MFA authentication event payload
This payload is an authentication event payload with a data.subtype of MFA. The event attribute names for Multi-Factor Authentication (MFA) are described in the following table.
MFA event attributes
The following table lists the attributes contained in the V2 MFA Event.
| Name | Data type | Description |
|---|---|---|
| data.action | String | example: login |
| data.cause | String | example: Authentication Successful |
| data.devicetype | String | Browser user agent |
| data.host | String | Hostname of microservice instance that generated the event |
| data.mfaresult | String | The result of an IBM Verify factor push. |
| data.origin | String | IP address of system that caused event to be generated |
| data.realm | String |
Identity source of user. Examples: Cloud Directory: CloudIdentityRealm, IBMid: www.ibm.com SAML Enterprise: AzureRealm LDAP pass-through: www.cloudsecurity.com OIDC: www.yahoo.com |
| data.result | String | Success or failure |
| data.sourceinstance | String | Source instance used for authentication: Azure |
| data.sourcetype | String | Identity source type used for authentication: cloud directory, certificate, Kerberos, OIDC, pass-through, SAML - not needed for MFA events. |
| data.subject | String | Verify user ID that caused event to be generated. |
| data.subtype | String | MFA: Second factor used for authentication |
| data.target | String | Secondary resource that might be applicable |
| data.username | String | Unique identifier for logging in to Verify. It can be the same as the email address of the user. |
| geoip.city_name geoio.continent_name geoip.country_iso_code geoip.country_name geoip.location geoip.region_name |
String | Augmented by Event service by using data.origin. |
| data.deviceid data.mdmiscompliant data.mdmismanaged data.billingid |
String | Android or IPhone device true or false true or false |
| data.providerid data.samlassertion |
String | Identifies the SAML partner - only for failure events |
| data.mfamethod data.mfadevice |
String |
data.mfamethod - MFA factor used:
|
Example
The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.
{
"geoip": {
"continent_name": "North America",
"as_org": "ATT-INTERNET4",
"city_name": "Austin",
"country_iso_code": "USA",
"ip": "1111:1111:a111:1111:a111:aa1:1aaa:1111",
"country_name": "United States",
"region_name": "Texas",
"location": {
"lon": "-97.7467",
"lat": "30.2627"
},
"asn": 7018
},
"data": {
"result": "success",
"mfamethod": "Voice OTP",
"subtype": "mfa",
"subject": "503R3T76MX",
"origin": "1111:1111:a111:1111:a111:aa1:1aaa:1111",
"realm": "cloudIdentityRealm",
"sourcetype": "clouddirectory",
"mfadevice": "22222222222",
"devicetype": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0",
"username": "bbbbbbb",
"target": "https://tenant name.ite1.idng.ibmcloudsecurity.com/saml/sps/auth?stateid=e9ebf986-f8dd-48ce-84cc-490bfda6ee5b"
},
"year": 2023,
"event_type": "authentication",
"month": 7,
"indexed_at": 1689692204022,
"tenantid": "3ccc333c3-3c33-3c33-c3c3-333c33ccc3c3",
"tenantname": "tenant name.ite1.idng.ibmcloudsecurity.com",
"correlationid": "CORR_ID-DD4d24ddd44-ddd4-4444-444-d444ddd4dd4",
"servicename": "authsvc",
"id": "e5555555-555e-55ee-5555-5ee5e5e555e5",
"time": 1689692191331,
"day": 18
}