---
title: Okta MFA device assigned to multiple users
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Okta MFA device assigned to multiple
  users
---

# Okta MFA device assigned to multiple users
Classification: attackTactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003) Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)
## Goal{% #goal %}

Detects when the same device is registered as an MFA factor for multiple Okta user accounts within a short period.

## Strategy{% #strategy %}

This rule monitors Okta logs for successful `device.user.add` events and tracks the number of distinct users (`@usr.email`) associated with the same device (`@target.id`). An MFA device should be unique to a single user. When the same device is enrolled across multiple accounts, it indicates that someone with access to those accounts is registering a single device they control as a shared authentication factor. This technique allows persistent access to all enrolled accounts through a single MFA device, bypassing the identity verification that MFA is designed to enforce. The detection pattern is detailed by the team at [Okta](https://github.com/okta/customer-detections) in their public repository.
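As an added illustration of the detection logic (this is not the Datadog rule's own code), the Python below groups successful `device.user.add` events by `@target.id` and flags a device when at least two distinct `@usr.email` values enroll it within a sliding window. The events, the flattened field names, the one-hour window and the two-user threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta System Log events, flattened to the attributes the rule
# uses (@usr.email, @target.id). Not real customer data.
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "eventType": "device.user.add",
     "outcome": "SUCCESS", "usr.email": "alice@example.com", "target.id": "dev-0001"},
    {"ts": "2024-05-01T10:03:00Z", "eventType": "device.user.add",
     "outcome": "SUCCESS", "usr.email": "bob@example.com", "target.id": "dev-0001"},
    # Failed enrollment: must not count toward the distinct-user total.
    {"ts": "2024-05-01T10:05:00Z", "eventType": "device.user.add",
     "outcome": "FAILURE", "usr.email": "carol@example.com", "target.id": "dev-0001"},
    {"ts": "2024-05-01T10:06:00Z", "eventType": "device.user.add",
     "outcome": "SUCCESS", "usr.email": "dave@example.com", "target.id": "dev-0001"},
    # Two users on one device but a day apart: outside the window, no alert.
    {"ts": "2024-05-01T11:00:00Z", "eventType": "device.user.add",
     "outcome": "SUCCESS", "usr.email": "erin@example.com", "target.id": "dev-0002"},
    {"ts": "2024-05-02T11:00:00Z", "eventType": "device.user.add",
     "outcome": "SUCCESS", "usr.email": "frank@example.com", "target.id": "dev-0002"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def shared_mfa_devices(events, window=timedelta(hours=1), min_users=2):
    """Return {device_id: sorted distinct emails} for every device that at
    least `min_users` distinct users enrolled within any `window`-long span.
    Only successful device.user.add events are considered."""
    by_device = defaultdict(list)
    for e in events:
        if e["eventType"] != "device.user.add" or e["outcome"] != "SUCCESS":
            continue
        by_device[e["target.id"]].append((parse_ts(e["ts"]), e["usr.email"]))

    findings = defaultdict(set)
    for device, enrollments in by_device.items():
        enrollments.sort()  # order by timestamp for the sliding window
        start = 0
        for end in range(len(enrollments)):
            # Advance the window start until it spans at most `window`.
            while enrollments[end][0] - enrollments[start][0] > window:
                start += 1
            users = {email for _, email in enrollments[start:end + 1]}
            if len(users) >= min_users:
                findings[device].update(users)
    return {dev: sorted(users) for dev, users in findings.items()}


if __name__ == "__main__":
    for device, users in shared_mfa_devices(EVENTS).items():
        print(f"ALERT device {device} enrolled by {len(users)} users: {users}")
```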

## Triage and response{% #triage-and-response %}

- Identify the device registered under `{{@target.id}}` and determine its type, such as a phone, hardware token, or authenticator app.
- Review the list of user accounts that had the device added and assess whether these accounts share a legitimate relationship, such as a shared service account or test environment.
- Examine who initiated each `device.user.add` event to determine if a single actor enrolled the device across all affected accounts.
- Check whether the affected user accounts show other signs of compromise, such as password resets, new session activity, or logins from unfamiliar locations.
- Determine if any of the affected accounts have elevated privileges, such as administrative roles, that would increase the impact of unauthorized access.
- Remove the shared device from all affected accounts and require each user to re-enroll their own individual MFA factor.
