Skip to content
Threat Feed
medium advisory

Okta Authentication Failed During MFA Challenge

Detection of failed authentication attempts during Okta MFA challenges, potentially indicating compromised credentials and attempts to bypass MFA.

This analytic focuses on identifying failed authentication attempts specifically during the Multi-Factor Authentication (MFA) challenge within an Okta environment. The detection mechanism analyzes Okta logs for events characterized by the user.authentication.auth_via_mfa signature, coupled with a failure action. This pattern is indicative of potential unauthorized access attempts where an attacker, possibly using compromised credentials, is encountering MFA as an obstacle. While not definitive proof of malicious activity, repeated or geographically diverse failures warrant further investigation. This detection is crucial for organizations relying on Okta for identity management, as it provides an early warning sign of potential account compromise and MFA bypass attempts. The relevant logs are expected to be ingested via the Splunk Add-on for Okta Identity Cloud.

Attack Chain

  1. Attacker gains access to valid credentials through phishing, credential stuffing, or other means (not directly observed in the logs).
  2. Attacker attempts to log into an Okta-protected application or service using the compromised credentials.
  3. Okta prompts the user for MFA as part of the authentication process.
  4. The attacker fails to provide valid MFA credentials. This failure is logged in the Okta logs with signature user.authentication.auth_via_mfa and action failure.
  5. The system records the failure event, including the source IP address and user account.
  6. The attacker may attempt multiple MFA bypass techniques (e.g., push bombing, SIM swapping) which could generate additional failed authentication events.
  7. If successful in bypassing MFA (not covered by this detection), the attacker gains unauthorized access to the application or service.

Impact

A successful MFA bypass can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the organization's network, and potentially ransomware deployment or data exfiltration. The number of victims and the specific sectors targeted depend on the attacker's objectives and the compromised account's privileges. Even unsuccessful attempts can indicate a broader credential compromise issue that needs investigation.

Recommendation

  • Deploy the Sigma rule Okta Failed MFA Authentication to your SIEM and tune it to your environment to detect failed MFA attempts.
  • Investigate any alerts generated by the Sigma rule, focusing on users with multiple failed attempts or unusual source IP addresses.
  • Monitor risk events for affected users using the "View risk events for the last 7 days" drilldown search.
  • Use the Splunk Add-on for Okta Identity Cloud (referenced in the references section) to ensure proper ingestion of Okta logs.

Detection coverage 2

Okta Failed MFA Authentication

medium

Detects failed Okta authentication attempts during the MFA challenge.

sigma tactics: credential_access techniques: T1078.004 sources: webserver, linux

Okta Failed MFA Authentication - Multiple Failures from Single IP

high

Detects multiple failed Okta MFA attempts from the same source IP within a short timeframe.

sigma tactics: credential_access techniques: T1078.004 sources: webserver, linux

Detection queries are available on the platform. Get full rules →