# MFA Flood

Detects potential MFA flood attacks. After attackers acquire account credentials, they may abuse the automatic generation of push notifications to MFA services (such as Duo Push, Microsoft Authenticator, Okta) to have the user grant access to their account.&#x20;

A user will fail this check if they have failed 5 or more authentications within a 1 minute timeframe.

<br>

**Recommended Actions**

Check with the user if the failed login attempts were initiated by the user.

Check for suspicious access to applications in the period after the MFA flood attack.

Check if the username was in any known data breaches and update the account password if needed.

**Default Check Settings**

Number of failed authentications:5

Timeframe minutes:1

**Compatibility**

[Duo](/integrations/duo-security-integration.md)

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

<figure><img src="/files/Q5qi3u2JyoQggPLT80mB" alt=""><figcaption></figcaption></figure>

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-threat-detection-insights/mfa-flood.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.