Behavior Detection and risk evaluation FAQ

Behavior Detection enables administrators to configure policies to track specific behavior and define an action to take if there's a change in the tracked behavior for an end user (for example, if a user is trying to authenticate from an IP, never used before by this specific user). This feature provides administrators with the flexibility to determine which behaviors they would like to add to a policy.

Risk-based authentication automatically evaluates risk using multiple features such as IP address, device, and behaviors together for each user attempting to access the network. Risk and behavior can both be used on the same policy. Risk-based authentication allows admins to aggregate risk over several behaviors without the need for specific behavior configuration.

Okta ThreatInsight is a tool used for large-scale attack mitigation. It's designed to reduce automated account takeover attempts such as brute force and password spray attacks.

Risk-based authentication is designed to reduce authentication friction and targeted attacks. When a username and password is used in an anomalous way (such as unexpected IP and device), the system can assign a high risk to the login attempt.

Okta ThreatInsight, risk-based authentication, and Behavior Detection provide a tiered system of protection. Okta ThreatInsight detects and blocks threats and acts as a first line of defense by mitigating large-scale attacks. Risk-based authentication and behavior provide extra protection. The Risk Engine detects anomalous user behavior that might indicate targeted attacks on this user.