Okta MFA bypass attempt detected
Description
AlphaSOC detected an attempt to bypass multi-factor authentication (MFA) in Okta. This detection identifies activities where users or threat actors attempt to circumvent the required second authentication factor, potentially indicating unauthorized access attempts to protected resources.
Impact
A successful MFA bypass allows adversaries to authenticate as the targeted user without completing the second authentication factor, gaining access to applications and data available to that account. This access enables threat actors to impersonate legitimate users and access protected resources, potentially facilitating further malicious activities depending on the compromised account's permissions.
Severity
| Severity | Condition |
|---|---|
| Medium | Okta MFA bypass attempt detected |
Investigation and Remediation
Review the Okta System Log to gather details about the event, including the affected user account and source IP address. Monitor the user account for other suspicious activities. If compromise is confirmed, immediately revoke active sessions, reset MFA configuration and credentials for the affected account, and require re-enrollment of MFA devices.
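One way to pull those details out of an exported System Log, as an added example that is not AlphaSOC's or Okta's own code. It assumes the bypass attempt is logged under the Okta event type `user.mfa.attempt_bypass` (the page does not name the event type); the function name `triage`, the one-hour window and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the bypass attempt is logged under this Okta event type.
BYPASS_EVENT = "user.mfa.attempt_bypass"

def _ev(ts, event_type, user, ip):
    """Build a constructed event carrying the System Log fields used below."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed sample events (documentation IP ranges, not real data).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:50:00.000Z", "user.session.start", "alice@example.com", "198.51.100.20"),
    _ev("2024-05-01T10:00:00.000Z", BYPASS_EVENT, "alice@example.com", "203.0.113.7"),
    _ev("2024-05-01T10:20:00.000Z", "user.mfa.factor.deactivate", "alice@example.com", "203.0.113.7"),
    _ev("2024-05-01T14:00:00.000Z", "user.session.start", "alice@example.com", "198.51.100.20"),
    _ev("2024-05-01T10:05:00.000Z", "user.session.start", "bob@example.com", "198.51.100.44"),
]

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def _ip(event):
    return (event.get("client") or {}).get("ipAddress")

def triage(events, window=timedelta(hours=1)):
    """Per bypass attempt: affected user, source IP, and that user's
    other events (and other source IPs) within `window` of the attempt."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[(e.get("actor") or {}).get("alternateId")].append(e)
    findings = []
    for user, evs in by_user.items():
        for hit in evs:
            if hit.get("eventType") != BYPASS_EVENT:
                continue
            near = [e for e in evs if e is not hit and abs(_ts(e) - _ts(hit)) <= window]
            findings.append({
                "user": user,
                "time": hit["published"],
                "source_ip": _ip(hit),
                "related_events": [e.get("eventType") for e in near],
                "other_ips": sorted({_ip(e) for e in near} - {_ip(hit), None}),
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A factor change or a new session from the same source IP shortly after the attempt is the kind of follow-on activity that supports revoking sessions and requiring MFA re-enrollment.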