Code Room

On-call · Medium · oc-g139

Subject: Suspicious access · Level: Mid–Senior · ~35 min · Common in Reliability & on-call interviews · Industries: Technology, Software development

Question

An IdP (Okta) alert fires: a senior engineer's account authenticated successfully from their usual office IP at 14:02, then again at 14:11 from a residential IP in another country — impossible travel. Both sessions are active. The second session immediately accessed the admin console and created a new API token with broad scopes. The engineer says they're at their desk and did NOT log in from abroad. MFA shows as 'satisfied' for the second login. How do you triage, contain, and figure out how MFA was bypassed?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
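One concrete "real signal" from the scenario is the impossible-travel alert itself. The following is an added example (not part of the original page) that re-derives that alert from constructed Okta-style events, deliberately ignoring the `mfa: satisfied` field because a hijacked session or phished MFA still reports as satisfied, and then lists what the flagged session did so a responder knows which artifacts (here, the API token) to revoke first. Field names, IPs, and coordinates are assumptions chosen for the scenario, not Okta's schema.

```python
import math
from datetime import datetime

# Constructed events for the scenario (not real log data). Coordinates are
# approximate city centroids: office in London, second login from New York.
EVENTS = [
    {"ts": "2024-05-01T14:02:00Z", "user": "senior.eng", "event": "user.session.start",
     "ip": "203.0.113.10", "lat": 51.51, "lon": -0.13, "session": "sess-A", "mfa": "satisfied"},
    {"ts": "2024-05-01T14:11:00Z", "user": "senior.eng", "event": "user.session.start",
     "ip": "198.51.100.77", "lat": 40.71, "lon": -74.01, "session": "sess-B", "mfa": "satisfied"},
    {"ts": "2024-05-01T14:12:00Z", "user": "senior.eng", "event": "system.api_token.create",
     "ip": "198.51.100.77", "session": "sess-B"},
]

MAX_KMH = 900  # roughly airliner speed; faster than this between logins is impossible travel


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Session ids of logins that would have required travelling faster than max_kmh.

    The MFA outcome is intentionally not consulted: a satisfied MFA does not
    make a geographically impossible login any less suspicious."""
    logins = sorted((e for e in events if e["event"] == "user.session.start"), key=lambda e: e["ts"])
    last_by_user, flagged = {}, []
    for e in logins:
        prev = last_by_user.get(e["user"])
        if prev is not None:
            hours = (_parse(e["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                flagged.append(e["session"])
        last_by_user[e["user"]] = e
    return flagged


def actions_by_sessions(events, sessions):
    """Non-login actions taken by the flagged sessions: the containment to-do list."""
    return [e for e in events if e["session"] in sessions and e["event"] != "user.session.start"]
```

Running `actions_by_sessions(EVENTS, impossible_travel(EVENTS))` on the constructed events returns only the `system.api_token.create` event from `sess-B`, which is the token to revoke alongside terminating that session.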
