Okta weak MFA fallback

ID: okta_weak_mfa_fallback
Data type: Okta
Severity: Informational
MITRE ATT&CK: TA0003:T1556.006

Description

AlphaSOC detected a user authenticating with a weak multi-factor authentication (MFA) method after previously using stronger factors. This detection triggers when a user who has historically authenticated using stronger factors such as Okta Verify push notifications, TOTP, or hardware security keys falls back to a weaker method.

Impact

Fallback to weak MFA methods may indicate an attacker attempting to authenticate with compromised credentials while circumventing stronger authentication controls. Weak factors are more vulnerable to interception and social engineering, potentially allowing unauthorized access to the user's account and associated applications.

Severity

Severity: Informational
Condition: User with strong MFA history authenticates using a weak factor

Investigation and Remediation

Review the Okta System Log to identify the authentication event, including the user, source IP address, and the specific weak factor used. Determine whether the user initiated the fallback intentionally or if the request originated from an unexpected location or device. Contact the user to verify the authentication was legitimate. If unauthorized access is suspected, revoke active sessions, reset credentials, and re-enroll MFA devices.
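
The triage step above can be sketched as follows. This is an added example, not AlphaSOC's rule logic or Okta's code: it walks MFA events in time order, flags a successful weak-factor login by a user with prior strong-factor history, and notes whether the source IP is new for that user. The event layout is a subset modeled on Okta System Log entries; the factor strings, the list of weak factors (the page does not enumerate them), and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: illustrative factor labels and weak/strong split, not AlphaSOC's list.
STRONG = {"OKTA_VERIFY_PUSH", "TOTP", "WEBAUTHN"}
WEAK = {"SMS", "VOICE_CALL", "EMAIL", "SECURITY_QUESTION"}

def ev(ts, user, ip, factor, result="SUCCESS"):
    """Build one constructed event using a subset of System Log style fields."""
    return {"published": ts, "eventType": "user.authentication.auth_via_mfa",
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result},
            "debugContext": {"debugData": {"factor": factor}}}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE_EVENTS = [
    ev("2024-05-01T08:00:00Z", "alice@example.com", "198.51.100.10", "OKTA_VERIFY_PUSH"),
    ev("2024-05-02T08:05:00Z", "alice@example.com", "198.51.100.10", "WEBAUTHN"),
    ev("2024-05-02T09:00:00Z", "bob@example.com", "198.51.100.20", "SMS"),
    ev("2024-05-03T02:14:00Z", "alice@example.com", "203.0.113.77", "SMS"),
    ev("2024-05-03T09:30:00Z", "carol@example.com", "198.51.100.30", "TOTP"),
    ev("2024-05-03T09:31:00Z", "carol@example.com", "198.51.100.30", "EMAIL", "FAILURE"),
    ev("2024-05-04T09:00:00Z", "carol@example.com", "198.51.100.30", "SECURITY_QUESTION"),
]

def find_weak_fallbacks(events):
    """Return findings for successful weak-factor logins by users with strong history."""
    strong_seen = defaultdict(set)  # user -> strong factors used so far
    known_ips = defaultdict(set)    # user -> source IPs seen so far
    findings = []
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != "user.authentication.auth_via_mfa":
            continue
        if e["outcome"]["result"] != "SUCCESS":
            continue  # failed attempts neither build history nor trigger
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        factor = e["debugContext"]["debugData"]["factor"]
        if factor in WEAK and strong_seen[user]:
            findings.append({"user": user, "time": e["published"], "factor": factor,
                             "source_ip": ip, "new_ip": ip not in known_ips[user],
                             "prior_strong": sorted(strong_seen[user])})
        elif factor in STRONG:
            strong_seen[user].add(factor)
        known_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for finding in find_weak_fallbacks(SAMPLE_EVENTS):
        print(finding)
```

A finding with `new_ip` set is the case to prioritize when contacting the user, since it combines the factor downgrade with an unfamiliar source.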