MFA Playbook
Attackers can abuse multi-factor authentication (MFA) challenges, such as push notifications and SMS, voice or email codes, to gain access to your systems or to run up messaging costs. Below are some common MFA attack vectors and guidance on how to investigate them.
Find log events of interest
The following log event types are relevant when investigating an MFA attack. They are found in the Auth0 tenant logs.
| Log Event Type | Description |
|---|---|
| gd_auth_failed | Multi-factor authentication failed. This can be a system failure or a user entering an incorrect code when using SMS, voice, email or TOTP as an MFA factor. Frequent failures for one user or from one IP can indicate an attack (OTP guessing) or an MFA misconfiguration. |
| gd_auth_fail_email_verification | Email verification failed. A high frequency of this event type can indicate malicious activity or tenant misconfiguration. |
| gd_auth_rejected, gd_send_pn and gd_send_pn_failure | Frequent push notifications to the same user, pushes that are never answered, and pushes the user explicitly rejects can indicate an MFA fatigue attack (MITRE ATT&CK T1621). |
| gd_otp_rate_limit_exceed | Too many MFA failures over a short period of time triggered the rate limit. This can indicate automated attacks. |
| gd_recovery_failed | Repeated MFA recovery failures can indicate attacker attempts to circumvent or replace additional authentication factors. |
| gd_send_sms, gd_send_sms_failure, gd_send_voice, and gd_send_voice_failure | A high frequency of these events, especially from a single IP or to many distinct phone numbers, can indicate SMS pumping or toll fraud attacks. It can also indicate attempts to circumvent SMS/voice as a factor. |
| gd_unenroll | Large scale MFA device unenrollment can indicate a successful account takeover campaign, as attackers remove the victim's factors and replace them with their own. |
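The following is an added triage script, not Auth0 code and not part of the original playbook. It applies the heuristics from the table above to a batch of tenant log records and reports which user, IP or tenant-wide pattern crossed a threshold. It assumes each record is a dict carrying the `type`, `date`, `user_id` and `ip` fields that the Auth0 Management API returns from `/api/v2/logs`; the sample events and all thresholds are constructed assumptions to tune against your own tenant's baseline.

```python
"""Triage MFA-related Auth0 tenant log events for the attack patterns above.

Added example, not Auth0 code. Log records are assumed to be dicts with the
``type``, ``date``, ``user_id`` and ``ip`` fields returned by the Auth0
Management API (/api/v2/logs). Sample data and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumptions, not Auth0 defaults): counts within WINDOW.
WINDOW = timedelta(minutes=10)
PUSH_FLOOD = 5          # pushes sent to one user
OTP_FAILURES = 5        # gd_auth_failed / email verification failures for one user
SMS_SENDS_PER_IP = 10   # SMS or voice sends originating from one IP
RECOVERY_FAILURES = 3   # gd_recovery_failed for one user
MASS_UNENROLL = 5       # distinct users unenrolling a factor, tenant-wide

SMS_VOICE = {"gd_send_sms", "gd_send_sms_failure",
             "gd_send_voice", "gd_send_voice_failure"}


def parse_date(value):
    """Auth0 dates are ISO 8601 with a trailing Z; older Pythons need +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(events, window=WINDOW):
    """Keep only the events that fall within `window` of the newest event."""
    if not events:
        return []
    newest = max(parse_date(e["date"]) for e in events)
    return [e for e in events if newest - parse_date(e["date"]) <= window]


def triage(events):
    """Return (pattern, subject, detail) findings for one window of events."""
    events = sorted(in_window(events), key=lambda e: e["date"])
    findings = []

    by_user = defaultdict(list)
    for e in events:
        by_user[e.get("user_id", "")].append(e)

    for user, evs in by_user.items():
        types = Counter(e["type"] for e in evs)
        # MFA fatigue (T1621): a burst of pushes that are mostly unanswered,
        # or that the user has started to reject outright. Any gd_auth_*
        # event after a push counts as the user having answered it.
        pushes = types["gd_send_pn"]
        answered = sum(c for t, c in types.items() if t.startswith("gd_auth_"))
        if pushes >= PUSH_FLOOD and (answered < pushes // 2 or types["gd_auth_rejected"]):
            findings.append(("mfa_fatigue", user,
                             f"{pushes} pushes, {answered} answered, "
                             f"{types['gd_auth_rejected']} rejected"))
        # Code guessing: many wrong codes, or Auth0 already rate-limited the user.
        fails = types["gd_auth_failed"] + types["gd_auth_fail_email_verification"]
        if fails >= OTP_FAILURES or types["gd_otp_rate_limit_exceed"]:
            findings.append(("otp_guessing", user,
                             f"{fails} failures, rate limit hit: "
                             f"{bool(types['gd_otp_rate_limit_exceed'])}"))
        # Attempts to bypass or replace the second factor via recovery.
        if types["gd_recovery_failed"] >= RECOVERY_FAILURES:
            findings.append(("recovery_abuse", user,
                             f"{types['gd_recovery_failed']} recovery failures"))

    # SMS pumping / toll fraud: one IP driving many SMS or voice sends,
    # typically spread across many accounts or phone numbers.
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] in SMS_VOICE:
            by_ip[e.get("ip", "")].append(e)
    for ip, evs in by_ip.items():
        if len(evs) >= SMS_SENDS_PER_IP:
            users = {e.get("user_id") for e in evs}
            findings.append(("sms_pumping", ip,
                             f"{len(evs)} SMS/voice sends across {len(users)} users"))

    # Account takeover campaign: many users losing factors in one window.
    unenrolled = {e.get("user_id") for e in events if e["type"] == "gd_unenroll"}
    if len(unenrolled) >= MASS_UNENROLL:
        findings.append(("mass_unenroll", "tenant",
                         f"{len(unenrolled)} users unenrolled"))
    return findings


def _ev(event_type, hhmmss, user, ip):
    """Build a constructed log record in the Auth0 field shape (sample data)."""
    return {"type": event_type, "date": f"2024-01-15T{hhmmss}.000Z",
            "user_id": user, "ip": ip}


# Constructed sample batch: a push flood, a code-guessing run, an SMS pumping
# source, and one benign user who received a single push.
SAMPLE_EVENTS = (
    [_ev("gd_send_pn", f"10:0{m}:00", "auth0|victim", "198.51.100.7") for m in range(6)]
    + [_ev("gd_auth_rejected", "10:05:30", "auth0|victim", "198.51.100.7")]
    + [_ev("gd_send_sms", f"10:02:{i:02d}", f"auth0|u{i}", "203.0.113.9") for i in range(12)]
    + [_ev("gd_auth_failed", f"10:03:{i:02d}", "auth0|alice", "192.0.2.4") for i in range(5)]
    + [_ev("gd_send_pn", "10:04:00", "auth0|bob", "192.0.2.5")]
)

if __name__ == "__main__":
    for pattern, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{pattern:14} {subject:16} {detail}")
```

Run against a real export, feed `triage` the records for one sliding window at a time; the thresholds deliberately sit above what a single confused user generates, so tune them from a week of benign logs before alerting on them. Every finding names the subject (user, IP or tenant), which is what you need to pivot into the full log stream for that entity.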
Mitigation strategies
The following are example responses to attacks against MFA:
- Migrate to stronger MFA factors: replace SMS/voice-based MFA with TOTP or WebAuthn, which removes the SMS pumping and toll fraud surface entirely (WebAuthn also resists phishing of the code).
- Harden your SMS/voice provider: if you keep SMS/voice MFA, enable provider-side fraud protection such as Twilio's Preventing Fraud in Verify.
- Limit MFA fatigue: enforce push notification rate limits so a user cannot be flooded with prompts, and treat a run of unanswered or rejected pushes for one user as a signal to investigate.