Detection: MFA Factor Removed

Overview

Detect when a registered multi-factor authentication (MFA) factor (such as a TOTP app, SMS number, or hardware security key) is removed from a GitHub account. While this may occur during account updates or device changes, it can also indicate that an attacker is weakening account protections to maintain persistent access. Monitoring these events helps detect suspicious changes to MFA settings and protect account security.

References:

Configuring two-factor authentication

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.mfa_method_removed

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.mfa_method_removed --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_security_log
where
  action in ('two_factor_authentication.remove_factor')
order by
  tp_timestamp desc;

Detection: MFA Factor Removed

Overview

Usage

SQL

Tags