
Okta MFA challenge without MFA app

ID: okta_mfa_challenge_without_mfa_app
Data type: Okta
Severity: Informational
MITRE ATT&CK: TA0003:T1556.006

Description

AlphaSOC detected an Okta multi-factor authentication (MFA) challenge sent to a user who doesn't have a registered MFA application. The authentication attempt was made for an account that lacks the necessary secondary authentication method, which may indicate credential usage by an unauthorized party or a legitimate user who hasn't completed their MFA setup.

Impact

When credentials are used without a properly registered MFA application, there is a security gap in the authentication process. While the MFA challenge itself prevents immediate access, this situation requires investigation as it could represent an unauthorized access attempt using stolen credentials. If MFA can be bypassed or is not properly enforced, an adversary could potentially access resources protected by Okta single sign-on (SSO).

Severity

Severity: Informational
Condition: Okta MFA challenge without an MFA application

Investigation and Remediation

Identify the affected user account and examine recent authentication patterns in the Okta logs. Determine whether this is a legitimate user who needs to complete MFA setup or a potential security incident. If suspicious activity is detected, consider temporarily locking the account while investigating. Ensure the legitimate user completes proper MFA device registration. Review Okta system logs for any related suspicious activities from the same source. Consider implementing policies that require MFA app registration as part of the onboarding process before granting full system access.
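
One way to carry out the log review described above, as an added example that is not AlphaSOC's detection logic or part of the original page. It assumes Okta System Log events loaded as dicts; the choice of event types (`user.session.start`, `user.mfa.factor.activate`, `user.authentication.auth_via_mfa`), the `ev` and `triage` helpers, and the decision heuristic are assumptions, and the sample events are constructed.

```python
def ev(ts, etype, user, ip, result):
    """Build a constructed event using Okta System Log field names."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "outcome": {"result": result}}

# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_EVENTS = [
    ev("2024-05-01T08:00:00.000Z", "user.session.start", "alice@example.com", "198.51.100.10", "SUCCESS"),
    ev("2024-05-03T02:10:00.000Z", "user.session.start", "bob@example.com", "203.0.113.77", "FAILURE"),
    ev("2024-05-03T02:11:00.000Z", "user.session.start", "carol@example.com", "203.0.113.77", "FAILURE"),
    ev("2024-05-03T02:12:00.000Z", "user.authentication.auth_via_mfa", "alice@example.com", "203.0.113.77", "FAILURE"),
]

def triage(events, user, source_ip, alert_time):
    """Summarise what the log says about the alerted user and source IP."""
    known_ips, other_accounts = set(), set()
    factor_enrolled, failures_from_ip = False, 0
    for e in events:
        actor = e.get("actor", {}).get("alternateId")
        ip = e.get("client", {}).get("ipAddress")
        ok = e.get("outcome", {}).get("result") == "SUCCESS"
        etype = e.get("eventType")
        if actor == user and ok:
            # Same-format ISO 8601 UTC strings sort chronologically.
            if etype == "user.session.start" and e.get("published", "") < alert_time:
                known_ips.add(ip)          # IPs the user logged in from before the alert
            elif etype == "user.mfa.factor.activate":
                factor_enrolled = True     # the user has completed a factor enrollment
        if ip == source_ip:
            if actor and actor != user:
                other_accounts.add(actor)  # related activity from the same source
            if not ok:
                failures_from_ip += 1
    # Assumed heuristic: an unfamiliar source, or one touching other accounts,
    # is handled as a potential incident rather than an onboarding gap.
    suspicious = source_ip not in known_ips or bool(other_accounts)
    return {
        "factor_enrolled": factor_enrolled,
        "source_ip_seen_before": source_ip in known_ips,
        "other_accounts_from_ip": sorted(other_accounts),
        "failures_from_ip": failures_from_ip,
        "next_step": "investigate" if suspicious else "complete_mfa_setup",
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, "alice@example.com", "203.0.113.77", "2024-05-03T02:12:00.000Z"))
```
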