The Secret Security Wiki


Push Notification Authentication

Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button.

Notifications can be sent in-band or out-of-band, using any number of communications channels.

Push notifications authenticate the user by confirming that the device registered with the authentication system – typically a mobile device – is in fact in the user’s possession. If the device is compromised by an attacker, then push notifications are compromised.


Authentication based on push notifications is gaining popularity because it provides a simple means to authenticate users, especially if used without passwords.

What are the advantages of push notification authentication?

Push notification authentication validates login attempts by sending access requests to an associated mobile device. When you register your account, you link it to a mobile device you own. Afterward, whenever you try to log in to your account, you submit your username or ID. Instead of entering your password, you receive an access request notification on your smartphone, which you can approve or decline.

There are several benefits to push notification authentication. The obvious advantage is that users won’t need to memorize and manage passwords. Additionally, notifications provide a seamless and user-friendly experience. Instead of fumbling with their phone to find and open an authenticator app, users can immediately validate their login by having the authentication request come to them. Validating an authentication request is often speedier than entering a complex password.

Google provides a push notification authentication option for its suite of online services and applications such as Gmail, Google Drive, Docs, Calendar, etc. Microsoft has also rolled out a similar service for its Outlook.com services. The setup for both services is easy and users can get started in a matter of minutes.

However, the problem with these solutions is that they only work with the services of their respective companies and the limited set of applications that integrate with them. This makes them unavailable to organizations that use enterprise-level and proprietary solutions. Moreover, most of these push notification technologies are offered as secondary authentication methods, with fallbacks such as SMS and authenticator-app one-time passcodes (OTPs), so an attacker who can exploit the weaker fallback channel bypasses the push factor altogether.

Just like SMS, push notifications in and of themselves are not a security feature. Messages travel in the clear through the push provider (Apple and Google), and we have seen push services compromised in the wild.
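The consequence of that last point is that the push itself should carry nothing secret: it is only a prompt, and the proof of approval must come from the registered device. The following toy server/device exchange is an added illustration of the login flow described above, not code from this wiki or from any vendor; it assumes a per-device HMAC key bound at registration, a 60-second challenge lifetime, and the names used here.

```python
import hmac
import hashlib
import secrets
import time


def approval_tag(device_key, challenge_id, decision, context):
    """What the device app computes after the user taps approve or deny.
    Binding the displayed context into the tag means the user approves
    exactly what they saw. (Assumed scheme for this example.)"""
    msg = f"{challenge_id}|{decision}|{context}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class PushAuthServer:
    """Minimal push-notification authenticator (constructed example).
    The push channel is treated as untrusted: the payload holds only an
    opaque challenge id and display details, never the device key."""
    CHALLENGE_TTL = 60  # seconds a pending request stays valid (assumed)

    def __init__(self):
        self.devices = {}     # username -> key shared with the device at enrollment
        self.challenges = {}  # challenge_id -> (username, issued_at, context)

    def register_device(self, username):
        key = secrets.token_bytes(32)  # provisioned to the app once, at enrollment
        self.devices[username] = key
        return key

    def start_login(self, username, context, now=None):
        """User submitted only a username; returns the push payload to send."""
        if username not in self.devices:
            raise KeyError("no device registered for this account")
        cid = secrets.token_hex(16)
        issued = now if now is not None else time.time()
        self.challenges[cid] = (username, issued, context)
        return {"challenge_id": cid, "context": context}  # safe to send in the clear

    def verify(self, challenge_id, decision, tag, now=None):
        """Accept the login only for a fresh, unused challenge with a valid tag."""
        username, issued, context = self.challenges.pop(challenge_id, (None, 0, None))
        current = now if now is not None else time.time()
        if username is None or current - issued > self.CHALLENGE_TTL:
            return False  # unknown, already consumed (replay) or expired
        expected = approval_tag(self.devices[username], challenge_id, decision, context)
        return decision == "approve" and hmac.compare_digest(expected, tag)
```

Reading the push payload, or replaying an earlier approval, is not enough to log in; only a device holding the enrolled key can produce an accepted tag, and each challenge is consumed on first use.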