Short Answer: The Action column summarizes the result of a sign-in attempt. Device-related entries describe device recognition, while Incorrect password and MFA failed indicate authentication failures.
Answer
Prerequisites
- Open Settings → Security → Access logs.
Steps
- Open Settings, then click Security and select the Access logs tab.
  The Access logs table appears with columns including Date, User, Action, IP address, and Location.
- Locate the Action column in the table.
  Each row displays a label describing the authentication event.
- Interpret the action labels:
  - New device
    Indicates the user signed in from a device or browser not previously recognized by the system.
  - Recognized device
    Indicates the user signed in from a device previously used and recognized by the system.
  - Incorrect password
    Indicates a failed login attempt due to an incorrect password.
  - MFA failed
    Indicates the multi-factor authentication step failed, meaning the second authentication factor was invalid or not verified.
  These labels provide a quick summary of the sign-in outcome.
- If any entry appears unexpected or suspicious (such as repeated failures or unknown devices), notify your administrator or security team.
  They can investigate further if necessary.
Troubleshooting
- You see many "Incorrect password" entries for the same user.
  Likely Cause:
  - The user is entering the wrong password.
  - A password manager has outdated credentials.
  - Automated login attempts may be occurring.
  Action:
  Ask the user to verify their credentials, update saved passwords, and contact the administrator if suspicious attempts continue.
- Multiple "New device" entries appear for one user in a short period.
  Likely Cause:
  - The user is signing in from multiple devices or browsers.
  - Cookies or device identifiers were cleared, making the system treat the device as new.
  Action:
  Confirm with the user which devices they used. If the activity seems unusual, escalate to your security contact.
Note: The Action labels are shown exactly as text in the Access logs table and act as a high-level summary of authentication events.
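The two Troubleshooting patterns above can be checked mechanically once rows are copied out of the table. The following is an added example, not part of the product: it assumes rows transcribed as (Date, User, Action, IP address, Location) tuples, and the timestamp format, the 10-minute window, the per-label thresholds and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"  # assumed timestamp format for the Date column

# Illustrative thresholds (assumptions): how many entries with the same
# Action label for one user inside the window are worth a closer look.
THRESHOLDS = {"Incorrect password": 3, "MFA failed": 3, "New device": 2}

# Constructed sample rows: Date, User, Action, IP address, Location.
SAMPLE_ROWS = [
    ("2024-05-01 09:00", "alice", "Recognized device", "198.51.100.7", "Berlin"),
    ("2024-05-01 09:30", "alice", "New device", "198.51.100.7", "Berlin"),
    ("2024-05-01 09:02", "bob", "Incorrect password", "203.0.113.5", "Paris"),
    ("2024-05-01 09:03", "bob", "Incorrect password", "203.0.113.5", "Paris"),
    ("2024-05-01 09:04", "bob", "Incorrect password", "203.0.113.5", "Paris"),
    ("2024-05-01 09:05", "bob", "Recognized device", "203.0.113.5", "Paris"),
    ("2024-05-01 10:00", "carol", "New device", "192.0.2.10", "Oslo"),
    ("2024-05-01 10:05", "carol", "New device", "192.0.2.44", "Lisbon"),
    ("2024-05-01 08:00", "dave", "Incorrect password", "192.0.2.77", "Rome"),
    ("2024-05-01 12:00", "dave", "Incorrect password", "192.0.2.77", "Rome"),
    ("2024-05-01 16:00", "dave", "Incorrect password", "192.0.2.77", "Rome"),
    ("2024-05-01 11:00", "erin", "MFA failed", "198.51.100.9", "Madrid"),
    ("2024-05-01 11:01", "erin", "MFA failed", "198.51.100.9", "Madrid"),
]

def review(rows, window=timedelta(minutes=10), thresholds=THRESHOLDS):
    """Return sorted (user, action) pairs that repeat within `window`."""
    times_by_key = defaultdict(list)
    for date, user, action, _ip, _location in rows:
        if action in thresholds:  # "Recognized device" is not counted
            times_by_key[(user, action)].append(datetime.strptime(date, FMT))
    findings = []
    for (user, action), times in sorted(times_by_key.items()):
        times.sort()
        n = thresholds[action]
        # Sliding window: any n consecutive entries that fit inside `window`.
        if any(times[i + n - 1] - times[i] <= window
               for i in range(len(times) - n + 1)):
            findings.append((user, action))
    return findings

if __name__ == "__main__":
    for user, action in review(SAMPLE_ROWS):
        print(f'{user}: repeated "{action}" entries, confirm with the user or escalate')
```

In the sample, dave's three failures are spread over eight hours and erin has only two MFA failures, so neither is reported with these settings.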