Successful Okta MFA login after multiple MFA pushes
Description
AlphaSOC detected a successful Okta multi-factor authentication (MFA) login following multiple MFA push notification attempts. This pattern may indicate an MFA push fatigue attack, in which threat actors repeatedly trigger MFA notifications until the user accepts one out of annoyance or exhaustion. A successful login after multiple failed attempts could suggest unauthorized access through stolen credentials or social engineering tactics.
Impact
Successful attacks that bypass multi-factor authentication protections, such as MFA push fatigue attacks, may grant adversaries unauthorized access to corporate systems and sensitive data. Compromised credentials paired with effective social engineering can amplify the risk of data theft, lateral movement, and privilege escalation.
Severity
| Severity | Condition |
|---|---|
| Medium | Successful Okta MFA login after multiple MFA pushes |
Investigation and Remediation
- Review Okta logs for the IP address and device details of the authentication attempts.
- Temporarily disable the affected user account and examine activity logs for unauthorized actions after login.
- Reset the password, revoke sessions, and investigate potential credential theft or social engineering campaigns.
- Enable number matching for Okta Verify push notifications and implement risk-based adaptive MFA policies.
- Review email logs for suspicious messages and educate users about MFA push notification attacks.
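The following script is an added example, not AlphaSOC's detection logic or Okta's code. It shows how the pattern described above (several Okta Verify pushes to one user inside a short window, then a successful MFA login) can be reproduced from exported Okta System Log events during an investigation, and it surfaces the source IPs of the pushes next to the IP of the successful login so the reviewer can compare them. The event type names `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa`, the field paths (`actor.alternateId`, `outcome.result`, `client.ipAddress`, `published`), the threshold of three pushes, the ten-minute window, and the sample log lines are all assumptions made for this example and should be checked against your own tenant's logs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event types this example keys on. These names are an
# assumption about the System Log schema; confirm them in your tenant.
PUSH_SENT = "system.push.send_factor_verify_push"   # Okta Verify push issued
MFA_AUTH = "user.authentication.auth_via_mfa"       # MFA step evaluated


def parse_ts(value):
    """Okta publishes RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(text):
    """Parse newline-delimited JSON System Log events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_push_fatigue(events, min_pushes=3, window=timedelta(minutes=10)):
    """Return one alert per user whose successful MFA login was preceded by
    at least `min_pushes` push notifications inside `window`."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["actor"]["alternateId"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["published"]))
        pushes = []  # (timestamp, source IP) of pushes not yet tied to a login
        for ev in evs:
            ts = parse_ts(ev["published"])
            ip = ev.get("client", {}).get("ipAddress")
            if ev["eventType"] == PUSH_SENT:
                pushes.append((ts, ip))
            elif (ev["eventType"] == MFA_AUTH
                  and ev.get("outcome", {}).get("result") == "SUCCESS"):
                # Only pushes inside the window count; stale ones are ignored.
                recent = [(t, i) for t, i in pushes if ts - t <= window]
                if len(recent) >= min_pushes:
                    alerts.append({
                        "user": user,
                        "push_count": len(recent),
                        "push_ips": sorted({i for _, i in recent if i}),
                        "login_ip": ip,
                        "login_time": ev["published"],
                    })
                pushes = []  # a completed login closes the current episode
    return alerts


def _ev(ts, user, event_type, result=None, ip=None):
    """Build a minimal constructed System Log event as one JSON line."""
    ev = {"published": ts, "eventType": event_type,
          "actor": {"alternateId": user}, "client": {"ipAddress": ip}}
    if result:
        ev["outcome"] = {"result": result}
    return json.dumps(ev)


# Constructed sample log: alice receives four pushes in five minutes and then
# logs in (fatigue pattern); bob gets one push and logs in (normal); dave's
# pushes are over an hour old when he logs in (outside the window).
SAMPLE_LOG = "\n".join([
    _ev("2024-05-01T09:00:00Z", "alice@example.com", PUSH_SENT, ip="203.0.113.7"),
    _ev("2024-05-01T09:01:30Z", "alice@example.com", PUSH_SENT, ip="203.0.113.7"),
    _ev("2024-05-01T09:03:10Z", "alice@example.com", PUSH_SENT, ip="203.0.113.7"),
    _ev("2024-05-01T09:04:45Z", "alice@example.com", PUSH_SENT, ip="203.0.113.7"),
    _ev("2024-05-01T09:05:02Z", "alice@example.com", MFA_AUTH, "SUCCESS", "203.0.113.7"),
    _ev("2024-05-01T09:10:00Z", "bob@example.com", PUSH_SENT, ip="198.51.100.5"),
    _ev("2024-05-01T09:10:20Z", "bob@example.com", MFA_AUTH, "SUCCESS", "198.51.100.5"),
    _ev("2024-05-01T08:00:00Z", "dave@example.com", PUSH_SENT, ip="192.0.2.9"),
    _ev("2024-05-01T08:01:00Z", "dave@example.com", PUSH_SENT, ip="192.0.2.9"),
    _ev("2024-05-01T08:02:00Z", "dave@example.com", PUSH_SENT, ip="192.0.2.9"),
    _ev("2024-05-01T09:30:00Z", "dave@example.com", MFA_AUTH, "SUCCESS", "192.0.2.9"),
])
SAMPLE_EVENTS = load_events(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Resetting the push list after each successful login keeps one noisy session from being counted twice, and dropping pushes older than the window is what stops the "connection issues" false positive from the section below from firing on pushes that belong to an earlier, unrelated login. A push IP set that differs from the login IP, or contains more than one address, is worth calling out in the alert because it means the pushes were not all triggered from the device that finally authenticated.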
Known False Positives
- Users accidentally triggering multiple MFA pushes due to connection issues