Triggers
- An account was observed disabling Multi-Factor Authentication (MFA) for another account.
Possible Root Causes
- An attacker is disabling MFA on an account to bypass this security control as a means of maintaining or acquiring additional access to the environment.
- Administrators may disable MFA for accounts used by automated processes, or to temporarily let users access an environment after losing their second-factor device.
Business Impact
- MFA is a critical security control; bypassing it may indicate an active threat in the environment or increase the risk of the account becoming compromised in the future.
- Compromised accounts provide attackers with access to critical systems and data, which may be stolen, modified, or deleted.
Steps to Verify
- Review the account and internal policy to determine if MFA should be enabled for this account.
- Verify the action of disabling MFA on this account was intentional and followed internal security policies and change control processes.
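
The two verification steps above, as an added triage example (not part of the original detection or any product's code). It assumes a hypothetical normalized audit-event format (`action`, `actor`, `target`, `ticket`), a hypothetical policy list of MFA-exempt accounts, and a set of approved change tickets; all names and values are constructed.

```python
"""Triage MFA-disable audit events against policy and change control.
Field names, accounts and ticket ids are constructed for illustration."""
from dataclasses import dataclass

# Assumption: accounts internal policy allows to run without MFA.
MFA_EXEMPT = {"svc-backup@example.com"}
# Assumption: change tickets approved through change control.
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}

@dataclass
class Finding:
    actor: str
    target: str
    verdict: str                # expected | follow_up | investigate
    no_change_record: bool      # step 2: no approved change ticket
    policy_requires_mfa: bool   # step 1: target is not exempt by policy

def triage(events):
    """Return a Finding for each event where one account disabled MFA for another."""
    findings = []
    for ev in events:
        if ev.get("action") != "mfa_disabled":
            continue
        actor, target = ev["actor"], ev["target"]
        if actor == target:
            continue            # not "for another account": outside the trigger
        no_change = ev.get("ticket") not in APPROVED_TICKETS
        needs_mfa = target not in MFA_EXEMPT
        # Approved change on a non-exempt account is a temporary exception.
        verdict = "investigate" if no_change else "follow_up" if needs_mfa else "expected"
        findings.append(Finding(actor, target, verdict, no_change, needs_mfa))
    return findings

# Constructed sample events (hypothetical normalized schema).
SAMPLE_EVENTS = [
    {"action": "mfa_disabled", "actor": "admin1@example.com",
     "target": "svc-backup@example.com", "ticket": "CHG-1001"},
    {"action": "mfa_disabled", "actor": "helpdesk2@example.com",
     "target": "alice@example.com", "ticket": "CHG-1002"},
    {"action": "mfa_disabled", "actor": "helpdesk2@example.com",
     "target": "cfo@example.com", "ticket": None},
    {"action": "mfa_disabled", "actor": "bob@example.com",
     "target": "bob@example.com", "ticket": None},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.verdict, f.actor, "->", f.target)
```

The `follow_up` verdict covers the lost-device case from the root causes: the change was approved, but policy still requires MFA for the account.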