Alert title: “Problematic MFA” (Problematic Multi Factor Authentication)
Description: Alerts if a user is suspected of having problems with Multi Factor Authentication (MFA)
Options:
- It is possible to ignore users
- It is possible to set the total MFA failures count at which the alert is triggered
- It is possible to set the number of failures from unique IPs at which the alert is triggered
- It is possible to set the number of failures from unique IPs that don’t go on to any successful logins at which the alert is triggered. This is like the option above, but is typically set lower
The problem: This alert is triggered when there is an unhealthy number of Multi-Factor Authentication (MFA) failures.
Impact: This may be related to one or more users who have problems with the MFA process, or it may indicate an account that is otherwise compromised, except for MFA.
Suggested steps: Engage a technician to confirm that the alert is accurate. Either provide end-user support (if user help is required) or undertake mitigation steps if it is an otherwise compromised account.
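Added example (not the product's own code): one way the three thresholds under Options could be evaluated over sign-in events, showing how a user who mistypes codes from one IP differs from one whose failures come from several IPs that never log in successfully. The event field names, the threshold values and the reading of "don't go on to any successful logins" as "no successful MFA from that IP in the window" are assumptions.

```python
from collections import defaultdict

def ev(user, ip, mfa):
    # Assumed event shape; real sign-in logs will use different field names.
    return {"user": user, "ip": ip, "mfa": mfa}

# Constructed sample events (documentation IP ranges, not real data).
EVENTS = (
    # alice: repeated failures from one IP, then succeeds from that same IP
    [ev("alice", "192.0.2.10", "failure")] * 5 + [ev("alice", "192.0.2.10", "success")]
    # bob: failures from two IPs that never succeed; his only success is elsewhere
    + [ev("bob", "198.51.100.7", "failure"), ev("bob", "203.0.113.9", "failure"),
       ev("bob", "192.0.2.20", "success")]
    # carol: a single failure followed by success
    + [ev("carol", "192.0.2.30", "failure"), ev("carol", "192.0.2.30", "success")]
    # svc-test: noisy account expected to be on the ignore list
    + [ev("svc-test", "203.0.113.50", "failure")] * 8
)

def problematic_mfa(events, ignore=(), max_failures=5, max_fail_ips=3,
                    max_fail_ips_no_success=2):
    """Return {user: [reasons]} for users reaching any of the three thresholds."""
    fails = defaultdict(int)      # total MFA failures per user
    fail_ips = defaultdict(set)   # IPs with at least one MFA failure
    ok_ips = defaultdict(set)     # IPs with at least one MFA success
    for e in events:
        user = e["user"]
        if user in ignore:
            continue
        if e["mfa"] == "failure":
            fails[user] += 1
            fail_ips[user].add(e["ip"])
        elif e["mfa"] == "success":
            ok_ips[user].add(e["ip"])
    alerts = {}
    for user, count in fails.items():
        reasons = []
        if count >= max_failures:
            reasons.append("total_failures")
        if len(fail_ips[user]) >= max_fail_ips:
            reasons.append("unique_failure_ips")
        # Failing IPs that never produced a success for this user
        if len(fail_ips[user] - ok_ips[user]) >= max_fail_ips_no_success:
            reasons.append("unique_failure_ips_no_success")
        if reasons:
            alerts[user] = reasons
    return alerts

if __name__ == "__main__":
    print(problematic_mfa(EVENTS, ignore=("svc-test",)))
```

The reason attached to each user gives the technician a starting point: a lone "total_failures" hit from a single IP that later succeeds points toward end-user support, while failures from IPs with no successful login point toward the compromised-account path.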