
xno3x (xno3x) asked a question.
I am looking for more insight as to how the Risk Engine formulates the Low/Medium/High values assigned during user login. I have reviewed information on what types of information the Risk Engine uses during the evaluation, but I have not seen anything on what determines a user as low vs. medium vs. high risk.
It would be helpful to know what internal thresholds are used and if it gives any consideration to the admin-configurable behavior settings. Does the Risk Engine use all historical context, or a certain amount? Also, when a user's behavior context is reset, does this reset what the Risk Engine uses?
Thanks in advance for any thoughts and/or guidance regarding the Risk Engine's inner workings.

Hi Chris,
Thank you for posting this question to Okta's Community page.
We have a document that discusses the Behavior Analysis located here.
https://help.okta.com/en/prod/Content/Topics/Security/behavior-detection/about-behavior-detection.htm
It contains information on what events are analyzed, how the risk scoring is done, etc. I believe this should provide you with the insight needed regarding this question.
Jim Puder
Okta, Inc
Tier 2 Technical Support Engineer
USER 1
{reasons=Anomalous Device, level=MEDIUM}
{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}
USER 2
{reasons=Anomalous Device, level=HIGH}
{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}
It is easy to see the “New Device=POSITIVE” triggers the anomaly for both users, but what would cause the Risk Engine to assign different risk levels for the same anomaly?
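For anyone triaging these entries at scale, the following is an added example (not Okta's code and not from anyone in this thread) that parses the two brace-delimited strings quoted above, keeps only logins at or above a chosen risk level, and surfaces exactly the situation the post describes: users whose positive behavior signals are identical but whose assigned level differs. The sample events are constructed from the two users in the post; the `{key=value, ...}` rendering is assumed to match what the System Log shows, and the `reasons` value is kept as a raw string because the separator for multiple reasons is not shown on the page.

```python
"""Triage Okta System Log risk/behavior strings of the shape quoted in the thread.

Assumptions: the risk map and behavior map are rendered as flat
'{key=value, key=value}' strings, as in the post. Nothing here calls an
Okta API; it works on text already pulled from the log.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample input modelled on the two users quoted in the post.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("USER 1",
     "{reasons=Anomalous Device, level=MEDIUM}",
     "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, "
     "New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"),
    ("USER 2",
     "{reasons=Anomalous Device, level=HIGH}",
     "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, "
     "New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"),
]

# Ordering used for the "at or above" threshold filter.
LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def parse_brace_map(text: str) -> Dict[str, str]:
    """Turn '{a=b, c=d}' into {'a': 'b', 'c': 'd'}; keys may contain spaces/hyphens."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"expected a brace-delimited map, got: {text!r}")
    body = body[1:-1].strip()
    result: Dict[str, str] = {}
    if not body:
        return result
    for pair in body.split(","):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed key=value pair: {pair!r}")
        result[key.strip()] = value.strip()
    return result


def positive_behaviors(behaviors: Dict[str, str]) -> List[str]:
    """Names of the behavior signals that fired (value POSITIVE), sorted for stable grouping."""
    return sorted(k for k, v in behaviors.items() if v.upper() == "POSITIVE")


def triage(events: Sequence[Tuple[str, str, str]], min_level: str = "MEDIUM") -> List[dict]:
    """One summary per login whose risk level is at or above min_level.

    Each event is (user, risk_map_text, behavior_map_text). Unknown levels are
    treated as below every threshold so they are never silently escalated.
    """
    threshold = LEVEL_ORDER[min_level.upper()]
    summaries = []
    for user, risk_text, behavior_text in events:
        risk = parse_brace_map(risk_text)
        behaviors = parse_brace_map(behavior_text)
        level = risk.get("level", "").upper()
        if LEVEL_ORDER.get(level, -1) < threshold:
            continue
        summaries.append({
            "user": user,
            "level": level,
            "reasons": risk.get("reasons", ""),   # raw; separator for multiple reasons not known
            "positive": positive_behaviors(behaviors),
        })
    return summaries


def same_signals_different_level(summaries: Sequence[dict]) -> Dict[Tuple[str, ...], List[str]]:
    """Group logins by their set of positive signals; keep groups that span more than one level.

    These are the cases worth a closer look: identical visible behavior
    evidence, different Risk Engine outcome.
    """
    groups: Dict[Tuple[str, ...], set] = {}
    for s in summaries:
        groups.setdefault(tuple(s["positive"]), set()).add(s["level"])
    return {
        signals: sorted(levels, key=LEVEL_ORDER.__getitem__)
        for signals, levels in groups.items()
        if len(levels) > 1
    }


if __name__ == "__main__":
    flagged = triage(SAMPLE_EVENTS, "MEDIUM")
    for s in flagged:
        print(f"{s['user']}: level={s['level']} reasons={s['reasons']} positive={s['positive']}")
    print("same signals, different level:", same_signals_different_level(flagged))
```

Running this over the two quoted users lists both (MEDIUM and HIGH), shows `New Device` as the only positive signal for each, and reports one group, `('New Device',)`, spanning both levels. That output is the list to take to support when asking why the same anomaly produced different scores; it does not, by itself, reveal the engine's thresholds.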