This article clarifies when the Attempt bypass of factor event is recorded in the Okta System Log. The event appears when users attempt to enroll in Multi-Factor Authentication (MFA) via the Settings page after the user session expires.
The following event is recorded in the Okta System Log:
Display Message: Attempt bypass of factor
Event Type: user.mfa.attempt_bypass
Outcome Result: SUCCESS
debugContext.debugData.url: /user/settings/factors/setup?factorType=<type>
LegacyEventType: core.user_auth.mfa_bypass_attempted
- System Log
- Multi-Factor Authentication (MFA)
The issue occurs due to the timing of the MFA enrollment attempt in correlation with the session expiration.
The event can be monitored in the Okta System Log under the requestUri. Use the following query to search for this event:
eventType eq "user.mfa.attempt_bypass" and debugContext.debugData.requestUri eq "/user/settings/factors/setup"
To observe the event, follow these steps:
-
Navigate to the Settings page after attempting to authenticate with an MFA authenticator to create the session.
-
Wait for 15 minutes before attempting to enroll in another MFA authenticator.
-
Ensure the window remains open and inactive without interaction on the Okta Dashboard Settings page.
-
Attempt to enroll in MFA. After 15 minutes, the enrollment attempt results in an error message, which triggers the event.
-
Observe the attempted factor in the System Logs under the Uri, such as
/user/settings/factors/setup?factorType=<type>.
