How to tell if first login with token being issued - don't want failed MFA attempts

We are trying to tag users the first time they login successfully with social and a token is issued, but we can’t figure out a good way to identify them.

We can’t use logins_count, because (from what we can tell) this number increases every time a successful username/password combo is entered, and not necessarily when a token is issued.
(For example, someone might enter a successful username/password combo but fail MFA 3 times, and their logins_count is 3)

Is there anything else (or combo of things) on the event/api we can use?

Our last resort would be calling the API to update the user’s account after we receive a “gd_auth_succeed” event, because that event does seem to wait until the token is issued, but that smells - seems like a lot more architecture/infrastructure than should be necessary for identifying something so basic.

Use Case: We want to force MFA on social logins the first time they use it if their social email matches one in a database account, but skip it otherwise.