Okta API calls indicating Okta MFA modification

ID: okta_mfa_modified
Data type: Okta
Severity: Informational - Medium
MITRE ATT&CK: TA0003 (Persistence): T1098.005 (Account Manipulation: Device Registration)

Description

AlphaSOC detected modifications to Okta multi-factor authentication (MFA) settings, such as factors being reset, deactivated, or enrolled, or MFA policy changes. Changes to MFA configuration may indicate an attempt to weaken security controls or bypass authentication requirements. Threat actors who have gained administrative access often alter MFA settings to enrol their own factor as a backdoor or to remove the additional verification step for accounts they intend to use.

Impact

Unauthorized changes to MFA can allow adversaries to bypass authentication controls, potentially compromise user accounts, and gain unauthorized access to protected resources. This access could facilitate data theft, lateral movement through the network, and persistence in the environment.

Severity

Severity | Condition
Informational | One unexpected property: the action, the source ASN, or the user agent deviates from the actor's baseline
Low | Two unexpected properties at the same time
Medium | Three unexpected properties at the same time (action, ASN, and user agent all unexpected)

Investigation and Remediation

Review the Okta System Log to identify the actor who made the MFA changes, the source IP address, ASN, and user agent of the request, the target user, and the specific factor or policy that was modified. Verify that the changes align with approved change management processes, and confirm with the actor out of band if the source ASN or user agent is not one they normally use. If unauthorized changes are found, revert the MFA configuration to secure settings, revoke the actor's active sessions and API tokens if account compromise is suspected, consider resetting affected users' credentials and factors, and conduct access reviews of administrative roles. Document the incident details and consider enhancing monitoring of authentication policy changes.
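The following example applies the severity logic from the table above and the first investigation step to a handful of Okta System Log events. It is an added illustration, not AlphaSOC's detection code. The field names (eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, securityContext.asNumber, target[].alternateId) follow the Okta System Log schema, but the set of MFA event types, the per-actor baseline, and the log lines themselves are assumptions constructed for this example.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Okta System Log eventType values treated as MFA changes.
# Assumption: the page does not list which event types AlphaSOC matches.
MFA_EVENT_TYPES = {
    "user.mfa.factor.activate",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.unenroll",
}

# Severity by number of unexpected properties, as in the table above.
SEVERITY_BY_COUNT = {1: "informational", 2: "low", 3: "medium"}


@dataclass
class Finding:
    """What an analyst needs first: who, from where, what, and to whom."""
    published: str
    actor: str
    ip: str
    event_type: str
    target: str
    unexpected: list = field(default_factory=list)
    severity: str = ""


def score_event(event: dict, baseline: dict) -> Optional[Finding]:
    """Compare one event with the actor's baseline of expected actions, ASNs
    and user agents. Returns None for non-MFA events or fully expected ones."""
    event_type = event.get("eventType", "")
    if event_type not in MFA_EVENT_TYPES:
        return None

    actor = event.get("actor", {}).get("alternateId", "")
    client = event.get("client", {})
    asn = event.get("securityContext", {}).get("asNumber")
    user_agent = client.get("userAgent", {}).get("rawUserAgent")
    expected = baseline.get(actor, {"actions": set(), "asns": set(), "user_agents": set()})

    unexpected = []
    if event_type not in expected["actions"]:
        unexpected.append("action")
    if asn not in expected["asns"]:
        unexpected.append("asn")
    if user_agent not in expected["user_agents"]:
        unexpected.append("user_agent")
    if not unexpected:
        return None  # Assumption: a change matching the baseline on all three properties is not alerted.

    # The user whose factors were changed (Okta lists them in target[]).
    target = next(
        (t.get("alternateId", "") for t in event.get("target", []) if t.get("type") == "User"),
        "",
    )
    return Finding(
        published=event.get("published", ""),
        actor=actor,
        ip=client.get("ipAddress", ""),
        event_type=event_type,
        target=target,
        unexpected=unexpected,
        severity=SEVERITY_BY_COUNT[len(unexpected)],
    )


def triage(log_lines, baseline):
    """Parse newline-delimited JSON events and return findings in log order."""
    findings = []
    for line in log_lines:
        if line.strip():
            finding = score_event(json.loads(line), baseline)
            if finding:
                findings.append(finding)
    return findings


# Constructed baseline for one admin (hypothetical; normally learned from history).
BASELINE = {
    "admin@example.com": {
        "actions": {"user.mfa.factor.activate"},
        "asns": {15169},
        "user_agents": {"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Okta-Admin-Console"},
    }
}

# Constructed sample events (not real logs): a login, an expected factor
# activation, an off-baseline reset, and a late-night deactivate via a script.
SAMPLE_LOG = [
    '{"eventType":"user.session.start","published":"2024-05-01T08:00:00.000Z","actor":{"alternateId":"admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Okta-Admin-Console"}},"securityContext":{"asNumber":15169},"target":[],"outcome":{"result":"SUCCESS"}}',
    '{"eventType":"user.mfa.factor.reset_all","published":"2024-05-01T08:05:00.000Z","actor":{"alternateId":"admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Okta-Admin-Console"}},"securityContext":{"asNumber":15169},"target":[{"type":"User","alternateId":"jdoe@example.com"}],"outcome":{"result":"SUCCESS"}}',
    '{"eventType":"user.mfa.factor.activate","published":"2024-05-01T08:06:00.000Z","actor":{"alternateId":"admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Okta-Admin-Console"}},"securityContext":{"asNumber":15169},"target":[{"type":"User","alternateId":"jdoe@example.com"}],"outcome":{"result":"SUCCESS"}}',
    '{"eventType":"user.mfa.factor.deactivate","published":"2024-05-01T22:41:00.000Z","actor":{"alternateId":"admin@example.com","type":"User"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31.0"}},"securityContext":{"asNumber":64496},"target":[{"type":"User","alternateId":"jdoe@example.com"}],"outcome":{"result":"SUCCESS"}}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, BASELINE):
        print(f"{f.severity:<13} {f.published} {f.actor} -> {f.target} {f.event_type} from {f.ip} unexpected={f.unexpected}")
```

Running the block prints two findings: the reset from the admin's usual console and network scores Informational (only the action is unusual), while the deactivate from an unfamiliar ASN with a scripting user agent scores Medium, which is the case worth confirming with the actor out of band before anything else.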