Find log events of interest
The following log event types are relevant when investigating an MFA attack. They are found in the Auth0 tenant logs.

Log Event Type | Description |
---|---|
gd_auth_failed | Multi-factor authentication failed. This could be a system failure or could be a user’s incorrect code entry when they used SMS/voice/email/TOTP as an MFA factor. Frequent failures indicate an attack or an MFA misconfiguration. |
gd_auth_fail_email_verification | A high frequency of failed email verification events can indicate malicious activity or tenant misconfiguration. |
gd_auth_rejected, gd_send_pn, and gd_send_pn_failure | Frequent push events and push events without responses can indicate MFA fatigue attacks (T1621). |
gd_otp_rate_limit_exceed | Too many MFA failures over a short period of time can indicate automated attacks. |
gd_recovery_failed | Repeated MFA recovery failures can indicate attacker attempts to circumvent or replace additional authentication factors. |
gd_send_sms, gd_send_sms_failure, gd_send_voice, and gd_send_voice_failure | A high frequency of these events indicates SMS pumping or toll fraud attacks. It can also indicate attempts to circumvent SMS/voice as a factor. |
gd_unenroll | Large-scale MFA device disenrollment can indicate successful account takeover campaigns. |
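
One way to turn the "frequent" and "high frequency" signals in the table into a check is a sliding-window count per user or source IP. This is an added example, not Auth0 code: it assumes each exported log entry is a dict with `date`, `type`, `user_id` and `ip` fields, and the rule names, grouping keys, window and thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types are from the table above. Rule names, grouping keys, the
# 10-minute window and the thresholds are assumptions to tune per tenant.
WINDOW = timedelta(minutes=10)
RULES = {  # rule name: (log field to group by, event types, threshold)
    "push_fatigue": ("user_id", {"gd_send_pn", "gd_send_pn_failure", "gd_auth_rejected"}, 5),
    "mfa_failures": ("user_id", {"gd_auth_failed", "gd_otp_rate_limit_exceed"}, 5),
    "recovery_abuse": ("user_id", {"gd_recovery_failed"}, 3),
    "sms_voice_volume": ("ip", {"gd_send_sms", "gd_send_sms_failure",
                                "gd_send_voice", "gd_send_voice_failure"}, 10),
}

def parse_date(value):
    # Log dates are ISO 8601 with a trailing "Z"; normalise for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_bursts(events, rules=RULES, window=WINDOW):
    """Return sorted (rule, key) pairs that reached a threshold inside any window."""
    recent = defaultdict(deque)   # (rule, key) -> timestamps still inside the window
    hits = set()
    for ev in sorted(events, key=lambda e: parse_date(e["date"])):
        ts = parse_date(ev["date"])
        for name, (field, types, threshold) in rules.items():
            if ev["type"] not in types:
                continue
            key = (name, ev.get(field, "unknown"))
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop events older than the window
                q.popleft()
            if len(q) >= threshold:
                hits.add(key)
    return sorted(hits)

def sample_events():
    """Constructed log entries for illustration, not real tenant data."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    def ev(seconds, typ, user, ip):
        date = (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        return {"date": date, "type": typ, "user_id": user, "ip": ip}
    events = [ev(i * 30, "gd_send_pn", "auth0|alice", "198.51.100.10") for i in range(4)]
    events.append(ev(130, "gd_auth_rejected", "auth0|alice", "198.51.100.10"))
    events += [ev(i * 20, "gd_send_sms", f"auth0|u{i}", "203.0.113.7") for i in range(10)]
    events += [ev(i * 3600, "gd_auth_failed", "auth0|bob", "198.51.100.20") for i in range(6)]
    return events

if __name__ == "__main__":
    print(find_bursts(sample_events()))
```

SMS and voice sends are grouped by source IP rather than by user because the table's SMS pumping signal is about overall send volume, which can be spread across many accounts; the hourly failures for the third constructed user never share a window and are not flagged.
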
Mitigation strategies
The following are example responses to attacks against MFA:

- Migrate to stronger MFA options by replacing SMS/voice-based MFA with OTP or WebAuthn to mitigate SMS pumping or toll fraud attacks.
- Enhance SMS/voice provider security by implementing fraud protection like Twilio’s Preventing Fraud in Verify when using SMS/voice MFA.
- Avoid MFA fatigue by enforcing push notification rate limits.