New IP Behavior Detection

I am testing the ability to trigger MFA when authenticating from a new IP address and cannot seem to trigger it with a new IP. Any help in directing me how to ensure this is triggered would be appreciated.


Set up a Behavior for New IP.

Set up a Sign On Policy with the following:

  1. IP is Anywhere
  2. Authenticates via Any
  3. Behavior is New IP
  4. Risk is Any
  5. Access is Allowed
    a. Prompt for Factor Enabled
    b. Per Device

Set up a network zone with my machine’s external IP as a Gateway IP within Security → Networks.

I’m using the Okta.Auth.Sdk client to call AuthenticateAsync with the following AuthenticateOptions:
Password = userPwd
Username = Okta Profile Login
XForwardedFor = the IP of my personal PC
DeviceToken = a GUID

I am able to successfully authenticate with MFA the first time through. However, when I change the XForwardedFor to another IP with all other properties unchanged, MFA is not triggered. My expectation is that it would be. What may I be missing?

Can you open a Support case for further assistance? You can either create one in the Help Center or email