This article aims to explain different suspicious activity events that are logged.

• Multi-Factor Authentication (MFA)
• Activity Events

1. A bypass of MFA may have been attempted for this user.
   
   1. This event is logged when a user tries to enroll in Multi-Factor Authentication (MFA) from the Settings page after their session has expired.
   2. Okta treats this as a potential attempt to bypass the standard MFA process because the session is no longer active.
   3. This can happen if a user leaves the Settings page open and inactive, then tries to enroll in a new MFA factor after the session times out.
   4. The event is intended to help administrators monitor for possible MFA bypass attempts.
2. Failed ${factor} factor attempt.
   
   1. This event is logged when a user attempts to authenticate using a multi-factor authentication (MFA) method (such as Okta Verify, SMS, or another factor), but the attempt fails.
   2. The failure could be due to an incorrect code, a denied push notification, or any other reason that prevents the MFA verification from succeeding.

Related References

• Suspicious activity events