<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Capture MFA Abandoned Attempts Using Okta API and System Logs
Apr 1, 2026
Insights and Reporting
Okta Identity Engine
Overview

This article provides administrators with instructions for monitoring and querying abandoned Multi-Factor Authentication (MFA) attempts using the Okta System Log API. This can be useful for creating custom reports to identify users who do not complete the MFA process.

Applies To
  • Okta System Log API
  • Custom Reports
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
Solution

To identify users who have abandoned the MFA authentication process, query the Okta System Log. The logs will show an "ABANDONED" result for the user.authentication.auth_via_mfa event type.

Use the following API query to filter for these specific events: {{baseUrl}}/api/v1/logs?filter=eventType eq "user.authentication.auth_via_mfa" and (outcome.result eq "ABANDONED").

Explanation of the Query

Postman

Event for system log: eventType eq "user.authentication.auth_via_mfa" and (outcome.result eq "ABANDONED").

System log


This query retrieves a list of all MFA attempts that the end-user did not successfully complete. This data can then be used to build custom reports for monitoring and administrative purposes.

Recommended content

Still looking for help?
Loading
How to Capture MFA Abandoned Attempts Using Okta API and System Logs