MFA Activity report

The MFA Activity report provides insight into the MFA trends in your org. You can use this report to understand which authentication methods your users use to access Okta and Okta-protected apps.

The report also provides information about the characteristics of authenticators, helping you measure how phishing-resistant your org is.

Source data for this report is refreshed periodically during the day. Recent activity may take some time to appear in the report. MFA events that use the Classic Engine APIs such as /api/v1/authn or /api/v1/radius aren’t included in this report.

Run the report

  1. In the Admin Console, go to Reports > Reports.

  2. On the Reports page, go to Multifactor Authenticator and click MFA Events. The MFA Activity report page opens.

  3. Click Edit Filters to filter the report by duration. The default filter is the last 24 hours. You can select a duration of up to the last 90 days.

  4. Optional. Click CSV Export to download the report as a CSV file. You can also see this report in the Event Details table on the page.


The report shows the total number of authentication events during the selected time frame that match the set filter criteria. It also shows how many of these events were phishing-resistant, the number of users using phishing-resistant authentication, and the percentage of phishing-resistant events in the selected data set.

These events are presented as three charts:

  1. Authentication activity over time: This chart shows the number of authentication events based on the characteristic of the authentication method. For example, Phishing resistant, Passwordless, and User verifying.

  2. Authenticator methods by intent: This chart shows different authenticators used for authentication, enrollment, recovery, and account unlock. For example, Okta Verify, YubiKey, or Google Authenticator. This chart refers to individual authenticators used in MFA events. Each event may include more than one authenticator.

  3. Authenticator properties for top 10 apps: This chart shows the characteristics of the authentication events for the top 10 apps in your org that users accessed. For example, Phishing resistant, Passwordless, and User verifying.

The report also includes the Event Details table, which provides information about each matching event. This includes details such as the user’s name, intent, authenticator, and target. You can show or hide fields in this table by clicking the gear icon.
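
The summary figures described above can be recomputed from the CSV export, which also lets you list the users who never used a phishing-resistant method in the selected duration. The following is an added example, not Okta code: this page doesn't list the export's headers, so the column names (user, intent, authenticator, phishing_resistant, target), the one-row-per-event layout, and the sample rows are assumptions to adapt to your own export.

```python
import csv
import io

# Constructed sample standing in for the CSV export. The column names are
# assumptions: rename them to match the headers in your own export.
SAMPLE_EXPORT = """user,intent,authenticator,phishing_resistant,target
alice@example.com,Authentication,YubiKey,true,Okta Dashboard
bob@example.com,Authentication,Google Authenticator,false,Payroll
bob@example.com,Enrollment,YubiKey,TRUE,Okta Dashboard
carol@example.com,Authentication,Google Authenticator,false,Payroll
alice@example.com,Authentication,Okta Verify,false,Payroll
carol@example.com,Recovery,Google Authenticator,False,Okta Dashboard
"""


def summarize(csv_text):
    """Recompute the report's headline figures from exported event rows."""
    total = resistant_events = 0
    all_users, resistant_users = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip().lower()
        total += 1
        all_users.add(user)
        # Compare the flag case-insensitively; anything other than "true"
        # is counted as not phishing-resistant.
        if row["phishing_resistant"].strip().lower() == "true":
            resistant_events += 1
            resistant_users.add(user)
    return {
        "total_events": total,
        "phishing_resistant_events": resistant_events,
        "phishing_resistant_users": len(resistant_users),
        # Guard against an empty export (no events in the selected duration).
        "phishing_resistant_pct": round(100 * resistant_events / total, 1) if total else 0.0,
        # Users seen in the window who never used a phishing-resistant method.
        "users_without_phishing_resistant": sorted(all_users - resistant_users),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```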