Generating a multi-factor authentication activity report

You can generate reports to show the multi-factor authentication activity in your IBM® Security Verify tenant.

Before you begin

  • You must have administrative permission or be a member of the helpdesk group to complete this task.
  • Log in to the IBM Security Verify administration console.

About this task

Table 1. MFA report information

Information: Time Stamp
Attributes: time
Description: When the authentication request was made.

Information: User
Attributes:
  • Username: data.username
  • Realm: data.realm
Description: Includes the
  Username
    The unique identifier for logging in to Verify. It can be the same as the email address of the user.
  Realm
    The identity source attribute that helps distinguish users from multiple identity sources that have the same username.

    This information is displayed in the Users & Groups > Users tab, and in the Edit User dialog box.

    For the following identity sources:
      • Cloud Directory, the realm value is cloudIdentityRealm.
      • IBMid, the realm value is www.ibm.com.
      • SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity source.
      • OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity source.

Information: MFA factor
Attributes: data.mfamethod
Description:
  • FIDO2
  • Generated: The client determines how to send the generated OTP to the user.
  • Email OTP
  • IBM Verify push
  • Knowledge questions
  • QR Login
  • SMS OTP
  • TOTP

Information: MFA device
Attributes: data.mfadevice
Description:
  • device ID
  • device name
  • mobile number
  • email address

Information: Result
Attributes: data.result
Description: Success or failure.

Information: Client IP
Attributes: data.origin
Description: The IP address of the device that made the authentication request. The details contain an X-Force IP report link to evaluate the threat value of the address.

Information: Location
Attributes:
  • geoip.region_name
  • geoip.country_name
Description: The geographical location, region, and country, where the authentication request was made.
Note: The region might not display accurately because of the way your network is configured. This issue is a known limitation.

Procedure

  1. Select Reports.
    The tiles for various reports are displayed. The MFA activity tile summarizes the multi-factor authentication information for the past 30 days.
  2. Select the View Report link on the MFA activity tile.
    If no report information is displayed, change the date range. See step 4.
    A summation of the results for MFA login attempts is displayed.
    • Success
    • Failure
    • Sent
    Note: Sent consists of email, SMS, and voice one-time password (OTP) factors only. Other factors such as QRCode, FIDO, TOTP, and other authenticator app challenges are not considered under Sent. They are shown as either Success or Failure. Sent provides a view into MFA types that are triggered by OTP events.

    A graphical representation of the total number of successful logins by method for the selected time period is displayed. The time period can be up to 90 days. The second graph displays the number of successful logins by method per day during that period.

    The summary report for the current day displays the following information for each event.
    • Time stamp
    • User
    • MFA factor
    • MFA device
    • Client IP
    • Result
    • Location

    Select an event to see the details that are associated with it. See Base service event details.

  3. Optional: Select Filters to filter the results.
    You can search by the following filters.
    Identity
    Filter selections are username and realm.
    Source
    Filter selections are client IP and location.
    Event
    Filter selections are MFA factor and result.
    You can use any combination of filters to refine your results. Select Apply filters to modify the report. The selected filters are displayed above the table. You can clear the filters by selecting the Reset link.
  4. Change the date range for the report.
    Select the From and To dates to display the calendar drop downs and select the dates for the report. You can't go back more than 90 days.
    Note: The To date cannot exceed the current date.
  5. Select Run report.
    The report information is refreshed.
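
The following example is added here and is not IBM code. It shows how events that carry the Table 1 attributes can be triaged once they are available as data: results are counted as in the report summary, and failures are grouped by realm and username together, because the same username can exist in more than one identity source. The flat record shape, the lowercase result values, the sample events, the function names, and the failure threshold are assumptions.

```python
from collections import Counter, defaultdict

FIELDS = ("time", "data.username", "data.realm",
          "data.mfamethod", "data.result", "data.origin")

# Constructed sample events (documentation IP ranges). The flat-dict shape and
# the lowercase result values are assumptions; only the attribute names are
# taken from Table 1.
_ROWS = [
    ("2024-05-01T09:00:00Z", "jdoe", "cloudIdentityRealm", "TOTP", "failure", "198.51.100.7"),
    ("2024-05-01T09:00:20Z", "jdoe", "cloudIdentityRealm", "TOTP", "failure", "198.51.100.7"),
    ("2024-05-01T09:01:05Z", "jdoe", "cloudIdentityRealm", "TOTP", "failure", "203.0.113.44"),
    ("2024-05-01T09:02:00Z", "jdoe", "www.ibm.com", "FIDO2", "failure", "192.0.2.10"),
    ("2024-05-01T09:02:30Z", "jdoe", "www.ibm.com", "FIDO2", "success", "192.0.2.10"),
    ("2024-05-01T09:05:00Z", "asmith", "cloudIdentityRealm", "SMS OTP", "sent", "192.0.2.25"),
    ("2024-05-01T09:05:40Z", "asmith", "cloudIdentityRealm", "SMS OTP", "success", "192.0.2.25"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _ROWS]


def summarize(events):
    """Count events per result, mirroring the Success / Failure / Sent totals."""
    return Counter(e["data.result"].lower() for e in events)


def failures_by_identity(events):
    """Group failures by (realm, username); username alone is ambiguous
    when several identity sources contain the same name."""
    grouped = defaultdict(lambda: {"count": 0, "origins": set()})
    for e in events:
        if e["data.result"].lower() == "failure":
            entry = grouped[(e["data.realm"], e["data.username"])]
            entry["count"] += 1
            entry["origins"].add(e["data.origin"])
    return dict(grouped)


def flag_identities(events, min_failures=3):
    """Return identities at or above the (hypothetical) failure threshold."""
    return sorted(
        (realm, user, info["count"], sorted(info["origins"]))
        for (realm, user), info in failures_by_identity(events).items()
        if info["count"] >= min_failures
    )


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_EVENTS)), flag_identities(SAMPLE_EVENTS))
```

In the sample data, the two jdoe accounts are kept apart by realm, so only the Cloud Directory identity reaches the threshold, and its entry lists both client IP addresses for follow-up.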