Comment on page

MFA Flood

Detects potential MFA flood attacks. After attackers acquire account credentials, they may abuse the automatic generation of push notifications to MFA services (such as Duo Push, Microsoft Authenticator, Okta) to have the user grant access to their account.
A user will fail this check if they have failed 5 or more authentications within a 1 minute timeframe.
Recommended Actions
Check with the user if the failed login attempts were initiated by the user.
Check for suspicious access to applications in the period after the MFA flood attack.
Check if the username was in any known data breaches and update the account password if needed.
Default Check Settings
Number of failed authentications:5
Timeframe minutes:1