---
title: Okta MFA reset for user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Okta MFA reset for user
---

# Okta MFA reset for user
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556) 
## Goal{% #goal %}

Detect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.

## Strategy{% #strategy %}

This rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:

- `user.mfa.factor.reset_all`

An attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.

## Triage and response{% #triage-and-response %}

1. Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.
1. If the change was not made by the user:
   - Disable the affected user accounts.
   - Rotate user credentials.
   - Return targeted users MFA factors to the last known good state.
   - Begin your organization's incident response process and investigate.
1. If the change was made by the user:
   - Determine if the user was authorized to make that change.
   - If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.
   - If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.