Improve OKTA Location Detection
Hi,
This is really a message for your security / authentication engineers.
When you use Okta PUSH MFA, the popup on my mobile device reads "Did you just try to sign in? near Ashburn, Virginia, United States"
I am not near Ashburn, that's your server location. We use Okta Push at our company and had the same issue. It's a simple fix, tell your engineers to add:
'X-Forwarded-For': <users ip>,
With the user IP address that is sent to Okta, and it should geolocate properly. This is a small, albeit actual security issue with MongoDB, as I cannot safely differentiate between my own login request and a potential account takeover attack. In other words, because the location is not being provided properly, a user can circumvent my MFA by having just my password, and relying on an errant click since I may not realize the push request came from somewhere else.
This is an easy fix for an actual security issue at MongoDB and you should probably elevate. I do consider that your engineers are probably aware of the issue, but I'm uncertain why they haven't fixed it :)
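The fix described in the post, as an added example that is not MongoDB's or Okta's own code: the service that calls Okta on the user's behalf resolves the real end-user IP from the inbound request and places it in the `X-Forwarded-For` header of its server-side Okta request (Okta's Authentication and Factors APIs document this header as the originating client address). The trusted-proxy walk is there for the caveat a practitioner would want: if the first entry of the inbound `X-Forwarded-For` chain were trusted blindly, a user could write any address into it and choose the location shown in the push prompt, which would defeat the point of the check. The proxy ranges, token and sample addresses are assumptions for illustration.

```python
"""Pass the real end-user IP to Okta so push-MFA geolocation is correct.

Added example, not MongoDB's or Okta's code. Assumes the application sits
behind reverse proxies that append the peer address to X-Forwarded-For and
that the downstream Okta call accepts an X-Forwarded-For header (documented
for Okta's authn and factor-verify endpoints). Proxy ranges, token and IPs
below are constructed placeholders.
"""
import ipaddress
from typing import Iterable, Optional


def client_ip_from_request(remote_addr: str,
                           xff_header: Optional[str],
                           trusted_proxies: Iterable[str]) -> str:
    """Pick the end-user IP from an inbound request.

    The X-Forwarded-For chain is walked right to left, skipping hops that
    belong to our own trusted proxy ranges. The first untrusted hop is the
    address our proxy appended, i.e. the real client. Everything further
    left was supplied by the client and is ignored, so a user cannot spoof
    the location Okta shows in the push prompt.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in n for n in nets)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [remote_addr]          # remote_addr is the TCP peer (nearest hop)
    for hop in reversed(chain):
        if not trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break                     # malformed hop: do not trust anything left of it
    # Every hop was one of our proxies (or the chain was malformed):
    # fall back to the socket peer rather than a client-supplied value.
    return remote_addr


def okta_request_headers(api_token: str, client_ip: str) -> dict:
    """Headers for the server-side Okta call (e.g. POST /api/v1/authn or the
    factor verify endpoint). X-Forwarded-For carries the end user's address
    so Okta geolocates the push prompt from the user, not from our server."""
    return {
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Forwarded-For": client_ip,
    }


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 behind two of our proxies in 10.0.0.0/8.
    ip = client_ip_from_request("10.0.0.5", "203.0.113.7, 10.0.0.9", ["10.0.0.0/8"])
    print(okta_request_headers("<OKTA_API_TOKEN placeholder>", ip))
```

Only addresses appended by infrastructure you control are trusted; the list of proxy ranges must match your actual edge, otherwise the header is either ignored (location falls back to the server, the original complaint) or honoured from client input (spoofable).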
Thank you for your kind feedback. This issue has been fixed and the Okta Push app should now show the correct location. Thank you!