LoFP / A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.

Techniques

Sample rules

Okta Authentication Failed During MFA Challenge

Description

The following analytic identifies an authentication attempt against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. The detection is written against the Authentication data model and looks for failed events where the authentication signature is user.authentication.auth_via_mfa. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime  values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature  values(Authentication.method) as method  from datamodel=Authentication where  Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action 
| `drop_dm_object_name("Authentication")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| iplocation src 
| `okta_authentication_failed_during_mfa_challenge_filter`
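
The following triage sketch is an added example, not part of the rule above or of the Splunk content it comes from. It separates the false positive this page describes (a user who mistypes and then succeeds) from failures that still need review. The events are constructed samples using Okta System Log field names, and the 10-minute window, the failure limit and the verdict labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MFA_EVENT = "user.authentication.auth_via_mfa"  # signature the rule matches
RETRY_WINDOW = timedelta(minutes=10)  # assumption: time allowed for a retry
MAX_FAILURES = 3  # assumption: more failures than this is not a typo

def ev(ts, user, ip, result):
    """Constructed event using Okta System Log field names."""
    return {"published": f"2024-05-01T{ts}.000Z", "eventType": MFA_EVENT,
            "outcome": {"result": result}, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}}

# Constructed sample data: fictional users, documentation IP ranges.
SAMPLE_EVENTS = [
    ev("09:00:05", "alice@example.com", "198.51.100.10", "FAILURE"),
    ev("09:00:40", "alice@example.com", "198.51.100.10", "SUCCESS"),
    ev("03:12:00", "bob@example.com", "203.0.113.77", "FAILURE"),
    ev("03:12:30", "bob@example.com", "203.0.113.77", "FAILURE"),
    ev("08:30:00", "bob@example.com", "198.51.100.20", "SUCCESS"),
    *[ev(f"10:0{i}:00", "carol@example.com", "198.51.100.30", "FAILURE")
      for i in range(4)],
    ev("10:05:00", "carol@example.com", "198.51.100.30", "SUCCESS"),
]

def triage(events):
    """Return {(user, src): verdict} for each pair with a failed MFA challenge."""
    groups = defaultdict(list)
    for e in events:
        if e["eventType"] != MFA_EVENT:
            continue
        key = (e["actor"]["alternateId"], e["client"]["ipAddress"])
        when = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        groups[key].append((when, e["outcome"]["result"]))
    verdicts = {}
    for key, rows in groups.items():
        failures = [t for t, r in rows if r == "FAILURE"]
        if not failures:
            continue
        last = max(failures)
        # Success from the same user and source soon after the last failure
        # fits the mistyped-code false positive this page describes.
        recovered = any(r == "SUCCESS" and last < t <= last + RETRY_WINDOW
                        for t, r in rows)
        ok = recovered and len(failures) <= MAX_FAILURES
        verdicts[key] = "likely_user_error" if ok else "investigate"
    return verdicts
```

Calling `triage(SAMPLE_EVENTS)` marks the alice pair as `likely_user_error` and both the bob pair from 203.0.113.77 and the carol pair as `investigate`. A later success from a different source address does not clear the earlier failures.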