AND Risk is condition, you can select a risk level of Low, Medium, or High.
Rules have the risk level set to Any by default.
To configure risk scoring:
- Create an Okta sign-on policy and configure the rule for it: