Hi everyone,
I’m trying to determine the best way to identify whether a login attempt was truly successful based on Okta logs.
At first glance, user.session.start seems like a good indicator, but it only reflects the start of the session and not whether the authentication was fully completed. Other events, like user.authentication.auth_via_mfa, may follow and fail, meaning the login wasn’t actually successful.
I also looked at user.authentication.verify, but it appears to log as “successful” even if the MFA challenge is invalid.
One approach could be checking for user.session.end after a timeout (e.g., 5 minutes) to infer an unsuccessful login, but this feels indirect.
So, what’s the most reliable way to determine if a user has fully authenticated and successfully logged in? Are there specific event combinations or best practices for this?
Thanks in advance!