For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-oda.md. A documentation index is available at /llms.txt.

Okta MFA device assigned to multiple users

Goal

Detects when the same device is registered as an MFA factor for multiple Okta user accounts within a short period.

Strategy

This rule monitors Okta logs for successful device.user.add events and counts the distinct users (@usr.email) enrolled on the same device (@target.id) within the detection window. An MFA device should be unique to a single user, so a device enrolled across several accounts is a strong indication that one person who already holds access to those accounts has registered a device under their control as a shared authentication factor. Such a device grants persistent access to every enrolled account through a single MFA factor and defeats the per-user identity verification that MFA is meant to provide. Legitimate exceptions exist (for example, a hardware token shared within a test environment), so the triage steps below check for a valid relationship between the accounts before treating the signal as compromise. The detection pattern is detailed by the team at Okta in their public repository.

Triage and response

  • Identify the device registered under {{@target.id}} and determine its type, such as a phone, hardware token, or authenticator app.
  • Review the list of user accounts that had the device added and assess whether these accounts share a legitimate relationship, such as a shared service account or test environment.
  • Examine the actor on each device.user.add event to determine whether a single actor enrolled the device across all affected accounts, and whether that actor holds the privileges needed to modify other users' factors.
  • Check whether the affected user accounts show other signs of compromise, such as password resets, new session activity, or logins from unfamiliar locations.
  • Determine whether any of the affected accounts have elevated privileges, such as administrative roles, that would increase the impact of unauthorized access.
  • Remove the shared device from all affected accounts and require each user to re-enroll their own individual MFA factor.
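The following is an added example, written for this page and not part of Datadog's or Okta's rule code, showing the strategy above run offline over constructed Okta System Log style records, and producing the per-device list of enrolled users and enrolling actors that the triage steps ask for. It assumes that a successful device.user.add entry has eventType "device.user.add", outcome.result "SUCCESS", a target entry of type "Device" (the @target.id the rule keys on) and a target entry of type "User" whose alternateId is the e-mail mapped to @usr.email; the threshold, the one-hour window and all device IDs, e-mail addresses and timestamps are made up for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: alert once this many distinct users share one
# device inside the sliding window. Tune both to your environment.
THRESHOLD = 3
WINDOW = timedelta(hours=1)

# Constructed sample log lines in the shape of Okta System Log events.
# Device IDs, users, actors and timestamps are fictional.
def _event(ts, device_id, user, actor, result="SUCCESS", event_type="device.user.add"):
    return json.dumps({
        "eventType": event_type,
        "published": ts,
        "outcome": {"result": result},
        "actor": {"alternateId": actor, "type": "User"},
        "target": [
            {"id": device_id, "type": "Device", "displayName": "iPhone"},
            {"id": "00u-" + user.split("@")[0], "type": "User", "alternateId": user},
        ],
    })

SAMPLE_LOG_LINES = [
    # Device A: one admin enrolls three different users within 20 minutes.
    _event("2024-05-01T09:00:00Z", "dev-aaaa0001", "alice@example.com", "okta-admin@example.com"),
    _event("2024-05-01T09:05:00Z", "dev-aaaa0001", "bob@example.com", "okta-admin@example.com"),
    _event("2024-05-01T09:07:00Z", "dev-aaaa0001", "frank@example.com", "okta-admin@example.com", result="FAILURE"),
    _event("2024-05-01T09:20:00Z", "dev-aaaa0001", "carol@example.com", "okta-admin@example.com"),
    # Device B: three users in total, but the third enrollment is hours later.
    _event("2024-05-01T09:30:00Z", "dev-bbbb0002", "dave@example.com", "dave@example.com"),
    _event("2024-05-01T09:45:00Z", "dev-bbbb0002", "erin@example.com", "erin@example.com"),
    _event("2024-05-01T14:00:00Z", "dev-bbbb0002", "ivan@example.com", "ivan@example.com"),
    # Unrelated event type that the rule must ignore.
    _event("2024-05-01T09:50:00Z", "dev-cccc0003", "grace@example.com", "grace@example.com", event_type="user.session.start"),
]


def parse_event(line):
    """Return the fields the rule needs from one successful device.user.add line, else None."""
    e = json.loads(line)
    if e.get("eventType") != "device.user.add":
        return None
    if e.get("outcome", {}).get("result") != "SUCCESS":
        return None
    targets = e.get("target", [])
    device = next((t for t in targets if t.get("type") == "Device"), None)
    user = next((t for t in targets if t.get("type") == "User"), None)
    if device is None or user is None:
        return None
    return {
        "ts": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
        "device_id": device["id"],
        "user_email": user.get("alternateId"),
        "actor": e.get("actor", {}).get("alternateId"),
    }


def detect_shared_devices(lines, threshold=THRESHOLD, window=WINDOW):
    """Map device_id -> finding for every device enrolled by >= threshold distinct users within window."""
    events = [ev for ev in (parse_event(line) for line in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent_by_device = defaultdict(list)
    findings = {}
    for ev in events:
        # Keep only enrollments that fall inside the sliding window ending at this event.
        cutoff = ev["ts"] - window
        history = [h for h in recent_by_device[ev["device_id"]] if h["ts"] >= cutoff]
        history.append(ev)
        recent_by_device[ev["device_id"]] = history
        users = {h["user_email"] for h in history}
        if len(users) >= threshold:
            findings[ev["device_id"]] = {
                "users": sorted(users),
                # Distinct enrolling actors: a single actor across all users is the key triage signal.
                "actors": sorted({h["actor"] for h in history if h["actor"]}),
                "first_seen": history[0]["ts"].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for device_id, finding in detect_shared_devices(SAMPLE_LOG_LINES).items():
        print(device_id, json.dumps(finding, indent=2))
```

With the default settings only dev-aaaa0001 is reported, with three users and a single enrolling actor; dev-bbbb0002 stays quiet because its third enrollment falls outside the one-hour window, which is exactly the case a longer window or a lower threshold would surface, so pick both deliberately rather than inheriting defaults.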