Identity Threat Protection with Okta AI

Early Access release

Identity-based attacks are a growing threat to organizations and their users. These attacks use techniques like phishing, session hijacking, and credential stuffing to compromise sensitive information about the people in your org. Protecting against these attacks requires a comprehensive security strategy.

Identity Threat Protection with Okta AI is a continuous identity threat solution that responds to threats as they happen. It combines your current identity security solutions (like ThreatInsight, Behavior Detection, and risk-based authentication) to provide complete identity protection to your org.

Identity Threat Protection continuously evaluates users and their sessions, receiving risk signals through the Okta risk engine and through third-party security providers. When Identity Threat Protection identifies changes in a user's risk, Network Zone, device, or behavior, it launches automated mitigation and remediation actions that you can configure according to your org's security requirements.

This constant and real-time risk assessment provides a Zero Trust approach to identity management security.

How it works

Without Identity Threat Protection, your configured global session and authentication policy conditions are only evaluated for identity threats when a user signs in to an org. For all subsequent web requests, your authentication policy is evaluated against the app from which the request is received.

With Identity Threat Protection, these policies are continuously evaluated for identity threats throughout the user’s session, together with your Network zones, Risk scoring, Behavior Detection and evaluation, Okta ThreatInsight, and Device assurance configurations.

Using the Shared Signals Framework (SSF), you can configure a shared signal receiver integration with security events providers to inform your users’ entity risk detections. This allows the security events provider to transmit risk signals to Okta. By receiving risk signals from security events providers, you can uncover more potential identity threats.

A security events provider is a third-party vendor that supports SSF and with whom Okta has partnered to exchange security-related events. You must be a customer of the security events provider to integrate them with Okta.
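
What a receiver checks before it acts on a shared signal, as an added example that is not Okta's code or part of the original page: SSF signals are delivered as Security Event Tokens (RFC 8417), which are signed JWTs carrying an `events` claim. The issuer, audience, subject, key pair, and five-minute freshness window are constructed assumptions; the event type URI comes from the OpenID CAEP specification.

```javascript
// Added example, not Okta code: receiver-side checks on a Security Event Token (RFC 8417).
const nodeCrypto = require("node:crypto");
const CAEP = "https://schemas.openid.net/secevent/caep/event-type/";
const b64u = (s) => Buffer.from(s).toString("base64url");
const fail = (reason) => ({ ok: false, reason });

// Constructed provider key pair. A real receiver takes the public key from the provider's JWKS.
const provider = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Demo-only transmitter side, so the receiver below has a signed token to check.
function signSet(claims, key = provider.privateKey) {
  const head = b64u(JSON.stringify({ alg: "RS256", typ: "secevent+jwt" }));
  const input = head + "." + b64u(JSON.stringify(claims));
  return input + "." + nodeCrypto.sign("sha256", Buffer.from(input), key).toString("base64url");
}

const seenJti = new Set(); // replay cache (in production: a shared store with expiry)

function validateSet(token, { issuer, audience, maxAgeSec = 300, now = Date.now() / 1000 }) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) return fail("malformed");
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url"));
    claims = JSON.parse(Buffer.from(p, "base64url"));
  } catch { return fail("malformed"); }
  // Pin the algorithm and explicit type, then verify the signature before trusting any claim.
  if (header?.alg !== "RS256" || header?.typ !== "secevent+jwt") return fail("bad_header");
  const sig = Buffer.from(s, "base64url");
  if (!nodeCrypto.verify("sha256", Buffer.from(h + "." + p), provider.publicKey, sig)) return fail("bad_signature");
  if (claims?.iss !== issuer) return fail("bad_issuer");
  if (![].concat(claims.aud).includes(audience)) return fail("bad_audience");
  // The freshness window is a local policy choice (assumption), not mandated by the RFC.
  if (typeof claims.iat !== "number" || Math.abs(now - claims.iat) > maxAgeSec) return fail("stale");
  if (typeof claims.jti !== "string" || seenJti.has(claims.jti)) return fail("replay");
  const types = Object.keys(claims.events || {});
  if (types.length === 0) return fail("no_events"); // a signed JWT without events is not a SET
  seenJti.add(claims.jti);
  return { ok: true, types, subject: claims.sub_id };
}

// Constructed sample signal: the provider reports a revoked session for one user.
function demo() {
  const cfg = { issuer: "https://provider.example", audience: "https://receiver.example", now: 1700000000 };
  const token = signSet({ iss: cfg.issuer, aud: cfg.audience, iat: 1700000000, jti: "evt-0001",
    sub_id: { format: "email", email: "user@example.com" },
    events: { [CAEP + "session-revoked"]: { event_timestamp: 1700000000 } } });
  return [validateSet(token, cfg), validateSet(token, cfg)]; // second delivery is a replay
}
console.log(demo());
```

Only a token that passes every check should be allowed to change a user's risk state; the `reason` values give the receiver something concrete to log when a signal is rejected.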

Identity Threat Protection provides an Entity risk policy that enables you to configure automatic actions in response to identified risks. You can customize this policy for different scenarios based on user group, risk level, and risk detections. If Identity Threat Protection uncovers a risk, your entity risk policy can run a delegated flow or terminate the user’s access to apps that are configured for Universal Logout.

There are several ways that you can monitor Identity Threat Protection while it identifies and responds to identity-based security threats:

  • The user risk profile displays a risk level of low, medium, or high based on the user’s login, session, and entity risk detections. It also displays the login, session, and entity risk detections for that user over the last seven days.
  • The Admin Dashboard has widgets for continuous access, entity risk detections, and at-risk users. These widgets provide an overview of your org’s Identity Threat Protection events.
  • The System Log displays the details of all logged Identity Threat Protection events in your org.
  • Detailed reports provide comprehensive information about your org’s risk detections.

This diagram shows how Identity Threat Protection works with Okta ThreatInsight to continuously strengthen your org’s risk and security ecosystem.


Identity Threat Protection provides orgs with these important security features:

  • Continuous Access and risk evaluation: Identity Threat Protection continuously evaluates your global session, authentication, and entity risk policies to identify risks that occur during an active session, and not just when users sign in. The Shared Signals Framework (SSF) enables continuous access monitoring even when the user isn't interacting with Okta.
  • Diverse risk signals: Identity Threat Protection evaluates risk signals that Okta identifies and signals that your security providers identify. Orgs can analyze risk signals from multiple sources to increase their protection against identity threats. By using security providers, you can choose the best options for your unique security needs.
  • Automated threat remediation: Identity Threat Protection continuously assesses policy criteria to drive actions like terminating a session or prompting users for MFA. It can also initiate flexible Workflows to impose read-only access based on changes in identity, device context, or entity risk, or launch an incident management process to quarantine the user, device, or app.
  • Universal Logout: You can instantly terminate sessions across all supported apps and devices, ensuring comprehensive security during threats or employee lifecycle management.
  • User risk insights: Dashboard widgets, entity risk levels, and reports allow you to view your org’s overall security landscape at a glance.