Okta Classic Engine | Administration | Answered
Timestamps: 2024-04-16T12:24:27.000Z, 2021-10-10T05:06:40.000Z, 2022-05-09T14:11:51.000Z

e5e6c (e5e6c) asked a question.

User MFA Bypass Attempt

We've been trying to understand in which situations the "user.mfa.attempt_bypass" log will be created, to know if this could point to a possible security risk. So far, the only thing we've found is this:

https://support.okta.com/help/s/question/0D54z000078dAms/attempt-bypass-of-factor?language=en_US

 

In that thread, we're pointed to a page in the knowledge base where there's an explanation for a possible false positive and nothing else.

 

In what other case will this event show up?

Could this point at a possible attack or suspicious login attempt to an account?

 


  • User16003432765503135491 (Vendor Management)

    Hi liran Ravich,

     

    This event is triggered when an MFA bypass is attempted. The most common case is when the user goes to the end user's Settings page with an active session without getting prompted for MFA, but after the session expires (15 minutes), the user tries to change a setting on that page. The user would be able to change the setting, but would not be able to save it, as the actual session for MFA has already expired.

     

    In this case, the event "user.mfa.attempt_bypass" would be shown in the system logs along with "A bypass of MFA may have been attempted for this user" and "core.user_auth.mfa_bypass_attempted" in the events API.

     

    These events do not necessarily refer to suspicious activity; the user simply has to reload the page and authenticate if prompted for credentials so the session would be revalidated.

    System logs event types can be found on our Event Types article.

     

    Thank You,

     

    Ovidiu Mihalache

    Technical Support Engineer

    Okta Global Customer Care

    • e5e6c (e5e6c)

      I'm trying to understand in what other cases besides the false positive you described above this event could be seen.

      Could these events point at a possible attempt to bypass the MFA by an attacker?

      • mktcq (mktcq)

        Did you ever find an answer? I'm also confused about the logging and explanation here. I also need to know the possible exceptions.

  • e5e6c (e5e6c)

    @User16003432765503135491 (Vendor Management)​ 

    I'm trying to understand in what other cases besides the false positive you described above this event could be seen.

    Could these events point at a possible attempt to bypass the MFA by an attacker?

  • slf73 (slf73)

    Hi Okta team, you'll need to explain this better. Will this event trigger only for a stale session update? I

    • slf73 (slf73)

      Please do not close this question without answering it.

This question is closed.
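
The following is an added example, not code from this thread or from Okta: a triage pass that checks each "user.mfa.attempt_bypass" event against the stale-session explanation given in the support reply above. It assumes events exported from the System Log with the `eventType`, `published`, `actor.alternateId` and `authenticationContext.externalSessionId` fields; the sample events and the rule that a session first seen at least 15 minutes earlier fits that explanation are assumptions made for illustration.

```python
from datetime import datetime, timedelta

BYPASS = "user.mfa.attempt_bypass"
STALE_AFTER = timedelta(minutes=15)  # session lifetime quoted in the support reply

def make_event(event_type, published, user, session_id):
    """Build a constructed event shaped like a System Log entry (hypothetical helper)."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": session_id}}

# Constructed sample data; users, session ids and times are made up.
SAMPLE_EVENTS = [
    make_event("user.session.start", "2021-10-10T05:00:00.000Z", "alice@example.com", "sess-A"),
    make_event(BYPASS, "2021-10-10T05:21:30.000Z", "alice@example.com", "sess-A"),
    make_event(BYPASS, "2021-10-10T06:00:10.000Z", "bob@example.com", "sess-B"),
    make_event("user.session.start", "2021-10-10T07:00:00.000Z", "carol@example.com", "sess-C"),
    make_event(BYPASS, "2021-10-10T07:03:00.000Z", "carol@example.com", "sess-C"),
    make_event(BYPASS, "2021-10-10T08:00:00.000Z", "dave@example.com", None),
]

def _when(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def _key(event):
    session = (event.get("authenticationContext") or {}).get("externalSessionId")
    return event["actor"]["alternateId"], session

def triage_bypass_events(events):
    """Return (user, published, verdict) for every bypass event.

    'matches_stale_session' means the same user and session were first seen
    at least 15 minutes earlier, which fits the explanation in the thread.
    Everything else, including events with no session id, is 'needs_review'.
    """
    first_seen = {}
    for ev in events:
        key, t = _key(ev), _when(ev)
        if key[1] is not None and (key not in first_seen or t < first_seen[key]):
            first_seen[key] = t
    results = []
    for ev in events:
        if ev["eventType"] != BYPASS:
            continue
        key = _key(ev)
        start = first_seen.get(key)
        stale = start is not None and _when(ev) - start >= STALE_AFTER
        results.append((key[0], ev["published"],
                        "matches_stale_session" if stale else "needs_review"))
    return results
```

A "matches_stale_session" verdict only says the event fits the one scenario described in the thread; it does not establish that the event was benign.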