Adaptive MFA Log Events

Your tenant logs contain entries for successful and failed login events including information related to Adaptive MFA risk assessment scores. These are the same entries as those that can be used in rule context objects. The Adaptive MFA entries have the following structure:

{
  "date": "2020-06-26T15:12:43.654Z",
  "type": "s",
  "details": {
    "riskAssessment": {
      "confidence": "high",
      "assessments": {
        "UntrustedIP": {
          "confidence": "high",
          "code": "not_found_on_deny_list"
    	},
    	"NewDevice": {
      	  "confidence": "medium",
      	  "code": "partial_match",
          "details": {
            "device": "unknown",
            "useragent": "known",
          }
    	},
    	"ImpossibleTravel": {
      	  "confidence": "high",
      	  "code": "minimal_travel_from_last_login"
    	}
      }
    }
  },
  "description": "Successful login"
}

Was this helpful?

/

Here is an example:

{
  "date": "2020-06-24T20:24:39.412Z",
  "type": "s",
  "description": "Successful login",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_16Tpc6YqlWZ4HCut",
  "client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
  "client_name": "jwt.io",
  "ip": "10.12.13.1",
  "client_ip": null,
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
  "details": {
    "prompts": [
      {
        "name": "prompt-authenticate",
        "initiatedAt": null,
        "completedAt": 1593030278513,
        "connection": "Username-Password-Authentication",
        "connection_id": null,
        "strategy": "auth0",
        "identity": "5ee10b1ca85332004e44ce3e",
        "stats": {
          "loginsCount": 66
        },
        "elapsedTime": null
      },
      {
        "name": "login",
        "flow": "universal-login",
        "initiatedAt": 1593030268561,
        "completedAt": 1593030278558,
        "timers": {
          "rules": 336
        },
        "user_id": "auth0|5ee10b1ca85332004e44ce3e",
        "user_name": "user@josh.local.dev.auth0.com",
        "elapsedTime": 9997
      }
    ],
    "initiatedAt": 1593030268550,
    "completedAt": 1593030279374,
    "elapsedTime": 10824,
    "session_id": "dKvR03IjVSNLPaVLqVS-FBuX87z0bBoE",
    "riskAssessment": {
      "confidence": "medium",
      "assessments": {
        "UntrustedIP": {
          "confidence": "high",
          "code": "ip_not_found"
        },
        "NewDevice": {
          "confidence": "medium",
          "code": "match_useragent",
          "details": {
            "device": "unknown",
            "useragent": "known",
          }
        },
        "ImpossibleTravel": {
          "confidence": "low",
          "code": "missing_geoip"
        }
      }
    },
    "stats": {
      "loginsCount": 66
    }
  },
  "hostname": "josh.local.dev.auth0.com",
  "user_id": "auth0|5ee10b1ca85332004e44ce3e",
  "user_name": "user@josh.local.dev.auth0.com",
  "strategy": "auth0",
  "strategy_type": "database"
}

Was this helpful?

/

Attack protection details

In addition to providing information for rules execution, Auth0 includes adaptive MFA attack protection information to your tenant logs. The same data structure that appears in rules appears in the tenant logs:

{
  "date": "2020-06-26T15:12:43.654Z",
  "type": "s",
  "details": {
	"anomalyDetection": {
  	  "confidence": "high",
  	  "assessments": {
    	    "UntrustedIP": {
      	    "confidence": "high",
      	    "reason": "ip not found",
      	    "code": "ip_not_found"
    	    },
    	    "NewDevice": {
      	    "confidence": "medium",
      	    "reason": "match useragent",
      	    "code": "match_useragent"
    	    },
    	    "ImpossibleTravel": {
      	    "confidence": "high",
      	    "reason": "minimal travel",
      	    "code": "minimal_travel_from_last_login"
    	    }
  	  }
	},
  },
  "description": "Successful login"
}

Was this helpful?

/

MFA prompt details

When adaptive MFA is enabled, users will be prompted for MFA enrollment on their first login attempt with a low confidence score. An mfa prompt may appear in the login event details. For example:

{
  "_id": "5ef3bb0a72487a0047c32959",
  "date": "2020-06-24T20:43:54.159Z",
  "type": "s",
  "description": "Successful login",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_16Tpc6YqlWZ4HCut",
  "client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
  "client_name": "jwt.io",
  "ip": "10.12.13.1",
  "client_ip": null,
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
  "details": {
    "prompts": [
      {
        "name": "prompt-authenticate",
        "completedAt": 1593031413909,
        "connection": "Username-Password-Authentication",
        "strategy": "auth0",
        "identity": "5ee10b1ca85332004e44ce3e",
        "stats": {
          "loginsCount": 67
        },
        "elapsedTime": null
      },
      {
        "name": "login",
        "flow": "universal-login",
        "initiatedAt": 1593031371948,
        "completedAt": 1593031413953,
        "timers": {
          "rules": 443
        },
        "user_id": "auth0|5ee10b1ca85332004e44ce3e",
        "user_name": "user@josh.local.dev.auth0.com",
        "elapsedTime": 42005
      },
      {
        "name": "mfa",
        "flow": "universal-mfa",
        "initiatedAt": 1593031414863,
        "completedAt": 1593031433795,
        "performed_acr": [
          "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
        ],
        "performed_amr": [
          "mfa"
        ],
        "provider": "guardian",
        "elapsedTime": 18932
      }
    ],
    "initiatedAt": 1593031371938,
    "completedAt": 1593031434151,
    "elapsedTime": 62213,
    "session_id": "ulYRdsS1F4wIKLpUfQDfhyXgKVJqJaEv",
    "riskAssessment": {
      "confidence": "medium",
      "assessments": {
        "UntrustedIP": {
          "confidence": "high",
          "code": "ip_not_found"
        },
        "NewDevice": {
          "confidence": "medium",
          "code": "match_useragent",
          "details": {
            "device": "unknown",
            "useragent": "known",
          }
        },
        "ImpossibleTravel": {
          "confidence": "low",
          "code": "missing_geoip"
        }
      }
    },
    "stats": {
      "loginsCount": 67
    }
  },
  "hostname": "josh.local.dev.auth0.com",
  "user_id": "auth0|5ee10b1ca85332004e44ce3e",
  "user_name": "user@josh.local.dev.auth0.com",
  "strategy": "auth0",
  "strategy_type": "database"
}

Was this helpful?

/

MFA provider details

Events may appear for certain MFA providers. Here is an example that includes OTP Auth Succeeded event.

{
  "_id": "5ef3bb0922b43d004844af00",
  "date": "2020-06-24T20:43:53.758Z",
  "type": "gd_auth_succeed",
  "description": "Guardian - Second factor authentication succeed (totp)",
  "ip": "10.12.13.1",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
  "details": {
    "request": {
      "method": "POST",
      "path": "/api/totp/configs/josh/authenticators/totp%7Cdev_3KQv6yQ06pLoksIe/verify",
      "query": {},
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
      "body": {
        "code": "********"
      },
      "ip": "10.12.13.1",
      "auth": {
        "subject": null,
        "strategy": "jwt_api2_internal_token",
        "scopes": [
          "read:authenticators",
          "verify:authenticator"
        ]
      }
    },
    "response": {
      "body": {},
      "statusCode": null
    },
    "authenticator": {
      "id": "totp|dev_3KQv6yQ06pLoksIe",
      "type": "totp"
    },
    "device_id": "v0:45e50ea0-b65b-11ea-9dd7-27e2c7f14291"
  },
  "user_id": "auth0|5ee10b1ca85332004e44ce3e"
}

Was this helpful?

/

Learn more