Multiple rejected Okta MFA Push notifications for a single user
Description
AlphaSOC detected multiple rejected Okta multi-factor authentication (MFA) push notifications for a single user. While multiple rejections may occur due to legitimate user error or technical issues, this pattern could also indicate an MFA fatigue attack where an adversary repeatedly triggers push notifications hoping the user will eventually approve a request out of frustration or confusion.
Impact
If a user approves an MFA request during a fatigue attack, the threat actor gains unauthorized access to the user's account and applications. This access may enable data theft, privilege escalation, or lateral movement across the organization's systems. This technique uses social engineering to bypass standard authentication security controls.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple rejected Okta MFA Push notifications for a single user |
Investigation and Remediation
Contact the user to confirm whether they initiated any login attempts. Review authentication logs for source IP addresses and geolocation data. Look for other suspicious activity on the account, such as failed login attempts or unexpected access patterns. If a compromise is suspected, reset passwords and revoke all active sessions. Implement number matching for Okta MFA to prevent future attacks. Add rate limiting for authentication attempts and configure alerts for repeated MFA denials.
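One way to alert on repeated MFA denials and collect the client IPs for review, as an added example that is not AlphaSOC's detection logic: it scans Okta System Log records for `user.mfa.okta_verify.deny_push` events per user in a sliding window. The threshold of 3 denials in 10 minutes, the helper names, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Okta System Log event type recorded when a user rejects an Okta Verify push.
DENY_PUSH = "user.mfa.okta_verify.deny_push"
# Assumed tuning values; the page does not state a threshold or time window.
THRESHOLD = 3
WINDOW = timedelta(minutes=10)

def parse_ts(value):
    """Parse an Okta 'published' timestamp, e.g. 2024-05-01T09:00:05.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def repeated_push_denials(events, threshold=THRESHOLD, window=WINDOW):
    """Map each user with >= threshold rejected pushes inside one sliding
    window to the sorted client IPs seen on those events."""
    recent = defaultdict(deque)   # user -> (timestamp, ip) still in window
    flagged = defaultdict(set)
    denials = [e for e in events if e.get("eventType") == DENY_PUSH]
    for e in sorted(denials, key=lambda e: parse_ts(e["published"])):
        user = e["actor"]["alternateId"].lower()
        ts = parse_ts(e["published"])
        q = recent[user]
        q.append((ts, e.get("client", {}).get("ipAddress")))
        while ts - q[0][0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user].update(ip for _, ip in q if ip)
    return {u: sorted(ips) for u, ips in flagged.items()}

def _ev(event_type, user, ip, ts):
    """Build a minimal System Log record with only the fields used above."""
    return {"eventType": event_type, "published": ts,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed sample events (example.com users, documentation-range IPs).
SAMPLE = [
    _ev(DENY_PUSH, "bob@example.com", "192.0.2.10", "2024-05-01T09:00:00.000Z"),
    _ev(DENY_PUSH, "alice@example.com", "203.0.113.7", "2024-05-01T09:00:05.000Z"),
    _ev(DENY_PUSH, "alice@example.com", "203.0.113.7", "2024-05-01T09:01:10.000Z"),
    _ev(DENY_PUSH, "alice@example.com", "198.51.100.20", "2024-05-01T09:02:30.000Z"),
    _ev(DENY_PUSH, "bob@example.com", "192.0.2.10", "2024-05-01T09:03:00.000Z"),
    _ev("user.authentication.auth_via_mfa", "alice@example.com", "203.0.113.7",
        "2024-05-01T09:05:00.000Z"),
    _ev(DENY_PUSH, "carol@example.com", "192.0.2.44", "2024-05-01T08:00:00.000Z"),
    _ev(DENY_PUSH, "carol@example.com", "192.0.2.44", "2024-05-01T08:30:00.000Z"),
    _ev(DENY_PUSH, "carol@example.com", "192.0.2.44", "2024-05-01T09:00:00.000Z"),
]

if __name__ == "__main__":
    for user, ips in repeated_push_denials(SAMPLE).items():
        print(f"ALERT repeated push denials: {user} client IPs: {ips}")
```

Denials spread over a long period (carol in the sample) do not alert, which keeps occasional accidental rejections from firing the rule.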
Known False Positives
- Network connectivity problems affecting MFA delivery
- Users accidentally rejecting legitimate MFA requests due to confusion
- Mobile device issues preventing proper MFA notification display