Behavior Detection and risk evaluation FAQ
Behavior Detection and risk evaluation help to prevent credential-based attacks. The frequently asked questions (FAQs) provide a quick reference to commonly asked questions about Behavior Detection and risk evaluation.
Behavior Detection enables administrators to configure policies to track specific behavior and define an action to take if there's a change in the tracked behavior for an end user (for example, if a user is trying to authenticate from an IP, never used before by this specific user). This feature provides administrators with the flexibility to determine which behaviors they would like to add to a policy.
Risk-based authentication automatically evaluates risk using multiple features such as IP address, device, and behaviors together for each user attempting to access the network. Risk and behavior can both be used on the same policy. Risk-based authentication allows admins to aggregate risk over several behaviors without the need for specific behavior configuration.
Okta ThreatInsight is a tool used for large-scale attack mitigation. It's designed to reduce automated account takeover attempts such as brute force and password spray attacks.
Risk-based authentication is designed to reduce authentication friction and targeted attacks. When a username and password is used in an anomalous way (such as unexpected IP and device), the system can assign a high risk to the login attempt.
Risk Engine is the component that enables risk-based authentication. For each user, Risk Engine builds a behavior profile based on past information such as IPs and devices that are used to successfully authenticate. This user behavior profile drives the risk level for a specific authentication.
Okta ThreatInsight, risk-based authentication, and Behavior Detection provide a tiered system of protection. Okta ThreatInsight detects and blocks threats and acts as a first line of defense by mitigating large-scale attacks. Risk-based authentication and behavior provide extra protection. The Risk Engine detects anomalous user behavior that might indicate targeted attacks on this user.