
Okta MFA IP mismatch between challenge and verification

ID: okta_mfa_mismatch
Data type: Okta
Severity: Low
MITRE ATT&CK: TA0006:T1621

Description

AlphaSOC detected a mismatch in IP addresses between the Okta multi-factor authentication (MFA) challenge and verification stages. This occurs when a user initiates an MFA challenge from one IP address that exhibits anomalous characteristics, such as an unexpected autonomous system number (ASN) or user agent, but completes the verification from a different IP address. Known proxy services are exempt from this detection to reduce false positives.
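
The pairing logic described above, as an added example that is not AlphaSOC's own detection code: it groups Okta System Log records by session, compares the challenge and verification IPs, and only flags a mismatch when the challenge IP has an unexpected ASN or user agent and is not a known proxy. The event type names, field paths, ASN baselines, proxy list and the sample records are assumptions constructed for this example.

```python
# Added example (not AlphaSOC code): pair Okta MFA challenge/verification events per
# session and flag IP mismatches whose challenge IP looks anomalous and is not a proxy.
CHALLENGE = "system.push.send_factor_verify_push"  # assumed challenge event type
VERIFY = "user.authentication.auth_via_mfa"        # assumed verification event type

def _field(ev, path):
    """Walk a dotted path such as 'client.ipAddress' through a nested event."""
    for key in path.split("."):
        ev = ev.get(key) if isinstance(ev, dict) else None
    return ev

def is_anomalous(ch, expected_asns, expected_ua_prefixes):  # unexpected ASN or unfamiliar UA
    ua = _field(ch, "client.userAgent.rawUserAgent") or ""
    return (_field(ch, "securityContext.asNumber") not in expected_asns
            or not ua.startswith(expected_ua_prefixes))

def detect_mfa_ip_mismatch(events, expected_asns, expected_ua_prefixes, known_proxy_asns):
    """Return (user, challenge_ip, verify_ip) for anomalous, non-proxy challenge/verify IP mismatches."""
    by_session = {}
    for ev in events:
        sid = _field(ev, "authenticationContext.externalSessionId")
        if sid and ev.get("eventType") in (CHALLENGE, VERIFY):
            by_session.setdefault(sid, {})[ev["eventType"]] = ev
    findings = []
    for pair in by_session.values():
        ch, ve = pair.get(CHALLENGE), pair.get(VERIFY)
        if not (ch and ve):
            continue  # need both stages of the same session to compare
        ch_ip, ve_ip = _field(ch, "client.ipAddress"), _field(ve, "client.ipAddress")
        if ch_ip == ve_ip or _field(ch, "securityContext.asNumber") in known_proxy_asns:
            continue  # same IP, or known proxy service exempted to reduce false positives
        if is_anomalous(ch, expected_asns, expected_ua_prefixes):
            findings.append((_field(ch, "actor.alternateId"), ch_ip, ve_ip))
    return findings

def _event(etype, user, sid, ip, asn, ua):  # builds a minimal Okta-style record (constructed)
    return {"eventType": etype, "actor": {"alternateId": user}, "securityContext": {"asNumber": asn},
            "authenticationContext": {"externalSessionId": sid},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}}}

UA = "Mozilla/5.0 (Windows NT 10.0)"
SAMPLE_EVENTS = [  # constructed sample log, not real data
    _event(CHALLENGE, "alice@example.com", "s1", "203.0.113.10", 64501, "curl/8.0"),  # odd ASN + UA
    _event(VERIFY, "alice@example.com", "s1", "198.51.100.20", 64500, UA),
    _event(CHALLENGE, "bob@example.com", "s2", "203.0.113.30", 64502, UA),  # known proxy ASN
    _event(VERIFY, "bob@example.com", "s2", "198.51.100.20", 64500, UA),
    _event(CHALLENGE, "carol@example.com", "s3", "198.51.100.20", 64500, UA),  # same IP both stages
    _event(VERIFY, "carol@example.com", "s3", "198.51.100.20", 64500, UA),
]
EXPECTED_ASNS, EXPECTED_UA_PREFIXES, KNOWN_PROXY_ASNS = {64500}, ("Mozilla/5.0",), {64502}
```

Only the first session is reported: the second is a mismatch from a known proxy and is exempted, and the third completes both stages from the same IP.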

Impact

This behavior may indicate a user account compromise. The IP mismatch suggests a threat actor has obtained valid credentials and successfully bypassed MFA, gaining unauthorized access to all applications and data accessible to the compromised account. This access could enable data exfiltration or other malicious actions within connected systems.

Severity

Severity  Condition
Low       Okta MFA IP mismatch between challenge and verification

Investigation and Remediation

Review the Okta System Log to identify the user account and IP addresses involved. Contact the users to confirm whether they initiated the challenge. If unauthorized activity is suspected, immediately revoke all active sessions, reset the affected credentials, and require MFA device re-enrollment.

Known False Positives

  • Network transitions during authentication