# MFA Flood

Detects potential MFA flood attacks. After attackers acquire account credentials, they may abuse the automatic generation of push notifications by MFA services (such as Duo Push, Microsoft Authenticator, or Okta) in an attempt to get the user to grant access to their account.

A user will fail this check if they have failed 5 or more authentications within a 1-minute timeframe.


**Recommended Actions**

Check with the user if the failed login attempts were initiated by the user.

Check for suspicious access to applications in the period after the MFA flood attack.

Check if the username was in any known data breaches and update the account password if needed.

**Default Check Settings**

Number of failed authentications: 5

Timeframe (minutes): 1
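The rule with these default settings, written as a sliding-window check over authentication events. This is an added example, not Oort's implementation: the `(timestamp, user, outcome)` event shape, the function name `find_mfa_floods`, the window boundary handling and the sample events are all assumptions made for illustration. It also records whether a successful login followed the flood, which is what the second recommended action asks the analyst to review.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults taken from "Default Check Settings" on this page.
FAILED_AUTH_THRESHOLD = 5
TIMEFRAME = timedelta(minutes=1)

def find_mfa_floods(events, threshold=FAILED_AUTH_THRESHOLD, timeframe=TIMEFRAME):
    """Return {user: {"flagged_at": datetime, "success_after": bool}}.

    events: iterable of (iso_timestamp, user, outcome) tuples with outcome
    "FAILURE" or "SUCCESS" (a normalized shape assumed for this example).
    """
    parsed = sorted((datetime.fromisoformat(ts), u, o) for ts, u, o in events)
    windows = defaultdict(deque)  # user -> failure times still inside the window
    flagged = {}
    for now, user, outcome in parsed:
        if outcome == "SUCCESS" and user in flagged:
            # A success after the flood may mean a prompt was approved.
            flagged[user]["success_after"] = True
        if outcome != "FAILURE":
            continue
        window = windows[user]
        window.append(now)
        # Assumption: failures exactly `timeframe` apart still share a window.
        while now - window[0] > timeframe:
            window.popleft()
        if len(window) >= threshold and user not in flagged:
            flagged[user] = {"flagged_at": now, "success_after": False}
    return flagged

def _ev(user, outcome, *seconds):
    """Build constructed sample events at offsets (seconds) from 09:00:00."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    return [((base + timedelta(seconds=s)).isoformat(), user, outcome) for s in seconds]

# Constructed sample data, not real logs.
SAMPLE_EVENTS = (
    _ev("alice", "FAILURE", 0, 8, 15, 24, 31, 40) + _ev("alice", "SUCCESS", 52)
    + _ev("bob", "FAILURE", 0, 30, 70, 110, 150)   # 5 failures, but spread out
    + _ev("carol", "FAILURE", 5, 10, 15, 20)       # burst, but only 4 failures
)

if __name__ == "__main__":
    for user, hit in find_mfa_floods(SAMPLE_EVENTS).items():
        print(user, hit["flagged_at"].isoformat(), "success after:", hit["success_after"])
```

Only `alice` fails the check in the sample: `bob` has five failures but never five inside one minute, and `carol` stays under the threshold.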

**Compatibility**

[Duo](https://docs.oort.io/integrations/duo-security-integration)

[Microsoft Entra ID](https://docs.oort.io/integrations/azure-active-directory-integration)

[Okta](https://docs.oort.io/integrations/okta-data-integration)

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F8FCv9PlM9VWnEFBdnnbc%2FMFA%20Flood.png?alt=media&#x26;token=1ab60389-3d9f-4346-9820-65ef56222492" alt=""><figcaption></figcaption></figure>

