Hi everyone,
I’m trying to determine the best way to identify whether a login attempt was truly successful based on Okta logs.
At first glance, user.session.start seems like a good indicator, but it only reflects the start of the session and not whether the authentication was fully completed. Other events, like user.authentication.auth_via_mfa, may follow and fail, meaning the login wasn’t actually successful.
I also looked at user.authentication.verify, but it appears to log as “successful” even if the MFA challenge is invalid.
One approach could be checking for user.session.end after a timeout (e.g., 5 minutes) to infer an unsuccessful login, but this feels indirect.
So, what’s the most reliable way to determine if a user has fully authenticated and successfully logged in? Are there specific event combinations or best practices for this?
Thanks in advance!
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.