How push notifications can revolutionize your authentication security

The many horror stories that regularly surface on the web leave no doubt that plain passwords are a cumbersome and bad security practice. A recent survey by Secret Double Octopus found that the vast majority of corporate employees are eyeing password-free technologies as their preferred method of authentication, both from a security and an ease-of-use perspective.

Among the most prominent password-free authentication methods are mobile push notifications. Several big tech companies have already provided push notification authentication alternatives for their consumer-facing products. But the bigger corporate industry was still lacking reliable push notification authentication solutions—until recently.

What are the advantages of push notification authentication?

Push notification authentication validates login attempts by sending access requests to an associated mobile device. When you register your account, you link it to a mobile device you own. Afterward, whenever you try to log in to your account, you submit your username or ID. Instead of entering your password, you receive an access request notification on your smartphone, which you can approve or decline.

There are several benefits to push notification authentication. The obvious advantage is that users won’t need to memorize and manage passwords. Additionally, notifications provide a seamless and user-friendly experience. Instead of fumbling with their phone to find and open an authenticator app, users can immediately validate their login by having the authentication request come to them. Validating an authentication request is often speedier than entering a complex password.

Google provides a push notification authentication option for its suite of online services and applications such as Gmail, Google Drive, Docs, Calendar, etc. Microsoft has also rolled out a similar service for its Outlook.com services. The setup for both services is easy and users can get started in a matter of minutes.

However, the problem with these solutions is that they only work with the services of their respective companies and limited applications that integrate with their services. This makes them unavailable to organizations that use enterprise-level and proprietary solutions. Moreover, most of these push notification technologies are offered as secondary authentication methods, and they have workarounds such as SMS and authenticator app one-time passcodes (OTPs) which make them vulnerable to crafty hackers.

Just like SMS, push notifications in and of themselves are not a security feature. Messages travel in the clear through the push provider (Apple and Google), and we have seen push services compromised in the wild.

The Secret Double Octopus enterprise push notification authentication

For all these reasons, push notification is expected to be the fastest growing authentication factor in the workspace. According to Gartner, by 2020, 50% of enterprises using mobile authentication will adopt out-of-band (OOB) mobile push as a mainstay of authentication, compared to just the 10% who are using it today.

Secret Double Octopus has developed an enterprise-grade security solution providing flexible, secure and easy-to-use push notification authentication for various applications. Secret Double Octopus succeeds where COTS solutions fail by removing bottlenecks and vulnerabilities that hackers can exploit.

To address the security limitations of push, Secret Double Octopus has introduced a unique approach of multi-route authentication. Based on a quantum-safe secret sharing scheme, this patent-pending technology prevents a single point of failure for the user identity.

The solution comes with an authentication server application that can be integrated into any application, including large enterprise platforms such as Microsoft Active Directory. Every time a login attempt is made on an employee account, an access request notification is sent to the employee’s mobile device.

Secret Double Octopus neither stores nor exchanges secrets, making it immune to man-in-the-middle attacks. The Octopus Authenticator uses multi-channel security and secret sharing to avoid exposing any single point of failure to hackers. Moreover, it integrates with biometric authentication technology already present on mobile devices for good measure.
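Why secret sharing over several routes removes the single point of failure, and why it is called quantum-safe, can be seen with the simplest such scheme, n-of-n XOR splitting. This is an added example, not Secret Double Octopus code and not its patent-pending scheme; the function names, the three-route setup and the 16-byte challenge are assumptions made for illustration.

```python
# Added illustration: n-of-n XOR secret sharing across delivery routes.
# Generic textbook scheme; NOT the vendor's patent-pending protocol.
import secrets
from functools import reduce
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, routes: int) -> List[bytes]:
    """Return one share per route; all shares are needed to rebuild."""
    if routes < 2:
        raise ValueError("need at least two routes")
    shares = [secrets.token_bytes(len(secret)) for _ in range(routes - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares


def combine(shares: List[bytes]) -> bytes:
    return reduce(xor_bytes, shares)


def share_explaining(observed: List[bytes], candidate: bytes) -> bytes:
    """Missing share that would make `candidate` the secret, given the
    shares an eavesdropper saw. One exists for EVERY candidate, so the
    observed shares rule nothing out, whatever the computing power."""
    return reduce(xor_bytes, observed, candidate)


def demo() -> tuple:
    challenge = secrets.token_bytes(16)   # constructed login challenge
    shares = split(challenge, routes=3)   # push plus two other routes (assumed)
    observed = shares[:2]                 # attacker reads two of three routes
    decoy = bytes(16)                     # arbitrary wrong guess
    forged = share_explaining(observed, decoy)
    return combine(shares) == challenge, combine(observed + [forged]) == decoy
```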

January 23rd, 2018 | Categories: Articles

About the Author:

Shimrit holds an MSc and Ph.D. from the Hebrew University in Computer Science. Her research areas primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection and prevention systems. During her Ph.D., Shimrit was a consultant for Check Point and Marvell Semiconductor and designed an intrusion detection system product there.