# Risk Detection Signals

### Scope <a href="#scope" id="scope"></a>

This document describes the **risk detection signals** used to evaluate login attempts for **Business Accounts**.

Risk detection signals are used to determine whether a login attempt should:

* Be allowed normally
* Require step-up authentication
* Be blocked entirely

These signals operate as part of **Enforced Security Policies**.

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you want to understand *why* a user is asked to perform additional authentication, start here.

Risk detection signals explain **what the system looks at** when deciding whether a login attempt is risky.

***

### Purpose <a href="#purpose" id="purpose"></a>

Risk detection signals enable the system to:

* Detect suspicious or abnormal login behavior
* Reduce account takeover risk
* Apply stronger authentication only when necessary
* Balance security with user experience

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before risk detection can be applied:

* The organization must have **Enforced Security Policies** enabled
* Users must sign in through the organization-managed identity provider
* Login context data (IP, device, location) must be available

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

***

### 1. Categories of Risk Detection Signals <a href="#id-1.-categories-of-risk-detection-signals" id="id-1.-categories-of-risk-detection-signals"></a>

Risk signals are grouped into the following categories:

```
Risk Detection Signals
├── IP-Based Signals
├── Location-Based Signals
├── Device-Based Signals
├── Behavior-Based Signals
└── Policy Context Signals
```

***

### 2. IP-Based Signals <a href="#id-2.-ip-based-signals" id="id-2.-ip-based-signals"></a>

#### Description <a href="#description" id="description"></a>

Evaluate whether the source IP address is suspicious or unusual.

#### Examples <a href="#examples" id="examples"></a>

* New IP address not previously associated with the user
* IP outside of trusted IP ranges
* IP address on denylist or known malicious range
* Rapid IP changes during a single session

#### Risk Impact <a href="#risk-impact" id="risk-impact"></a>

* Medium to High risk
* May trigger MFA or access denial
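
The four IP checks listed above can be sketched as follows. This is an added example, not the product's own code: the function names, signal names, address ranges, session limit and the signal-to-level mapping are all assumptions made for illustration. It also unwraps IPv4-mapped IPv6 addresses so that they are compared against IPv4 ranges.

```python
import ipaddress

# Constructed policy data (documentation address ranges, not real policy).
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
DENYLIST = [ipaddress.ip_network("203.0.113.0/25")]
MAX_IPS_PER_SESSION = 2  # assumed limit before "rapid IP change" fires


def parse_ip(text):
    """Parse an address; unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d matches IPv4 ranges."""
    addr = ipaddress.ip_address(text.strip())
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6 addresses have this
    return mapped if mapped is not None else addr


def ip_signals(ip, known_ips, session_ips):
    """Return (signals, risk_level) for the source IP of one login attempt."""
    addr = parse_ip(ip)
    signals = []
    if any(addr in net for net in DENYLIST):
        signals.append("denylisted_ip")
    if not any(addr in net for net in TRUSTED_RANGES):
        signals.append("outside_trusted_range")
    if addr not in {parse_ip(k) for k in known_ips}:
        signals.append("new_ip")
    # Count distinct addresses seen in this session, including the current one.
    if len({parse_ip(s) for s in session_ips} | {addr}) > MAX_IPS_PER_SESSION:
        signals.append("rapid_ip_change")
    # Assumed mapping: a denylist hit is High, any other signal is Medium.
    if "denylisted_ip" in signals:
        level = "High"
    elif signals:
        level = "Medium"
    else:
        level = "Low"
    return signals, level
```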

***

### 3. Location-Based Signals <a href="#id-3.-location-based-signals" id="id-3.-location-based-signals"></a>

#### Description <a href="#description.1" id="description.1"></a>

Detect abnormal geographic login behavior.

#### Examples <a href="#examples.1" id="examples.1"></a>

* Login from a new country or region
* Impossible travel scenarios (rapid country changes)
* Location inconsistent with organization policies

#### Risk Impact <a href="#risk-impact.1" id="risk-impact.1"></a>

* Medium to High risk
* May trigger step-up authentication
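
One way to detect the impossible travel case listed above, shown as an added example rather than the product's own logic. The `Login` record, the 900 km/h speed ceiling and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float

def distance_km(a, b):
    """Great-circle (haversine) distance between two login locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (previous, current, km/h) for each per-user country change faster than the limit."""
    findings = []
    last = {}  # most recent login seen for each user
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None or prev.country == ev.country:
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600
        # Two countries at the same timestamp is always impossible.
        speed = float("inf") if hours == 0 else distance_km(prev, ev) / hours
        if speed > max_speed_kmh:
            findings.append((prev, ev, speed))
    return findings

# Constructed sample events (not real data).
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 8, 0), "VN", 21.03, 105.85),  # Hanoi
    Login("alice", datetime(2024, 5, 1, 9, 0), "DE", 52.52, 13.40),   # Berlin, 1 h later
    Login("bob", datetime(2024, 5, 1, 8, 0), "FR", 48.86, 2.35),      # Paris
    Login("bob", datetime(2024, 5, 2, 8, 0), "US", 40.71, -74.01),    # New York, 24 h later
]
```

With the sample data, only the Hanoi to Berlin pair is reported; the Paris to New York pair is a plausible flight and is not.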

***

### 4. Device-Based Signals <a href="#id-4.-device-based-signals" id="id-4.-device-based-signals"></a>

#### Description <a href="#description.2" id="description.2"></a>

Evaluate whether the login device is trusted or recognized.

#### Examples <a href="#examples.2" id="examples.2"></a>

* New or unrecognized device
* Device fingerprint mismatch
* Unsupported or restricted platform
* Browser or OS changes

#### Risk Impact <a href="#risk-impact.2" id="risk-impact.2"></a>

* Medium risk
* Often triggers MFA challenge

***

### 5. Behavior-Based Signals <a href="#id-5.-behavior-based-signals" id="id-5.-behavior-based-signals"></a>

#### Description <a href="#description.3" id="description.3"></a>

Analyze user login behavior patterns.

#### Examples <a href="#examples.3" id="examples.3"></a>

* Unusual login time
* Multiple failed login attempts
* Abnormal login frequency
* Automated or scripted behavior patterns

#### Risk Impact <a href="#risk-impact.3" id="risk-impact.3"></a>

* Medium to High risk
* May result in MFA enforcement or temporary blocking

***

### 6. Policy Context Signals <a href="#id-6.-policy-context-signals" id="id-6.-policy-context-signals"></a>

#### Description <a href="#description.4" id="description.4"></a>

Apply organizational context and policy configuration.

#### Examples <a href="#examples.4" id="examples.4"></a>

* User role requires stronger authentication
* Workspace-specific security rules
* Elevated access or sensitive resource access
* Compliance-driven enforcement

#### Risk Impact <a href="#risk-impact.4" id="risk-impact.4"></a>

* Medium to High risk
* May enforce stronger MFA methods

***

### 7. Risk Evaluation Outcome <a href="#id-7.-risk-evaluation-outcome" id="id-7.-risk-evaluation-outcome"></a>

Each login attempt is evaluated in real time.

| **Risk Level** | **Outcome**                  |
| -------------- | ---------------------------- |
| Low            | Standard authentication      |
| Medium         | Step-up authentication (MFA) |
| High           | Strong MFA or access blocked |

> Risk thresholds are configurable at the organization level.

***

### 8. User Transparency and Experience <a href="#id-8.-user-transparency-and-experience" id="id-8.-user-transparency-and-experience"></a>

* Users are guided clearly when additional verification is required
* Risk-based challenges are contextual and non-intrusive
* Legitimate users can proceed after successful verification

