Track MFA abandonment in the System Log

Early Access release. See Enable self-service features.

Multifactor authentication (MFA) abandonment refers to an authentication attempt that is stopped during the process because the user didn't complete the verification.

The reason for abandonment can be legitimate, but it could also indicate that an account is under attack. By tracking these abandoned MFA attempts in the System Log, you can gain insights into attack patterns and identify targeted accounts. This enables you to mitigate potential attacks.

There are many reasons why a legitimate user might not complete MFA verification. They might have issues with their device or an app, or they might lack connectivity. An attacker, however, might be trying to gain access to the account using stolen or guessed credentials. Their MFA verification fails if they don't have access to the MFA device or app, or if the MFA prompt is too difficult to intercept. Okta may also detect suspicious activity and prompt for additional verification. The attacker can't sign in because they can't satisfy the MFA challenges.

MFA outcomes

Abandoned MFA attempts are recorded in the System Log under the user.authentication.auth_via_mfa event. This event displays either UNANSWERED or ABANDONED outcomes.

  • UNANSWERED:
    • The user ignored some available security methods, but satisfied assurance requirements with other options. The user was granted a session.
    • This entry appears in the System Log when the user successfully signs in.
    • You can use the value of the AuthnRequestId field to search the sign-in trail for related events.
  • ABANDONED:
    • The user wasn't able to satisfy the MFA challenges on time, couldn't sign in, and therefore wasn't granted a session. The user may have also stopped trying to sign in.
    • Authentication and recovery requests expire when the user doesn't respond to the authentication challenge on time. This entry may appear in the System Log after 30 minutes of inactivity for each abandoned security method.
    • You can use the value of the AuthnRequestId field to search the sign-in trail for related events.

For both of these outcomes, refer to these fields for information to track potential security issues:

  • The time in the AuthenticatorMethodChallengeTime field shows when the challenge was presented to the user.
  • You can use the value of the AuthnRequestId field to search the sign-in trail for related events.
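
Added example (not Okta's code): one way to triage exported System Log events using the fields described above. It counts distinct AuthnRequestId values with an ABANDONED outcome per user, because a single sign-in attempt can log one entry for each abandoned security method. Assumptions: the events are constructed, AuthnRequestId and AuthenticatorMethodChallengeTime are placed under debugContext.debugData, and the threshold of 3 is an arbitrary starting point.

```python
from collections import defaultdict

MFA_EVENT = "user.authentication.auth_via_mfa"

# Constructed sample events. Assumption: AuthnRequestId and
# AuthenticatorMethodChallengeTime sit under debugContext.debugData;
# adjust the lookups to match your own export.
def _ev(user, result, req, challenged, event_type=MFA_EVENT):
    return {"eventType": event_type, "actor": {"alternateId": user},
            "outcome": {"result": result},
            "debugContext": {"debugData": {
                "AuthnRequestId": req,
                "AuthenticatorMethodChallengeTime": challenged}}}

SAMPLE_EVENTS = [
    _ev("alice@example.com", "CHALLENGE", "req-a1", None, "policy.evaluate_sign_on"),
    _ev("alice@example.com", "ABANDONED", "req-a1", "2024-05-01T09:00:05Z"),
    _ev("alice@example.com", "ABANDONED", "req-a1", "2024-05-01T09:00:00Z"),
    _ev("alice@example.com", "ABANDONED", "req-a2", "2024-05-01T09:40:00Z"),
    _ev("alice@example.com", "ABANDONED", "req-a3", "2024-05-01T10:15:00Z"),
    _ev("bob@example.com", "UNANSWERED", "req-b1", "2024-05-01T11:00:00Z"),
    _ev("bob@example.com", "ABANDONED", "req-b2", "2024-05-01T12:00:00Z"),
]

def _debug(event):
    return event.get("debugContext", {}).get("debugData", {})

def abandoned_attempts(events):
    """Map user -> {AuthnRequestId: earliest challenge time} for ABANDONED MFA events."""
    per_user = defaultdict(dict)
    for e in events:
        # UNANSWERED is skipped: that sign-in ended with a granted session.
        if e.get("eventType") != MFA_EVENT or e.get("outcome", {}).get("result") != "ABANDONED":
            continue
        req = _debug(e).get("AuthnRequestId")
        ts = _debug(e).get("AuthenticatorMethodChallengeTime")
        if not req:
            continue
        seen = per_user[e.get("actor", {}).get("alternateId", "unknown")]
        # Same-format ISO 8601 UTC strings sort chronologically.
        seen[req] = ts if seen.get(req) is None or (ts and ts < seen[req]) else seen[req]
    return dict(per_user)

def flag_targets(events, threshold=3):
    """Users with at least `threshold` distinct abandoned sign-in attempts."""
    return sorted(u for u, reqs in abandoned_attempts(events).items() if len(reqs) >= threshold)

def sign_in_trail(events, authn_request_id):
    """All events, of any type, that share one AuthnRequestId."""
    return [e for e in events if _debug(e).get("AuthnRequestId") == authn_request_id]
```

For each flagged user, pass the AuthnRequestId values to sign_in_trail to review the related events for that sign-in attempt.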