MFA Inventory: How to Audit and Track Users' Multi-Factor Authentication Methods

Leveraging Okta MFA Enrollment Reports

What to capture

In Okta, build your MFA inventory from two sources: the MFA enrollment/usage report for who is registered and active, and the System Log for detailed MFA audit logs (enrollment, prompts, approvals). Together, they reveal which authenticators users registered, when they last used a second factor authentication, and gaps to remediate. ([help.okta.com](https://help.okta.com/oie/en-us/content/topics/reports/mfa-usage-report.htm))

How to generate the report

• In the Admin Console, go to Reports → Multifactor Authentication → MFA Usage, request the report, and download the CSV. It lists each user’s enrolled authenticator(s) and last-used timestamps, enabling quick MFA coverage analysis. ([help.okta.com](https://help.okta.com/oie/en-us/content/topics/reports/mfa-usage-report.htm))
• Augment with System Log searches or API queries to track enrollment and verification events across methods (for example, push, TOTP, passkeys). Use event-type filters to isolate MFA-related activity and enrollment flows. ([developer.okta.com](https://developer.okta.com/docs/reference/api/event-types/))

Operational tips

• Normalize factor names (for example, Okta Verify Push vs. TOTP) and map them to acceptable methods in policy.
• Trend “last used” by factor to find stale enrollments and clean up dormant or duplicate registrations.
• Integrate these outputs into identity service monitoring so alerts fire when MFA enrollment or usage falls below target. ([help.okta.com](https://help.okta.com/oie/en-us/content/topics/reports/mfa-usage-report.htm))

Utilizing Snowflake MFA Methods Command

Inventory via SQL

Snowflake exposes a purpose-built command—SHOW MFA METHODS—to enumerate each user’s second factor authentication methods. You can run it per user or for the current user; output includes method type (PASSKEY, TOTP, DUO), names, and timestamps (created_on, last_used). This is ideal for precise, auditable listings. ([docs.snowflake.com](https://docs.snowflake.com/en/sql-reference/sql/show-mfa-methods))

USE ROLE ACCOUNTADMIN;
SHOW MFA METHODS FOR USER <username>;

Account-wide view

For scalable reporting, query SNOWFLAKE.ACCOUNT_USAGE.CREDENTIALS where DOMAIN = 'MFA_METHOD' to list enrolled PASSKEY/TOTP methods across all users (note that DUO isn’t included in this view; use SHOW MFA METHODS to supplement). Join to ACCOUNT_USAGE.USERS to add roles or status for a complete MFA inventory. ([docs.snowflake.cn](https://docs.snowflake.cn/en/sql-reference/account-usage/credentials))

Governance pointers

• Track last_used to detect unused registrations and nudge users toward stronger methods (for example, passkeys) as policy evolves. ([docs.snowflake.com](https://docs.snowflake.com/en/sql-reference/sql/show-mfa-methods))
• Store scheduled exports for change history and MFA audit logs alongside other platform telemetry. ([docs.snowflake.cn](https://docs.snowflake.cn/en/sql-reference/account-usage/credentials))

Configuring AWS IAM MFA Devices

Inventory and configuration

Build your AWS MFA inventory with two core tools: the IAM credential report (mfa_active column) for a tenant-wide snapshot, and per-user device listings for MFA device registration details. Together they verify who must register, who has devices, and which methods are in use. ([docs.aws.amazon.com](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html?utm_source=openai))

# Organization-wide snapshot
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d