Okta Authentication Failed During MFA Challenge
Detection of failed authentication attempts during Okta MFA challenges, potentially indicating compromised credentials and attempts to bypass MFA.
This analytic focuses on identifying failed authentication attempts specifically during the Multi-Factor Authentication (MFA) challenge within an Okta environment. The detection mechanism analyzes Okta logs for events characterized by the user.authentication.auth_via_mfa signature, coupled with a failure action. This pattern is indicative of potential unauthorized access attempts where an attacker, possibly using compromised credentials, is encountering MFA as an obstacle. While not definitive proof of malicious activity, repeated or geographically diverse failures warrant further investigation. This detection is crucial for organizations relying on Okta for identity management, as it provides an early warning sign of potential account compromise and MFA bypass attempts. The relevant logs are expected to be ingested via the Splunk Add-on for Okta Identity Cloud.
Attack Chain
- Attacker gains access to valid credentials through phishing, credential stuffing, or other means (not directly observed in the logs).
- Attacker attempts to log into an Okta-protected application or service using the compromised credentials.
- Okta prompts the user for MFA as part of the authentication process.
- The attacker fails to provide valid MFA credentials. This failure is logged in the Okta logs with signature
user.authentication.auth_via_mfaand actionfailure. - The system records the failure event, including the source IP address and user account.
- The attacker may attempt multiple MFA bypass techniques (e.g., push bombing, SIM swapping) which could generate additional failed authentication events.
- If successful in bypassing MFA (not covered by this detection), the attacker gains unauthorized access to the application or service.
Impact
A successful MFA bypass can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the organization's network, and potentially ransomware deployment or data exfiltration. The number of victims and the specific sectors targeted depend on the attacker's objectives and the compromised account's privileges. Even unsuccessful attempts can indicate a broader credential compromise issue that needs investigation.
Recommendation
- Deploy the Sigma rule
Okta Failed MFA Authenticationto your SIEM and tune it to your environment to detect failed MFA attempts. - Investigate any alerts generated by the Sigma rule, focusing on users with multiple failed attempts or unusual source IP addresses.
- Monitor risk events for affected users using the "View risk events for the last 7 days" drilldown search.
- Use the Splunk Add-on for Okta Identity Cloud (referenced in the references section) to ensure proper ingestion of Okta logs.
Detection coverage 2
Okta Failed MFA Authentication
mediumDetects failed Okta authentication attempts during the MFA challenge.
Okta Failed MFA Authentication - Multiple Failures from Single IP
highDetects multiple failed Okta MFA attempts from the same source IP within a short timeframe.
Detection queries are available on the platform. Get full rules →