LoFP / t1621

t1621

A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.
Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary.
AWS administrators may disable MFA, but it is highly unlikely for this event to occur without prior notice to the company.
False positives have been minimized by removing attempts that result in 'MFA successfully completed' messages, which were found to be generated when a user opts to use a different MFA method than the default. Further reductions in notable events can be achieved by filtering 'MFA denied; duplicate authentication attempt' messages within the auth_msg field, as they could arguably be considered false positives.
False positives may be generated by normal provisioning workflows for user device registration.
False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
False positives may be generated by users working outside the geographic region where the organization's services or technology are hosted.
Legitimate users may fail to reply to the MFA challenge within the time window or deny it by mistake.
Multiple denied MFA requests in a short span of time may also be a sign of authentication errors. Investigate and filter as needed.
Multiple failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity.
Users actually log in but mis-click the deny button when the MFA prompt appears.