Okta MFA challenge without MFA app
Description
AlphaSOC detected an Okta multi-factor authentication (MFA) challenge sent to a user who doesn't have a registered MFA application. The authentication attempt was made for an account that lacks the necessary secondary authentication method, which may indicate credential usage by an unauthorized party or a legitimate user who hasn't completed their MFA setup.
Impact
When credentials are used without a properly registered MFA application, there is a security gap in the authentication process. While the MFA challenge itself prevents immediate access, this situation requires investigation as it could represent an unauthorized access attempt using stolen credentials. If MFA can be bypassed or is not properly enforced, an adversary could potentially access resources protected by Okta single sign-on (SSO).
Severity
| Severity | Condition |
|---|---|
| Informational | Okta MFA challenge without an MFA application |
Investigation and Remediation
Identify the affected user account and examine recent authentication patterns in the Okta logs. Determine whether this is a legitimate user who needs to complete MFA setup or a potential security incident. If suspicious activity is detected, consider temporarily locking the account while investigating. Ensure the legitimate user completes proper MFA device registration. Review Okta system logs for any related suspicious activities from the same source. Consider implementing policies that require MFA app registration as part of the onboarding process before granting full system access.
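The triage steps above can be scripted over an Okta System Log export. The sketch below is an added example, not AlphaSOC or Okta code. It assumes that `user.authentication.auth_via_mfa` stands in for the challenge, that a `user.mfa.factor.activate` event inside the log window is the evidence of enrollment, and that the escalation rule shown is acceptable; the events and the `ev` and `triage` helpers are constructed for illustration.

```python
from collections import defaultdict

MFA_CHALLENGE = "user.authentication.auth_via_mfa"   # assumed challenge signal
FACTOR_ENROLL = "user.mfa.factor.activate"           # assumed enrollment evidence

def ev(ts, event_type, user, ip, result):
    """Build a constructed event with only the System Log fields used below."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result}}

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_EVENTS = [
    ev("2024-05-01T08:00:00Z", FACTOR_ENROLL, "alice@example.com", "192.0.2.10", "SUCCESS"),
    ev("2024-05-02T09:00:00Z", MFA_CHALLENGE, "alice@example.com", "192.0.2.10", "SUCCESS"),
    ev("2024-05-02T10:00:00Z", MFA_CHALLENGE, "bob@example.com", "203.0.113.7", "FAILURE"),
    ev("2024-05-02T10:01:00Z", "user.session.start", "carol@example.com", "203.0.113.7", "FAILURE"),
    ev("2024-05-02T10:02:00Z", MFA_CHALLENGE, "bob@example.com", "203.0.113.7", "FAILURE"),
    ev("2024-05-02T11:00:00Z", MFA_CHALLENGE, "dave@example.com", "198.51.100.4", "FAILURE"),
]

def triage(events):
    """One finding per user challenged for MFA with no prior enrollment in the window."""
    enrolled, first_challenge, by_ip = set(), {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        user = e["actor"]["alternateId"]
        by_ip[e["client"]["ipAddress"]].append(e)
        if e["eventType"] == FACTOR_ENROLL and e["outcome"]["result"] == "SUCCESS":
            enrolled.add(user)
        elif e["eventType"] == MFA_CHALLENGE and user not in enrolled:
            first_challenge.setdefault(user, e)
    findings = []
    for user, e in first_challenge.items():
        ip = e["client"]["ipAddress"]
        same_source = by_ip[ip]  # every event seen from the challenge's source
        others = sorted({x["actor"]["alternateId"] for x in same_source} - {user})
        failures = sum(x["outcome"]["result"] == "FAILURE" for x in same_source)
        findings.append({
            "user": user, "source_ip": ip, "first_seen": e["published"],
            "other_users_from_source": others, "failures_from_source": failures,
            # Assumed escalation rule: several accounts or repeated failures
            # from one source look less like an unfinished MFA setup.
            "escalate": bool(others) or failures > 1,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

If the log window does not reach back to a user's enrollment, confirm the enrollment state in Okta before treating the account as unenrolled.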