View MFA Misconfigurations

The Identity Security component of SSPM uses information from your identity provider to give you visibility into MFA enrollment and sign-in issues. Because compromised administrator accounts represent a greater threat to your organization than user accounts without administrator privileges, the Identity Security dashboard further separates the issues by administrators and non-administrators.
  1. To navigate to the Identity Security dashboard, select Posture Security > Identity.
  2. View the information for MFA.
    If at least one instance of the Microsoft Azure or Okta identity provider was already onboarded to SSPM, the Identity Security dashboard displays identity-based issues that it derived from the identity provider. If no instance of the Microsoft Azure or Okta identity provider has been onboarded to SSPM, you are prompted to Add Provider.
    If more than one identity provider instance is connected to SSPM, you can select a different Identity Provider from the list. You can also Add Provider to onboard a different Microsoft Azure or Okta instance.
  3. Inspect the information displayed in the upper section of the dashboard for a high-level summary of the problems that the Identity Security component detected in your MFA implementation. The top section of the dashboard displays the following information.
    MFA Enrollment Issues
    Displayed Information / Description
    Users with no MFA
    The number of users who are not enrolled in any additional factors for MFA. If MFA enforcement policies are not configured for the identity provider, these users can access SaaS applications through the identity provider by using only one factor. If those credentials are compromised, there is no additional layer of security to prevent unauthorized access to their account. These users should enroll in a strong second factor for MFA.
    Users with weak MFA
    The number of users who are enrolled in one or more additional factors for MFA, but whose factors are not resistant to phishing, social engineering, or interception attacks. Weak MFA factors include email verification and short message service (SMS) verification. Weak second factors offer less protection than stronger factors, such as biometric login or a hardware key.
    If MFA enforcement policies on the identity provider are not configured to prevent sign-ins using only weak factors, the account can be more easily compromised. These users should enroll in a strong second factor for MFA.
    MFA Sign-In Issues
    Displayed Information / Description
    Sign-ins with weak MFA
    The number of users who signed in to SaaS applications by using only weak factors, which are not resistant to phishing, social engineering, or interception attacks.
    Although these users might have registered a strong second factor, such as biometric login or a hardware key, they used only weak factors, such as email verification and short message service (SMS) verification, to sign in.
    Administrators should create or modify policies in the identity provider to require these users to sign in using a strong second factor for MFA.
    MFA Misconfigurations by SaaS Application
    The number of sign-ins with no MFA or weak MFA, organized by SaaS application.
  4. Navigate to the User Details and MFA Configurations tab, which displays MFA information for each user managed by the identity provider. The displayed information includes the user's group memberships, enabled MFA types, and time since the user's last password change.
    To filter this table to show only users with particular MFA enrollment or sign-in issues, click any of the misconfiguration counts displayed in the upper section of the page, such as the number of users or administrators with no MFA or with weak MFA.
    In the table, you can also Add Filter to filter the table by user attributes, such as the MFA types enabled and the MFA strength.
    To export a CSV file with a list of the incidents, Download Report. The report will contain all users unless you applied a filter to the table.
  5. To view more information about a particular user's sign-in activities, navigate to the User Sign-in Activities tab and View Activity Log.
  6. Take action on MFA misconfigurations. Have users enroll in the strong second factors that your organization requires, and create or modify policies to close any MFA enforcement gaps.
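The following script, added here as an illustration and not part of the SSPM product or its API, shows how the categories in the dashboard's upper section are derived from identity-provider data: enrollment issues (no MFA, weak MFA) split by administrator role, and sign-in issues counted per user and per SaaS application. The user and sign-in records, the factor names, and the field layout are constructed assumptions for the example; the one point it makes concrete is that a sign-in is rated by the factors actually presented, so a user with a hardware key enrolled who signs in with SMS still counts as a weak-MFA sign-in.

```python
"""Classify constructed identity-provider MFA data into the categories the
Identity Security dashboard reports. Record layout and factor names are
assumptions for this example, not the product's schema."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed taxonomy following the page: email and SMS are weak (phishable,
# interceptable); biometric login and hardware keys are strong.
WEAK_FACTORS = {"email", "sms"}
STRONG_FACTORS = {"biometric", "hardware_key"}


@dataclass
class User:
    name: str
    is_admin: bool
    factors: set = field(default_factory=set)  # enrolled second factors


@dataclass
class SignIn:
    user: str
    app: str                  # SaaS application reached through the IdP
    factors_used: frozenset   # factors actually presented at sign-in


def enrollment_status(user):
    """'none' = no second factor enrolled; 'weak' = only weak factors;
    'strong' = at least one phishing-resistant factor enrolled."""
    if not user.factors:
        return "none"
    if user.factors & STRONG_FACTORS:
        return "strong"
    return "weak"


def signin_strength(signin):
    """A sign-in is only as strong as the factors actually used, regardless
    of what the user has enrolled."""
    if not signin.factors_used:
        return "none"
    if signin.factors_used & STRONG_FACTORS:
        return "strong"
    return "weak"


def enrollment_issues(users):
    """Counts for the 'MFA Enrollment Issues' section, split by role."""
    counts = {"admin": Counter(), "user": Counter()}
    for u in users:
        status = enrollment_status(u)
        if status != "strong":
            counts["admin" if u.is_admin else "user"][status] += 1
    return counts


def signin_issues(users, signins):
    """Counts for the 'MFA Sign-In Issues' section: distinct users who signed
    in with weak factors only (by role), and no-/weak-MFA sign-ins per app."""
    by_name = {u.name: u for u in users}
    weak_users = {"admin": set(), "user": set()}
    per_app = Counter()
    for s in signins:
        strength = signin_strength(s)
        if strength == "strong":
            continue
        per_app[s.app] += 1               # both no-MFA and weak-MFA sign-ins
        if strength == "weak":
            role = "admin" if by_name[s.user].is_admin else "user"
            weak_users[role].add(s.user)
    return {
        "weak_signin_users": {k: len(v) for k, v in weak_users.items()},
        "per_app": dict(per_app),
    }


# Constructed sample data (not real accounts or applications).
USERS = [
    User("alice", True, {"hardware_key", "sms"}),  # admin, strong factor enrolled
    User("bob", True, set()),                      # admin with no MFA
    User("carol", False, {"sms"}),                 # weak factor only
    User("dave", False, {"email", "sms"}),         # weak factors only
    User("erin", False, {"biometric"}),            # strong factor
]
SIGNINS = [
    SignIn("alice", "crm", frozenset({"sms"})),           # strong enrolled, weak used
    SignIn("alice", "crm", frozenset({"hardware_key"})),
    SignIn("bob", "wiki", frozenset()),                   # no second factor at all
    SignIn("carol", "crm", frozenset({"sms"})),
    SignIn("erin", "wiki", frozenset({"biometric"})),
]

if __name__ == "__main__":
    print(enrollment_issues(USERS))    # admin: 1 with no MFA; user: 2 with weak MFA
    print(signin_issues(USERS, SIGNINS))  # 1 admin and 1 user weak sign-in; crm 2, wiki 1
```

On the sample data the output matches the dashboard's groupings: one administrator (bob) with no MFA, two non-administrators with weak MFA, and alice appearing under weak sign-ins despite having a hardware key enrolled, which is exactly the gap a sign-in enforcement policy in the identity provider is meant to close.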