Push notification Number Challenge verifies that a sign-in attempt to an application protected by Okta came from the intended user and not from an unauthorized person. When Number Challenge is triggered, a number in the Sign-In Widget is presented, and a notification is pushed to Okta Verify on the user's mobile device. The user selects the number that matches what they see in the Sign-In Widget. If the selection is correct, the user can access the protected app. The number challenge helps prevent phishing by ensuring the user possesses Okta Verify and the device initiating the sign-in attempt.
There are three settings for when Number Challenge is used:
- Never: Users do not receive a number challenge regardless of the risk level of the authentication attempt.
  - The only exception is the Self-Service Password Recovery flow, where a Number Challenge is required for security reasons.
- Only for high-risk sign-in attempts: Users receive a number challenge only if the sign-in attempt is assessed as high risk. Admins must configure sign-on policy rules for this setting.
- All push challenges: Users receive a number challenge with all Okta Verify push notifications regardless of the risk level.
Number Challenges are triggered based on Okta's Risk Scoring. Risk Scoring uses a data-driven risk engine to determine whether a sign-in event is likely to represent malicious activity. Okta assigns a risk level to each sign-in attempt by evaluating information such as:
- The IP address used to make the sign-in request.
- Behavioral information about the user who made the sign-in request.
- Previous successful and failed sign-in attempts.
- Routing information associated with the request.
NOTE: The score calculation that occurs in Risk Scoring is proprietary functionality, which is intentionally omitted from public documentation.
Behavior Information refers to Behavior Detection, which analyzes user behavior patterns and creates profiles of typical patterns based on previous activity. This information enables administrators to configure sign-on policy rules that respond to changes in user behavior.
Behavior Detection criteria:
- Location behavior
  - Location Behavior Detection tracks the end user's geographical location at sign-on time.
- IP behavior
  - IP behavior tracks the IP addresses used in previous login attempts.
- Device behavior
  - Device behavior tracks changes in the end user's device at login time.
- Velocity behavior
  - Velocity behavior evaluates the change in the end user's geographical location between two subsequent login attempts.
What is the difference between behavior and risk-based authentication?
Risk-based authentication automatically evaluates risk using multiple features, such as IP address, device, and behaviors, for each user attempting to access the network. Risk and behavior can both be used on the same policy. Risk-based authentication allows admins to aggregate risk over several behaviors without needing specific behavior configuration.
Behavior Detection enables administrators to configure policies that track specific behaviors and define an action to take if an end user's tracked behavior changes. For example, an administrator can define an action to take when a user tries to authenticate from an IP address that this specific user has never used before. This feature gives administrators the flexibility to decide which behaviors to add to a policy.
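To make the Behavior Detection criteria above and the three Number Challenge settings concrete, here is an added illustrative model (not Okta's code, and not its proprietary risk score): it builds a simple profile from a user's constructed sign-in history, reports which of the four tracked behaviors (IP, device, location, velocity) changed for a new attempt, and applies the Never / Only for high-risk / All push challenges settings. The 900 km/h velocity threshold, the 0.1-degree location rounding and the rule that any changed behavior counts as high risk are assumptions for the example.

```python
import math
from datetime import datetime

# Constructed sign-in history for one user (sample data, not real records).
HISTORY = [
    {"ts": "2024-03-01T09:00:00", "ip": "203.0.113.5", "device": "dev-A", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-02T09:05:00", "ip": "203.0.113.5", "device": "dev-A", "lat": 51.50, "lon": -0.12},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def changed_behaviors(history, attempt, max_kmh=900.0):
    """Return the set of tracked behaviors (ip, device, location, velocity) that differ
    from the profile built from `history`. max_kmh is an assumed threshold: moving faster
    than an airliner between two logins is flagged as a velocity anomaly."""
    changed = set()
    if attempt["ip"] not in {e["ip"] for e in history}:
        changed.add("ip")
    if attempt["device"] not in {e["device"] for e in history}:
        changed.add("device")
    # Location profile is coarse (0.1 degree, roughly 11 km) so small jitter is not a new location.
    known = {(round(e["lat"], 1), round(e["lon"], 1)) for e in history}
    if (round(attempt["lat"], 1), round(attempt["lon"], 1)) not in known:
        changed.add("location")
    last = history[-1]
    hours = (datetime.fromisoformat(attempt["ts"]) - datetime.fromisoformat(last["ts"])).total_seconds() / 3600
    dist = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
    if dist > 1.0 and (hours <= 0 or dist / hours > max_kmh):
        changed.add("velocity")
    return changed

def number_challenge_required(setting, changed, password_recovery=False):
    """Apply the three Number Challenge settings from the article. For 'high_risk' this
    assumes the sign-on policy treats any changed behavior as a high-risk attempt."""
    if password_recovery:          # Self-Service Password Recovery always requires it
        return True
    if setting == "never":
        return False
    if setting == "all":
        return True
    if setting == "high_risk":
        return bool(changed)
    raise ValueError(f"unknown setting: {setting}")

if __name__ == "__main__":
    attempt = {"ts": "2024-03-02T15:05:00", "ip": "198.51.100.9", "device": "dev-A", "lat": 35.68, "lon": 139.69}
    flagged = changed_behaviors(HISTORY, attempt)
    print(sorted(flagged), number_challenge_required("high_risk", flagged))
```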
Related References
- Risk-Based Authentication: What You Need to Consider
- Security Features (Section "Context-based authentication")
- Behavior Detection and risk evaluation FAQ
- Behavior Detection
- Risk Scoring
