Okta MFA number challenge failed
Description
AlphaSOC detected a failed Okta multi-factor authentication (MFA) number challenge attempt. This occurs when a user enters an incorrect number during the authentication process. While this may result from legitimate user error or confusion, challenge failure could also indicate that an attacker has obtained the user's credentials but does not have access to their trusted device displaying the correct number.
Impact
A failed MFA number challenge may indicate an attempt to compromise a user account. Although the authentication is blocked, number challenge failure may suggest that an adversary has obtained valid credentials. If the threat actor eventually succeeds in bypassing MFA, they could gain unauthorized access to all applications and data available to the compromised account.
Severity
| Severity | Condition |
|---|---|
Informational | Okta MFA number challenge failed |
Investigation and Remediation
Review the Okta System Log to identify the affected user account, IP address, and authentication patterns. Contact the users to confirm whether they initiated the challenge. If unauthorized activity is confirmed, immediately revoke all active sessions, reset the affected credentials, and require MFA device re-enrollment.