About behavior types

Behavior types are based on changes in the location, device, IP address, or velocity with which the user accesses Okta. You can create multiple named behaviors for each behavior type.

Behavior type example

You can base one behavior on the country, and another on the city, from which the sign-in originates, and include one or both of them in your sign-on policies. In this example, you can prompt for a second MFA authenticator when there's a change of country, but allow access when there's a change of city.

Behavior Type

Name

Description

Defaults and Customization

Location New City A city that hasn't been the source of a successful sign-in before.
  • Checked against the last 20 successful sign-ins.

  • You can change the number to check against.

New State A state or region that hasn't been the source of a successful sign-in before.
  • Checked against the last 15 successful sign-ins.

  • You can change the number of successful sign-ins to check against.

New Country A country that hasn't been the source of a successful sign-in before.
  • Checked against the last 10 successful sign-ins.

  • You can change the number of successful sign-ins to check against.

New Geo-Location A location outside a specified radius that hasn't been the source of a successful sign-in before.
  • Checked against the last 20 successful sign-ins for locations that are outside a 20-kilometer radius of the locations of prior, successful sign-ins.

  • You can change the number of successful sign-ins to check against, specify the radius size, and define the location by longitude and latitude.

Device New Device

A device that hasn't been the source of a successful sign-in before.

A device is defined at the client level. When you sign in using a browser that you haven't used before, Okta considers the new browser as a new device.

See Improved New Device Behavior Detection

  • Checked against the last 20 successful sign-ins.

  • You can change the number of successful sign-ins to check against.

IP New IP An IP address that hasn't been the source of a successful sign-in before.
  • Checked against the last 50 successful sign-ins.

  • You can change the number of successful sign-ins to check against.

Velocity Velocity

A measurement of velocity used to identify suspicious sign-ins. Velocity is evaluated based on the distance and time elapsed between two subsequent user sign-ins.

  • Checked against the geographic distance and time elapsed between two successive sign-ins.

  • The default is 805 km/h (500 mph).

Related topics

Configure Behavior Detection