MFA Playbook

Attackers can exploit and misuse multi-factor authentication (MFA) prompts and alerts to gain access to your systems. Below are some common MFA attack vectors and guidance on how to investigate them.

Find log events of interest

The following log event types are relevant when investigating an MFA attack. They are found in the Auth0 tenant logs.

| Log Event Type | Description |
| --- | --- |
| gd_auth_failed | Multi-factor authentication failed. This could be a system failure or a user's incorrect code entry when they used SMS/voice/Email/TOTP as an MFA factor. Frequent failures indicate an attack or an MFA misconfiguration. |
| gd_auth_fail_email_verification | A high frequency of email verification failed log event types can indicate malicious activity or tenant misconfiguration. |
| gd_auth_rejected, gd_send_pn and gd_send_pn_failure | Frequent push events and push events without responses can indicate MFA fatigue attacks (T1621). |
| gd_otp_rate_limit_exceed | Too many MFA failures over a short period of time can indicate automated attacks. |
| gd_recovery_failed | Repeated MFA recovery failures can indicate attacker attempts to circumvent or replace additional authentication factors. |
| gd_send_sms, gd_send_sms_failure, gd_send_voice, and gd_send_voice_failure | A high frequency of these events indicates SMS pumping or toll fraud attacks. It can also indicate attempts to circumvent SMS/voice as a factor. |
| gd_unenroll | Large-scale MFA device unenrollment can indicate successful account takeover campaigns. |
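As an added example (not Auth0's code and not part of the original playbook), the following Python sweeps Auth0-style tenant log records for the event types in the table above and flags a user or source IP whose count of one event family crosses a threshold inside a sliding window. The record fields `type`, `date`, `user_id` and `ip` follow the Auth0 log schema; the window length, the thresholds and the sample records are constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event families from the table above and a constructed threshold per family
# for a 10-minute window (the counts are assumptions for this demo).
RULES = {
    "mfa_failures": ({"gd_auth_failed", "gd_auth_fail_email_verification"}, 5),
    "push_fatigue": ({"gd_send_pn", "gd_send_pn_failure", "gd_auth_rejected"}, 5),
    "sms_voice_pumping": ({"gd_send_sms", "gd_send_sms_failure",
                           "gd_send_voice", "gd_send_voice_failure"}, 10),
    "recovery_abuse": ({"gd_recovery_failed"}, 3),
    "otp_rate_limited": ({"gd_otp_rate_limit_exceed"}, 1),
}
WINDOW = timedelta(minutes=10)

def parse_date(value):
    # Auth0 log "date" values look like 2024-01-15T10:00:00.000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def flag_mfa_activity(events, rules=RULES, window=WINDOW):
    """Map (rule, subject) -> peak in-window count for subjects that hit a threshold.
    The subject is the user_id when present, otherwise the source ip."""
    timestamps = defaultdict(list)
    for ev in events:
        subject = ev.get("user_id") or ev.get("ip")
        for rule, (types, _) in rules.items():
            if ev["type"] in types:
                timestamps[(rule, subject)].append(parse_date(ev["date"]))
    alerts = {}
    for (rule, subject), times in timestamps.items():
        threshold = rules[rule][1]
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[(rule, subject)] = max(alerts.get((rule, subject), 0), count)
    return alerts

def sample_events():
    """Constructed Auth0-style tenant log records, not real tenant data."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    fmt = lambda m: (base + timedelta(minutes=m)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    push = [{"type": "gd_send_pn", "date": fmt(m), "user_id": "auth0|victim", "ip": "203.0.113.5"}
            for m in range(6)]                   # six pushes in six minutes, none answered
    one_fail = [{"type": "gd_auth_failed", "date": fmt(0), "user_id": "auth0|normal", "ip": "198.51.100.7"}]
    sms = [{"type": "gd_send_sms", "date": fmt(m), "ip": "192.0.2.9"} for m in range(12)]
    return push + one_fail + sms
```

Running `flag_mfa_activity(sample_events())` flags the push burst against `auth0|victim` and the SMS burst from `192.0.2.9`, while the single failed code entry for `auth0|normal` stays below threshold.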

Mitigation strategies

The following are example responses to attacks against MFA:

  • Migrate to stronger MFA options by replacing SMS/voice-based MFA with OTP or WebAuthn to mitigate SMS pumping or toll fraud attacks.

  • Enhance SMS/voice provider security by implementing fraud protection, such as Twilio's Preventing Fraud in Verify guidance, when using SMS/voice MFA.

  • Avoid MFA fatigue by enforcing push notification rate limits.