I have a few questions about how to maximize the chances an anomalous login will be challenged.
- How is the policy evaluated if multiple behaviors are assigned to a single rule? Is the rule matched if any behavior is matched? Or does it require all behaviors to be matched?
- How does the risk level setting interact with the Risk level, precisely?
2.a. If Okta assigns a Risk level of “Medium” to a sign-on request, does that match a rule with “AND Risk is High"?
2.b Vice-versa, if Okta assigns a Risk level of “Medium” to a sign-on request, does that match a rule with “AND Risk is Medium"?
- What is the best way to blend geo-location heuristics and risk-based heuristics for maximum protection?
3.a. If we set a rule with a behavior detection (e.g. Velocity detection) and risk score “AND Risk is High", what happens if an incoming request exceeds the configured velocity but Okta scores it “Medium” risk?
My reading of the docs, this login would not be challenged by this rule, is that accurate?
3.b. Would separate rules for each desired behavior with “AND Risk is Any”, followed by a fall-through rule with no configured behavior but “Risk is High” match more incoming requests than setting the “Risk is High” on each rule?