> How to protect yourself from MFA attacks

# MFA Playbook

Attackers can exploit and misuse <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip> (MFA) alerts to gain access to your systems. Below are some common MFA attack vectors and guidance on how to investigate them.

## Find log events of interest

The following log event types are relevant when investigating an MFA attack. They are found in the [Auth0 tenant logs](/docs/deploy-monitor/logs/log-event-type-codes).

| Log Event Type                                                                     | Description                                                                                                                                                                                                                         |
| ---------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `gd_auth_failed`                                                                   | Multi-factor authentication failed. This could be a system failure or a user's incorrect code entry when using SMS, voice, email, or TOTP as an MFA factor. Frequent failures indicate an attack or an MFA misconfiguration. |
| `gd_auth_fail_email_verification`                                                  | A high frequency of failed email verification events can indicate malicious activity or tenant misconfiguration. |
| `gd_auth_rejected`, `gd_send_pn` and `gd_send_pn_failure`                          | Frequent push events and push events without responses can indicate MFA fatigue attacks (T1621).                                                                                                                                    |
| `gd_otp_rate_limit_exceed`                                                         | Too many MFA failures over a short period of time can indicate automated attacks.                                                                                                                                                   |
| `gd_recovery_failed`                                                               | Repeated MFA recovery failures can indicate attacker attempts to circumvent or replace additional authentication factors.                                                                                                           |
| `gd_send_sms`, `gd_send_sms_failure`, `gd_send_voice`, and `gd_send_voice_failure` | A high frequency of these events indicates SMS pumping or toll fraud attacks. It can also indicate attempts to circumvent SMS/voice as a factor.                                                                                    |
| `gd_unenroll`                                                                      | Large scale MFA device disenrollment can indicate successful account takeover campaigns.                                                                                                                                            |
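
A sliding-window check over exported tenant log events for the patterns in the table above. This is an added example, not Auth0 code: the rule names, thresholds, windows, and group-by fields are assumptions to tune per tenant, and the sample events are constructed. It reads only the `type`, `date`, `user_id`, and `ip` fields of each event.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed rules: name -> (event types, group-by field or None for tenant-wide, count, window)
RULES = {
    "mfa_fatigue": ({"gd_send_pn", "gd_send_pn_failure", "gd_auth_rejected"},
                    "user_id", 5, timedelta(minutes=10)),
    "otp_guessing": ({"gd_auth_failed", "gd_otp_rate_limit_exceed"},
                     "user_id", 5, timedelta(minutes=5)),
    "recovery_abuse": ({"gd_recovery_failed"}, "user_id", 3, timedelta(minutes=15)),
    "sms_voice_pumping": ({"gd_send_sms", "gd_send_sms_failure",
                           "gd_send_voice", "gd_send_voice_failure"},
                          "ip", 20, timedelta(minutes=10)),
    "mass_unenroll": ({"gd_unenroll"}, None, 10, timedelta(hours=1)),
}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # ISO 8601, trailing "Z"

def detect(events, rules=RULES):
    """Return {(rule, group): first time the count reached the rule's threshold}."""
    windows, alerts = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: parse_ts(e["date"])):
        ts = parse_ts(ev["date"])
        for name, (types, field, limit, span) in rules.items():
            if ev.get("type") not in types:
                continue
            group = ev.get(field, "unknown") if field else "tenant"
            q = windows[(name, group)]
            q.append(ts)
            while ts - q[0] > span:  # drop events that fell out of the window
                q.popleft()
            if len(q) >= limit:
                alerts.setdefault((name, group), ts)
    return alerts

def sample_events():
    # Constructed sample, not real tenant data.
    base = datetime(2024, 5, 1, 10, 0, 0)
    def ev(kind, minute, user):
        stamp = (base + timedelta(minutes=minute)).isoformat(timespec="milliseconds")
        return {"type": kind, "date": stamp + "Z", "user_id": user, "ip": "203.0.113.7"}
    burst = [ev("gd_send_pn", m, "auth0|user-a") for m in range(4)]
    burst.append(ev("gd_auth_rejected", 4, "auth0|user-a"))
    noise = [ev("gd_auth_failed", m * 3, "auth0|user-b") for m in range(3)]
    return burst + noise

if __name__ == "__main__":
    for (rule, group), when in detect(sample_events()).items():
        print(f"{when.isoformat()} {rule} {group}")
```

Each alert records the first moment a group crossed its threshold, which gives a starting timestamp for reviewing that user's or IP's surrounding log events.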

## Mitigation strategies

The following are example responses to attacks against MFA:

* Migrate to stronger MFA options by replacing SMS/voice-based MFA with [OTP](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-otp-notifications-for-mfa) or [WebAuthn](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn/configure-webauthn-device-biometrics-for-mfa) to mitigate SMS pumping or toll fraud attacks.
* Enhance SMS/voice provider security by implementing fraud protection, such as Twilio's [Preventing Fraud in Verify](https://www.twilio.com/docs/verify/preventing-toll-fraud), when using SMS/voice MFA.
* Avoid MFA fatigue by enforcing push notification rate limits.
