Oort Knowledge Base

MFA Dashboard


Last updated 2 months ago

It is often difficult for organizations to understand the full picture of their end users' multi-factor authentication (MFA) behavior. Collecting and analyzing MFA data across multiple identity sources to identify gaps in coverage, spot unintended user behaviors, and report on internal MFA rollouts or initiatives can be a difficult process that is sometimes needed on a recurring basis. Identity teams are then left gluing together different reports in a very time-consuming and manual way, just to make simple reports and visualizations that can be used to share updates with different internal stakeholders.

The MFA tab in the Identity Intelligence Dashboard aims to make this type of tracking and reporting easier with some pre-made widgets that provide insight into the MFA and Passwordless enrollment and usage activity across your connected identity sources, allowing you to quickly identify gaps and trends in adoption, which can contribute to potential security risks.

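The MFA Dashboard displays metrics and visualizations on areas of interest including:

  • MFA Hygiene and Threats

  • Factor Usage and Enrollment

  • Passwordless Usage and Enrollment

For information on functionality that exists across all Dashboard tabs, please refer back to our Dashboard documentation.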

MFA Metrics

Purpose & Benefit: All organizations have an urgent need to understand their MFA posture across their various IAM platforms. These widgets provide current stats on coverage and trends of key MFA metrics.

There are 3 widgets, separated by theme, that provide key metrics around MFA hygiene and threats:

  • Priority Accounts - allows you to better understand the MFA adoption gaps for critical accounts (Admins and VIPs) in your organization that should be addressed immediately. Read more about priority accounts in our documentation.

  • MFA Hygiene - highlights key MFA posture issues across your entire environment to help you prioritize and identify users to take action on so that you can reduce the risk of account compromise.

  • MFA Threats - surfaces risky behavior related to MFA adoption that should be investigated and remediated.

Selecting any of these numbers will take you to the corresponding Check Details page or to a pre-filtered Users page for further investigation on the specific users making up each value.

Factor Usage and Enrollment

When it comes to MFA Adoption, it is crucial to understand both enrollment AND usage patterns within your organization to be able to tell the full story.

Enrollment is Step 1, but it is not enough for a user to simply enroll an MFA factor. They also need to get to Step 2 - using their factors regularly to ensure they are securely authenticating into your environment.

Many organizations can have near-perfect MFA enrollment across their user base, but when they look into it, they see that the MFA usage numbers do not match. Other organizations will swear that they have completely blocked the use of weak MFA factors like SMS and phone calls, but when they look into it, they see that there are still users actively utilizing these factors regularly. These examples, and many others like them, often indicate a configuration issue that must be addressed, which is why it is important to look at the holistic picture of enrollment and usage to get the most accurate sense of an organization's MFA adoption.

The MFA Dashboard tab has a few widgets to help understand current usage, as well as enrollment trends over time.

Factor usage by NIST assurance levels

Hovering over a segment in the pie chart will display a tool tip with the given assurance level and the count of users making up that segment.

MFA Enrollment

Hovering over any item in the graph will display a tool tip with the month and the count of users who enrolled a factor for each assurance level.

By default, this graph will show the MFA Enrollment metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see blank months in the past, which reflects that Identity Intelligence was not yet collecting data for these months (for example, newly created tenants or tenants that existed before this feature was released).

MFA Factors: In Use vs Unused

Purpose & Benefit: Quickly assess and compare the status of enrolled and in-use MFA factors and track migrations to stronger factors or other MFA usage anomalies.

An enabled factor is one that is available on a user's account and could be used (i.e., the user has enrolled this factor in their account) but is not necessarily being used. In-use factors are those that have been used in the last 30 days. All in-use factors are enabled factors, but not all enabled factors are in use.

The MFA Factors: In Use vs Unused graph provides a visualization of the total count of users per MFA factor, broken down by factors enabled versus in use, and color coded by factor assurance level. It helps you better understand which MFA factor types are most frequently configured and used across your organization, identify any unexpected behavior, and highlight users who could be utilizing more secure methods but are not.

Hovering over any item in the graph will display a tool tip with the factor name, assurance level, count of users using a given factor, count of users enabled but not using a given factor, and the total count of users enabled with this factor (i.e., in use + unused users). Selecting a given segment (enabled but unused or in use) of one of the bars in this visualization will take you to the Users page, pre-filtered for that specific factor type and usage type.

By default, this widget is filtered to show In use and Enabled but unused Factor data. However, you can also use the available filter to change the graph to see either In Use factors only or Enabled but unused factors only. Selecting a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

Passwordless Usage and Enrollment

The MFA Dashboard also has widgets that look specifically at passwordless adoption trends to help organizations understand the progress made, as well as any areas that are lagging behind expected adoption levels. Passwordless MFA methods are considered the most secure method for authentication as they are much more difficult for bad actors to compromise.

Like with general MFA Adoption, for a successful passwordless rollout, organizations need to compare passwordless factor enrollment rates to passwordless usage rates to get a full understanding of their organization's adoption and progress. If users have enrolled these more secure factors but continue to utilize weaker factors to authenticate, the organization has not successfully deployed passwordless.

Passwordless Enrollment

Similar to the general MFA Enrollment widget, the Passwordless Enrollment widget helps visualize the first step of any passwordless rollout project - user enrollment - and how the numbers change over time throughout the rollout. A user must enroll a passwordless authentication factor to be reflected in this graph.

Hovering over any item in the graph will display a tool tip with the month, the count of users who enrolled a passwordless factor, and the count of users who did not enroll a passwordless factor.

By default, this widget is filtered to show the number of users who have enrolled in any factor that is considered passwordless. However, you can also use the available filter to change the graph to see the enrollment numbers for specific passwordless factors that your users have enrolled in.

Selecting a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

By default, this graph will show the Passwordless Enrollment metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see blank months in the past, which reflects that Identity Intelligence was not yet collecting data for these months (for example, newly created tenants or tenants that existed before this feature was released).

Passwordless Adoption

The Passwordless Adoption widget helps visualize the second step of any passwordless rollout project - passwordless usage - and how the numbers change over time throughout the rollout. It is important to understand the volume of authentications that utilize a passwordless method compared to non-passwordless methods to identify if users are actually adopting the new, more secure methods, or if they continue to utilize old methods out of habit or because they are not being forced to move over.

Passwordless auths refers to active authentications done by an end user, utilizing a passwordless method. Non-passwordless auths refers to all other active authentications done by an end user using other factors that are not passwordless. Non-active authentications, where the user is NOT prompted to authenticate, are not included in either category (for example, auths via remembered devices or sessions).

Hovering over any item in the graph will display a tool tip with the month, the percentage of active authentications that used a passwordless factor, and the percentage of active authentications that used a non-passwordless factor.

Selecting a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

By default, this graph will show the Passwordless Adoption metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see months in the past which show 100% for non-passwordless auths, which may reflect that Identity Intelligence was not yet collecting data for these months (for example, newly created tenants or tenants that existed before this feature was released).
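The enrollment-versus-usage comparison and the active-authentication definitions above can be reproduced over your own exported sign-in data. The following is an added example, not Identity Intelligence code or its API: the event fields, the `PASSWORDLESS` factor set and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: factor names treated as passwordless (not the product's own list).
PASSWORDLESS = {"webauthn", "passkey"}

# Constructed sample sign-in events: (user, ISO timestamp, factor, active).
# active=False models an auth where the user was not prompted (remembered
# device or session); such events are excluded from both categories.
EVENTS = [
    ("alice", "2024-04-03T09:00:00", "webauthn", True),
    ("alice", "2024-05-10T09:00:00", "webauthn", True),
    ("bob",   "2024-04-04T10:00:00", "sms",      True),
    ("bob",   "2024-05-11T10:00:00", "sms",      True),
    ("bob",   "2024-05-12T10:00:00", "session",  False),
    ("carol", "2024-05-13T11:00:00", "push",     True),
    ("carol", "2024-05-20T11:00:00", "passkey",  True),
    ("dave",  "2024-05-21T12:00:00", "push",     True),
]

# Constructed enrollment snapshot: user -> factors enabled on the account.
ENROLLED = {
    "alice": {"webauthn"},
    "bob":   {"sms", "webauthn"},
    "carol": {"push", "passkey"},
    "dave":  {"push"},
}


def monthly_adoption(events):
    """Return month -> (% passwordless, % non-passwordless) of active auths."""
    counts = defaultdict(lambda: [0, 0])  # month -> [passwordless, other]
    for _user, ts, factor, active in events:
        if not active:
            continue  # non-active auths count toward neither category
        counts[ts[:7]][0 if factor in PASSWORDLESS else 1] += 1
    return {
        month: (round(100 * p / (p + n), 1), round(100 * n / (p + n), 1))
        for month, (p, n) in sorted(counts.items())
    }


def lagging_users(enrolled, events, now, window_days=30):
    """Users with a passwordless factor enrolled who still made active
    non-passwordless auths in the window.

    Returns user -> (passwordless auths, non-passwordless auths).
    """
    cutoff = now - timedelta(days=window_days)
    tally = defaultdict(lambda: [0, 0])
    for user, ts, factor, active in events:
        when = datetime.fromisoformat(ts)
        if not active or not (cutoff <= when <= now):
            continue
        tally[user][0 if factor in PASSWORDLESS else 1] += 1
    return {
        user: (p, n)
        for user, (p, n) in sorted(tally.items())
        if enrolled.get(user, set()) & PASSWORDLESS and n > 0
    }


if __name__ == "__main__":
    print(monthly_adoption(EVENTS))
    print(lagging_users(ENROLLED, EVENTS, datetime(2024, 6, 1)))
```

A user with a count of (0, n) has enrolled a passwordless factor but never uses it, while (p, n) with both values above zero shows mixed use, which often points to a policy that still permits the weaker factor.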

Sensitive App Authentication

When going through passwordless deployments, many organizations choose to start by enforcing these factor methods on the applications that are most critical to the business to ensure that the applications are well protected.

With the Sensitive App Authentication widget, it is now much easier to understand how often these applications are being accessed using passwordless methods and how often they are not, so that you can track adoption progress and remediate any gaps that are allowing non-passwordless authentications.

This widget shows authentication data for these apps over the last 30 days. It uses the same definitions for passwordless auths and non-passwordless auths as the Passwordless Adoption widget. Please refer to the documentation above for that widget to read the definitions.

Hovering over any item in the graph will display a tool tip with the application name, the count of active passwordless authentications and the count of active non-passwordless authentications.

Selecting a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

Note: This widget only displays a maximum of 10 sensitive applications. If there are more than 10 sensitive apps configured for your organization, the widget will display the 10 applications that have the highest number of total authentications.

If you have not configured any sensitive applications for your organization, we recommend reading the documentation that explains how to do so, so that you can add in important applications for your organization. Configuring your sensitive apps list is important as this info is re-used in many ways across Identity Intelligence and will impact the data and results the platform provides.

The Factor usage by NIST assurance levels pie chart displays a breakdown of all factor usage per user, categorized by NIST Assurance Level, over the last 30 days. For example, in the screenshot below, we can see that 29 users have used a Medium assurance factor at least 1 time over the last 30 days.

The MFA Enrollment bar graph provides a look into MFA enrollment trends over time, categorized by NIST Assurance Level. A user must enroll an MFA method to be reflected in this graph.
