Push Notification Authentication (Push Authentication)
Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button.
Notifications can be sent in-band or out-of-band, using any number of communications channels.
Push notifications authenticate the user by confirming that the device registered with the authentication system – typically a mobile device – is in fact in the user’s possession. If the device is compromised by an attacker, then push notifications are compromised.
Authentication based on push notifications is gaining popularity because it provides a simple means to authenticate users, especially if used without passwords.
What are the advantages of push notification authentication?
Push notification authentication validates login attempts by sending access requests to an associated mobile device. When you register your account, you link it to a mobile device you own. Afterward, whenever you try to log in to your account, you submit your username or ID. Instead of entering your password, you receive an access request notification on your smartphone, which you can approve or decline.
There are several benefits to push notification authentication. The obvious advantage is that users won’t need to memorize and manage passwords. Additionally, notifications provide a seamless and user-friendly experience. Instead of fumbling with their phone to find and open an authenticator app, users can immediately validate their login by having the authentication request come to them. Validating an authentication request is often speedier than entering a complex password.
Google provides a push notification authentication option for its suite of online services and applications such as Gmail, Google Drive, Docs, Calendar, etc. Microsoft has also rolled out a similar service for its Outlook.com services. The setup for both services is easy and users can get started in a matter of minutes.
However, the problem with these solutions is that they only work with the services of their respective companies and limited applications that integrate with their services. This makes them unavailable to organizations that use enterprise-level and proprietary solutions. Moreover, most of these push notification technologies are offered as secondary authentication methods, and they have workarounds such as SMS and authenticator app one-time passcodes (OTPs) which make them vulnerable to crafty hackers.
Just like SMS, push notifications in and of themselves are not a security feature. Messages travel in the clear through the push provider (Apple and Google), and we have seen push services compromised in the wild.
Out-of-band authentication (OOBA) refers to an authentication process that uses a communications channel separate from the one used by the client and server trying to establish an authenticated connection. Using a separate authentication channel makes it significantly more difficult for an attacker to intercept and subvert the authentication process (e.g. via a man-in-the-middle attack), because it requires the attacker to compromise two communications channels. An example of OOBA is a customer logging into an online banking website and receiving an authentication code via SMS on their mobile device.
Push authentication is one form of OOBA, though there are multiple other ways to implement OOBA.
The security of push authentication depends on the security of the application receiving the push notification and the device on which it is running. Security therefore varies by implementation and security posture of the host device.
The advantage of push notification is that it leverages the security infrastructure of tech giants (Google, Apple), which is considered among the most secure infrastructure on the market.
Software OTP codes can be compromised using social engineering techniques. Mobile push requires an attacker to gain possession of the mobile device receiving the notification, or to cause the owner of the device to authorize a fraudulent authentication request in real time, which is a lot harder to do than stealing OTP codes via phishing and other social engineering techniques.
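The flow described above (register a device, submit a username, approve or deny on the phone) and the two security points made along the way (the push message itself is not trusted, and the approval must prove possession of the enrolled device) can be shown together in one relying-party sketch. The following is an added example and not code from the original article; it assumes a per-device HMAC secret provisioned at enrollment (a real deployment would use a device-bound asymmetric key in secure hardware), that the push payload carries only an opaque challenge id plus the context shown to the user, and that the device answers over its own authenticated channel with a signed verdict. The IP addresses and usernames are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending approval stays valid (assumed policy value)


def device_respond(secret: bytes, cid: str, context: dict, verdict: str) -> str:
    """What the authenticator app computes after the user taps approve/deny.

    The MAC covers the challenge id, the context the app actually displayed,
    and the verdict, so the push provider or a network attacker can neither
    forge an approval nor alter the details the user saw.
    """
    msg = json.dumps({"cid": cid, "context": context, "verdict": verdict},
                     sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PushAuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.devices = {}   # username -> device secret (normally in a server-side store)
        self.pending = {}   # challenge_id -> pending challenge record

    def enroll(self, username: str) -> bytes:
        """One-time enrollment: provision a secret to the user's authenticator app."""
        secret = secrets.token_bytes(32)
        self.devices[username] = secret
        return secret

    def start_login(self, username: str, context: dict) -> dict:
        """Called when the user submits their username; returns the push payload.

        The payload contains no secret. Whoever can read it at the push provider
        learns only an opaque id and the context that will be shown to the user.
        """
        if username not in self.devices:
            raise KeyError("no enrolled device for this user")
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {"user": username, "context": context,
                             "issued": self.clock(), "used": False}
        return {"challenge_id": cid, "context": context}

    def finish_login(self, cid: str, verdict: str, tag: str) -> bool:
        """Verify the device's signed verdict; True only for a valid, fresh approval."""
        rec = self.pending.get(cid)
        if rec is None or rec["used"]:
            return False                                  # unknown or replayed challenge
        if self.clock() - rec["issued"] > CHALLENGE_TTL:
            rec["used"] = True
            return False                                  # stale challenge
        # Recompute over the context the *server* issued, not whatever the push
        # channel delivered, so a tampered prompt can never yield an approval.
        expected = device_respond(self.devices[rec["user"]], cid, rec["context"], verdict)
        if not hmac.compare_digest(expected, tag):
            return False                                  # forged or mismatched response
        rec["used"] = True                                # single use, approved or denied
        return verdict == "approve"


def demo() -> bool:
    """Happy path: enroll, start a login, user approves on the device."""
    srv = PushAuthServer()
    secret = srv.enroll("alice")                          # constructed sample user
    push = srv.start_login("alice", {"ip": "203.0.113.5", "client": "web"})
    tag = device_respond(secret, push["challenge_id"], push["context"], "approve")
    return srv.finish_login(push["challenge_id"], "approve", tag)


if __name__ == "__main__":
    print("login approved:", demo())
```

The design choice worth noting is that the push notification only wakes the app up; the security decision rests on the device's signed response over the server-issued context, which is what makes the approval a proof of possession rather than a proof that a message arrived. Expiry and single use keep an approval from being reused for a later login attempt.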
The US National Institute of Standards and Technology (NIST) updated guidelines state that SMS-based OOB authentication should be deprecated because of the risk that SMS messages may be intercepted or redirected. Push notifications, when implemented properly, are resistant to interception or redirection, and are therefore more secure than SMS.