Okta API calls indicating Okta MFA modification
Description
AlphaSOC detected modifications to Okta multi-factor authentication (MFA) settings. Changes to MFA configuration may be an attempt to weaken security controls or bypass authentication requirements: threat actors target MFA settings to remove additional verification requirements or to create backdoors that let them authenticate without the legitimate user's factors.
Impact
Unauthorized changes to MFA allow an adversary to bypass authentication controls, compromise user accounts, and gain access to protected resources. That access can then be used for data theft, lateral movement through the network, and persistence in the environment.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, or user agent) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the Okta System Log to identify the actor who made the MFA changes, the source IP, ASN, and user agent of the request, the affected users, and the specific modifications that occurred. Verify that the changes align with approved change management processes. If unauthorized changes are found, restore the MFA configuration (factors and policies) to its approved state, consider resetting the affected users' credentials and revoking their active sessions, and conduct access reviews. Document the incident details and consider enhancing monitoring of authentication policy changes.
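The triage described above can be scripted against exported Okta System Log events. The following is an added example written for this page, not AlphaSOC's detection code: it picks out MFA-modifying event types, compares each event's action, ASN, and user agent with a per-tenant baseline, and maps the number of simultaneously unexpected properties to the severity table. The event field names (`eventType`, `actor.alternateId`, `client.userAgent.rawUserAgent`, `securityContext.asNumber`, `target`) follow the Okta System Log schema; the baseline values, the list of MFA event types, and the sample events are constructed for illustration and would be replaced by values learned from the tenant's own history.

```python
"""Triage Okta System Log events for MFA modifications.

Added example, not AlphaSOC's own code. Baseline and sample log are
constructed; a real baseline comes from the tenant's historical logs.
"""
import json

# Okta System Log eventType values that change MFA state or policy.
# Illustrative subset chosen for this example, not an exhaustive list.
MFA_EVENT_TYPES = {
    "user.mfa.factor.activate",
    "user.mfa.factor.update",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
    "system.mfa.factor.deactivate",
    "policy.rule.update",
}

# Hypothetical baseline of an *expected* MFA change for this tenant:
# routine actions, the corporate egress ASN, and browser user agents.
BASELINE = {
    "actions": {"user.mfa.factor.activate", "user.mfa.factor.update"},
    "asns": {64496},  # documentation-range ASN, hypothetical
    "user_agent_tokens": ("Chrome/", "Firefox/", "Safari/"),
}

# Number of unexpected properties in one event -> severity from the table above.
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(event, baseline=BASELINE):
    """Return which of action / ASN / user agent fall outside the baseline."""
    flags = []
    if event.get("eventType") not in baseline["actions"]:
        flags.append("action")
    asn = event.get("securityContext", {}).get("asNumber")
    if asn not in baseline["asns"]:
        flags.append("asn")
    ua = event.get("client", {}).get("userAgent", {}).get("rawUserAgent", "")
    if not any(tok in ua for tok in baseline["user_agent_tokens"]):
        flags.append("user_agent")
    return flags


def triage(events, baseline=BASELINE):
    """Keep MFA-modification events and score each one against the baseline."""
    findings = []
    for ev in events:
        if ev.get("eventType") not in MFA_EVENT_TYPES:
            continue
        flags = unexpected_properties(ev, baseline)
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        findings.append({
            "published": ev.get("published"),
            "actor": ev.get("actor", {}).get("alternateId"),
            "action": ev.get("eventType"),
            "targets": targets,
            "unexpected": flags,
            "severity": SEVERITY_BY_COUNT[len(flags)],
        })
    return findings


def load_events(text):
    """Parse a JSON array of System Log events (as returned by /api/v1/logs)."""
    return json.loads(text)


# Constructed sample: a routine factor update, an admin deactivating a factor
# from the office, a scripted reset_all from an unknown network, and one
# unrelated login event that must be ignored.
SAMPLE_LOG = """[
 {"published": "2024-05-01T08:02:11.000Z", "eventType": "user.mfa.factor.update",
  "actor": {"alternateId": "it-admin@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36"}, "ipAddress": "203.0.113.10"},
  "securityContext": {"asNumber": 64496, "asOrg": "example corp"},
  "target": [{"type": "User", "alternateId": "alice@example.com"}]},
 {"published": "2024-05-01T08:05:40.000Z", "eventType": "user.mfa.factor.deactivate",
  "actor": {"alternateId": "it-admin@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36"}, "ipAddress": "203.0.113.10"},
  "securityContext": {"asNumber": 64496, "asOrg": "example corp"},
  "target": [{"type": "User", "alternateId": "bob@example.com"}]},
 {"published": "2024-05-01T23:47:03.000Z", "eventType": "user.mfa.factor.reset_all",
  "actor": {"alternateId": "it-admin@example.com"},
  "client": {"userAgent": {"rawUserAgent": "python-requests/2.31.0"}, "ipAddress": "198.51.100.77"},
  "securityContext": {"asNumber": 64500, "asOrg": "unknown hosting"},
  "target": [{"type": "User", "alternateId": "carol@example.com"}]},
 {"published": "2024-05-01T23:48:10.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "carol@example.com"},
  "client": {"userAgent": {"rawUserAgent": "python-requests/2.31.0"}, "ipAddress": "198.51.100.77"},
  "securityContext": {"asNumber": 64500, "asOrg": "unknown hosting"},
  "target": []}
]"""

if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE_LOG)):
        print(finding)
```

The third sample event scores Medium because the action, the ASN, and the user agent are all outside the baseline at once, which is the pattern of a scripted reset from an unfamiliar network using an administrator's identity; the second scores only Informational because the same administrator deactivated a factor from the expected network and browser, the kind of change that should be checked against a ticket rather than escalated immediately.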