An Okta application that requires Multi-Factor Authentication (MFA) records an incomplete sign-in event in the System Log when a user abandons the authentication flow. This occurs because the initial password verification triggers a session start event, but because MFA is never completed, the final verification event is never logged. Administrators reviewing the logs can verify that unauthorized access does not occur, because the system denies access without the final verification.
Administrators observe the following event, indicating a user attempting to access the application: "user.authentication.auth_via_mfa authenticated with Password (AuthenticatorEnrollment)".
This event raises concerns regarding a potential unauthorized sign-in by a threat actor.
The following images represent an example of an MFA policy for an application and the resulting log event:
[Image: MFA Policy for Application]
[Image: System Log for user accessing application]
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Multi-Factor Authentication (MFA)
- System Log
Why does the System Log display an incomplete sign-in event?
The "user.session.start" event fires after the system verifies the first authentication method. In this scenario, the first method is the password. The "user.authentication.verify" event fires only after the user successfully completes the entire sign-in flow.
How do administrators confirm an abandoned sign-in attempt?
Follow these steps to interpret the event and confirm that the system blocks unauthorized access:
- Navigate to the System Log within the Okta Admin Console.
- Search for the user session to confirm that the log does not include the "user.authentication.verify" event.
- Because the verification event is missing, conclude that the actor abandons the login flow at the MFA requirement stage.
- Confirm that the system acknowledges the valid password but does not receive the necessary MFA verification.
- Verify that the system actively denies access to the application.
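The check described in these steps can also be run over exported System Log events. The following is an added example, not code from Okta or from the original article. It assumes that the events of one sign-in attempt share the same `authenticationContext.externalSessionId`, and the sample events are constructed for illustration.

```python
from collections import defaultdict

START = "user.session.start"          # fires after the first factor (password)
VERIFY = "user.authentication.verify"  # fires only when the whole flow completes

def ev(ts, event_type, user, session_id):
    """Build a constructed event with the System Log fields this check reads."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": session_id}}

# Constructed sample data (not real log output).
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:00Z", START, "alice@example.com", "sess-A"),
    ev("2024-01-01T10:00:05Z", "user.authentication.auth_via_mfa", "alice@example.com", "sess-A"),
    ev("2024-01-01T10:00:06Z", VERIFY, "alice@example.com", "sess-A"),
    ev("2024-01-01T11:30:00Z", START, "bob@example.com", "sess-B"),
    ev("2024-01-01T11:30:01Z", "user.authentication.auth_via_mfa", "bob@example.com", "sess-B"),
]

def abandoned_sessions(events):
    """Return {session_id: user} for sessions that have a session start
    event but no final verification event (sign-in abandoned at MFA)."""
    types_by_session = defaultdict(set)
    user_by_session = {}
    for event in events:
        # Assumption: one sign-in attempt maps to one externalSessionId.
        sid = (event.get("authenticationContext") or {}).get("externalSessionId")
        if not sid:
            continue  # cannot correlate events that carry no session ID
        types_by_session[sid].add(event.get("eventType"))
        user = (event.get("actor") or {}).get("alternateId")
        user_by_session.setdefault(sid, user)
    return {
        sid: user_by_session[sid]
        for sid, types in types_by_session.items()
        if START in types and VERIFY not in types
    }

if __name__ == "__main__":
    for sid, user in abandoned_sessions(SAMPLE_EVENTS).items():
        print(f"{user}: password accepted, MFA not completed (session {sid})")
```

A user who appears repeatedly in this output had a valid password entered without MFA completion each time, which is a reasonable trigger for a password reset review.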
