> How to protect yourself from MFA attacks

# MFA Playbook

Attackers can exploit and misuse <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip> (MFA) alerts to gain access to your systems. Below are some common MFA attack vectors and guidance on how to investigate them.

## Find log events of interest

The following log event types are relevant when investigating an MFA attack. They are found in the [Auth0 tenant logs](/docs/deploy-monitor/logs/log-event-type-codes).

<table class="table">
  <thead>
    <tr>
      <th>Log Event Type</th>
      <th>Description</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>gd\_auth\_failed</code></td>
      <td>Multi-factor authentication failed. This can be caused by a system failure or by a user entering an incorrect code when using SMS, voice, email, or TOTP as an MFA factor. Frequent failures indicate an attack or an MFA misconfiguration.</td>
    </tr>

    <tr>
      <td><code>gd\_auth\_fail\_email\_verification</code></td>
      <td>A high frequency of failed email verification events can indicate malicious activity or tenant misconfiguration.</td>
    </tr>

    <tr>
      <td><code>gd\_auth\_rejected</code>, <code>gd\_send\_pn</code> and <code>gd\_send\_pn\_failure</code></td>
      <td>Frequent push events and push events without responses can indicate MFA fatigue attacks (MITRE ATT&amp;CK T1621).</td>
    </tr>

    <tr>
      <td><code>gd\_otp\_rate\_limit\_exceed</code></td>
      <td>Too many MFA failures over a short period of time can indicate automated attacks.</td>
    </tr>

    <tr>
      <td><code>gd\_recovery\_failed</code></td>
      <td>Repeated MFA recovery failures can indicate attacker attempts to circumvent or replace additional authentication factors.</td>
    </tr>

    <tr>
      <td><code>gd\_send\_sms</code>, <code>gd\_send\_sms\_failure</code>, <code>gd\_send\_voice</code>, and <code>gd\_send\_voice\_failure</code></td>
      <td>A high frequency of these events indicates SMS pumping or toll fraud attacks. It can also indicate attempts to circumvent SMS/voice as a factor.</td>
    </tr>

    <tr>
      <td><code>gd\_unenroll</code></td>
      <td>Large-scale MFA device disenrollment can indicate successful account takeover campaigns.</td>
    </tr>
  </tbody>
</table>
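
One way to act on the table above, as an added example (not Auth0 code): a sliding-window counter over tenant log events exported as JSON lines. It assumes each event carries `type`, `date`, `user_id` and `ip` fields; the rule names, thresholds, windows and group-by choices are illustrative assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# rule -> (event types from the table above, group-by field, threshold, window).
# Thresholds, windows and grouping are assumptions; tune them to your tenant.
RULES = {
    "mfa_fatigue": ({"gd_send_pn", "gd_send_pn_failure", "gd_auth_rejected"},
                    "user_id", 5, timedelta(minutes=10)),
    "sms_voice_pumping": ({"gd_send_sms", "gd_send_sms_failure", "gd_send_voice",
                           "gd_send_voice_failure"}, "ip", 4, timedelta(minutes=5)),
    "mfa_code_guessing": ({"gd_auth_failed", "gd_otp_rate_limit_exceed"},
                          "user_id", 5, timedelta(minutes=5)),
    "recovery_abuse": ({"gd_recovery_failed"}, "user_id", 3, timedelta(minutes=15)),
    "mass_unenroll": ({"gd_unenroll"}, None, 3, timedelta(hours=1)),  # tenant-wide
}

def parse_ts(value):  # log dates are ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect(lines):
    """Return {(rule, key): time the threshold was first reached} from JSON lines."""
    parsed = (json.loads(l) for l in lines if l.strip())
    events = sorted(((parse_ts(e["date"]), e) for e in parsed), key=lambda p: p[0])
    windows, alerts = defaultdict(deque), {}
    for ts, ev in events:
        for rule, (types, field, threshold, span) in RULES.items():
            if ev.get("type") not in types:
                continue
            key = (ev.get(field) or "unknown") if field else "tenant"
            q = windows[(rule, key)]
            q.append(ts)
            while ts - q[0] > span:  # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault((rule, key), ts)
    return alerts

def sample_lines():
    # Constructed events (not real logs): (minute offset, type, user_id, ip)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    rows = [(m, "gd_send_pn", "auth0|alice", "203.0.113.5") for m in range(4)]
    rows += [(4, "gd_auth_rejected", "auth0|alice", "203.0.113.5")]
    rows += [(m, "gd_send_sms", f"auth0|u{m}", "198.51.100.7") for m in range(4)]
    rows += [(m, "gd_auth_failed", "auth0|bob", "192.0.2.9") for m in (0, 20)]
    return [json.dumps({"date": (t0 + timedelta(minutes=m)).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
                        "type": t, "user_id": u, "ip": ip}) for m, t, u, ip in rows]

if __name__ == "__main__":
    print(detect(sample_lines()))
```

Grouping SMS and voice sends by source IP rather than by user catches bursts spread across many accounts; the two isolated `gd_auth_failed` events for one user stay below the threshold and raise nothing.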

## Mitigation strategies

The following are example responses to attacks against MFA:

* Migrate to stronger MFA options by replacing SMS/voice-based MFA with [OTP](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-otp-notifications-for-mfa) or [WebAuthn](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn/configure-webauthn-device-biometrics-for-mfa) to mitigate SMS pumping or toll fraud attacks.
* Enhance SMS/voice provider security by implementing fraud protection like Twilio's [Preventing Fraud in Verify](https://www.twilio.com/docs/verify/preventing-toll-fraud) when using SMS/voice MFA.
* Avoid MFA fatigue by enforcing push notification rate limits.
