Which type of authentication is typically NOT used for behavior detection in MFA?

Security tokens are typically used as a form of verification within the context of multi-factor authentication (MFA), but they do not play a role in behavior detection. Behavior detection in MFA relies on various factors that help assess the user's behavior and the context of the authentication attempt.

IP address, for example, is commonly used in behavior detection because it can identify the geographic location of the user and highlight any discrepancies between usual login patterns and current attempts. Device recognition also functions similarly; it analyzes the device being used to determine whether it's a trusted device or a potentially risky one. Geolocation takes this a step further by providing information about the physical location of the user at the time of authentication, adding an additional layer of context for assessing risk.

Security tokens, meanwhile, are generally static pieces of information—such as a password or a one-time code—that confirm a user's identity. They do not adapt to or monitor the user's behavior or the context of their logins, which is essential in behavior detection. Therefore, security tokens are not utilized for behavior detection in MFA, highlighting why this option stands out in the context of the question.