> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/business-owner-default-authority/security-and-governance/enforcing-stronger-authentication-for-risky-login-behavior/risk-detection-signals.md).

# Risk Detection signals

### Scope <a href="#scope" id="scope"></a>

This document describes the **risk detection signals** used to evaluate login attempts for **Business Accounts**.

Risk detection signals are used to determine whether a login attempt should:

* Be allowed normally
* Require step-up authentication
* Be blocked entirely

These signals operate as part of **Enforced Security Policies**.

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you want to understand *why* a user is asked to perform additional authentication, start here.

Risk detection signals explain **what the system looks at** when deciding whether a login attempt is risky.

***

### Purpose <a href="#purpose" id="purpose"></a>

Risk detection signals enable the system to:

* Detect suspicious or abnormal login behavior
* Reduce account takeover risk
* Apply stronger authentication only when necessary
* Balance security with user experience

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before risk detection can be applied:

* The organization must have **Enforced Security Policies** enabled
* Users must sign in through the organization-managed identity provider
* Login context data (IP, device, location) must be available

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

***

### 1. Categories of Risk Detection Signals <a href="#id-1.-categories-of-risk-detection-signals" id="id-1.-categories-of-risk-detection-signals"></a>

Risk signals are grouped into the following categories:

`Risk Detection Signals ├── IP-Based Signals ├── Location-Based Signals ├── Device-Based Signals ├── Behavior-Based Signals └── Policy Context Signals`

***

### 2. IP-Based Signals <a href="#id-2.-ip-based-signals" id="id-2.-ip-based-signals"></a>

#### Description <a href="#description" id="description"></a>

Evaluate whether the source IP address is suspicious or unusual.

#### Examples <a href="#examples" id="examples"></a>

* New IP address not previously associated with the user
* IP outside of trusted IP ranges
* IP address on denylist or known malicious range
* Rapid IP changes during a single session

#### Risk Impact <a href="#risk-impact" id="risk-impact"></a>

* Medium to High risk
* May trigger MFA or access denial

***

### 3. Location-Based Signals <a href="#id-3.-location-based-signals" id="id-3.-location-based-signals"></a>

#### Description <a href="#description.1" id="description.1"></a>

Detect abnormal geographic login behavior.

#### Examples <a href="#examples.1" id="examples.1"></a>

* Login from a new country or region
* Impossible travel scenarios (rapid country changes)
* Location inconsistent with organization policies

#### Risk Impact <a href="#risk-impact.1" id="risk-impact.1"></a>

* Medium to High risk
* May trigger step-up authentication

***

### 4. Device-Based Signals <a href="#id-4.-device-based-signals" id="id-4.-device-based-signals"></a>

#### Description <a href="#description.2" id="description.2"></a>

Evaluate whether the login device is trusted or recognized.

#### Examples <a href="#examples.2" id="examples.2"></a>

* New or unrecognized device
* Device fingerprint mismatch
* Unsupported or restricted platform
* Browser or OS changes

#### Risk Impact <a href="#risk-impact.2" id="risk-impact.2"></a>

* Medium risk
* Often triggers MFA challenge

***

### 5. Behavior-Based Signals <a href="#id-5.-behavior-based-signals" id="id-5.-behavior-based-signals"></a>

#### Description <a href="#description.3" id="description.3"></a>

Analyze user login behavior patterns.

#### Examples <a href="#examples.3" id="examples.3"></a>

* Unusual login time
* Multiple failed login attempts
* Abnormal login frequency
* Automated or scripted behavior patterns

#### Risk Impact <a href="#risk-impact.3" id="risk-impact.3"></a>

* Medium to High risk
* May result in MFA enforcement or temporary blocking

***

### 6. Policy Context Signals <a href="#id-6.-policy-context-signals" id="id-6.-policy-context-signals"></a>

#### Description <a href="#description.4" id="description.4"></a>

Apply organizational context and policy configuration.

#### Examples <a href="#examples.4" id="examples.4"></a>

* User role requires stronger authentication
* Workspace-specific security rules
* Elevated access or sensitive resource access
* Compliance-driven enforcement

#### Risk Impact <a href="#risk-impact.4" id="risk-impact.4"></a>

* Medium to High risk
* May enforce stronger MFA methods

***

### 7. Risk Evaluation Outcome <a href="#id-7.-risk-evaluation-outcome" id="id-7.-risk-evaluation-outcome"></a>

Each login attempt is evaluated in real time.

| **Risk Level** | **Outcome** |
| -------------- | ----------- |

| **Risk Level** | **Outcome**                  |
| -------------- | ---------------------------- |
| Low            | Standard authentication      |
| Medium         | Step-up authentication (MFA) |
| High           | Strong MFA or access blocked |

> Risk thresholds are configurable at the organization level.

***

### 8. User Transparency and Experience <a href="#id-8.-user-transparency-and-experience" id="id-8.-user-transparency-and-experience"></a>

* Users are guided clearly when additional verification is required
* Risk-based challenges are contextual and non-intrusive
* Legitimate users can proceed after successful verification
