What Is Push Authentication (2FA)?

Javed Shah

Authentication is a constant challenge for enterprise organizations managing teams accessing system resources from anywhere, at any time. New technologies are leveraging mobile devices to address this challenge.

What is push authentication? Push authentication uses a mobile device and authentication service to send authentication requests via mobile push notifications.

Multi-Factor and Out-of-Band Authentication

Push authentication is a component of MFA architectures using out-of-band authentication (OOBA) to verify a user’s identity with high confidence.

As discussed in this blog, multi-factor authentication is an approach to identity verification that requires users to provide at least two forms of credentials across different verification categories. These categories generally include:

  • Knowledge: A username/password combination or PIN.
  • Ownership: A One-Time Password (OTP) or token acquired through SMS, email, or an authentication device.
  • Inherence: Proof of identity through biological or physiological factors like fingerprints, facial scans, or iris scans.

The strength of an MFA architecture depends on its use of distinct categories. For example, a robust MFA scheme might call for a password, and an OTP sent via SMS to verify identity. If a solution uses two of the same factors, it loses its strength and usefulness.

MFA is such an essential part of cybersecurity that the National Institute of Standards and Technology (NIST) maintains Special Publication 800-63, “Digital Identity Guidelines,” to provide federal agencies and private companies with a framework for secure authentication.

On top of its description of appropriate MFA factors, NIST SP 800-63 requires that MFA architectures use out-of-band authentication, in which the channel used to provide the first set of credentials is distinct from the next one.

For example, if a user enters their password using a web interface and Wi-Fi, OOBA calls for the next step to use different communication means. This can mean device-based authentication, biometric scans, etc.

One of these proper channels is a mobile device, which makes some sense–a user can receive texts and emails to a phone the same as a computer. However, these methods aren’t entirely secure.

For instance, iPhone users might use SMS OTPs as their second authentication factor, which can open them up to theft if someone else has access to a connected Mac computer also receiving those same SMS texts.

How Does Push Authentication Work?

Push authentication addresses this problem. The push authentication system uses a secure authentication server to field login requests. When the user enters a password or PIN,

  1. The server will send a push notification to the user’s mobile device, tied to their phone number. This notification, or the “challenge,” will be signed with a private key.
  2. The notification will come from an associated app on the phone using public-ley encryption. The challenge, signed with a private key, will be verified with a public key associated with the app and phone.
  3. Once the user receives the notification, they can approve or deny it. Since the challenge has been verified, the user may tap the verification to authorize, eliminating the need to transfer OTPs or tokens across public Internet connections.
  4. The authenticated challenge is sent to the server, and the user may access their system account and resources.

What Are the Advantages and Challenges of Push Authentication?

Because of the mechanisms involved with push notifications and authentication, implementing the technology will provide several advantages to your infrastructure. These benefits come in no small part due to the features and capabilities that always-on mobile devices may support.

Some advantages of push authentication include:

  • Registration and Authentication: Authentication requests processed through a push notification system will do so through a registered account within that authentication system. This provides additional layers of security outside of SMS or email authentication.
  • Security: Fewer attack surfaces exist because the authentication challenge isn’t moving through open SMS or email. The user must have the phone to authenticate using push notifications.
  • Convenience: Push authentication is a single-push solution. The user gets a notification, tap it to approve, and they are authenticated.
  • Passwordless Authentication: Push authentication is a form of MFA, but it can serve as a primary form of authentication in which the user doesn’t have to enter passwords manually. Like biometric authentication, a passwordless system can rely on push authentication such that a user accessing system resources has to tap a notification from their authentication app.
  • Complex Credentials: If using a passwordless system with push notifications, you can include arbitrarily long and complex passwords for additional security. Not having to remember the password so long as you have a mobile device, the user can rely on best security practices.
  • Compromised Account Alerts: If a hacker tries to use a password to access your account, you can get an alert via a push and shutdown the login attempt. You can mitigate the threat within 5 minutes with an immediate password update.

As with any technology, however, some challenges come with push authentication:

  • Internet Connections: To leverage push authentication, the user must have an active wireless or mobile connection. In our modern world of always-on internet connectivity, this isn’t that much of a deal, but it can present issues if a user doesn’t want to connect their phone to unknown Wi-Fi networks.
  • Lack of Attention: if the user receives several notifications in rapid succession (and doesn’t spend much time looking at their notifications), they may approve unauthorized logins without knowing what they are doing.

Where Is Push Authentication Used?

The ubiquity of mobile devices capable of receiving push notifications makes this technology a seeming slam-dunk. However, it’s important to note that implementing this technology requires a provider that can offer the underlying authentication infrastructure (including authentication, mobile communication capabilities, etc.).

In the consumer and enterprise space, larger service providers like Google and Microsoft may offer push notification tools for their cloud services. However, these solutions are somewhat limited, requiring the company to use that suite of services.

Likewise, enterprise solutions can be tailored to a company’s specific needs. Still, they will require a management provider to maintain the technology, ensure it remains secure and updated, and so on.

That being said, nearly any company could benefit from a push authentication system. Enterprises that rely on users interfacing with each other via phones or tablets, especially in a distributed, remote work environment.

Take Advantage of Secure Push Authentication with 1Kosmos

Push is a powerful tool in your cybersecurity toolbox that, alongside modern technologies like distributed ID management, mobile-first user experiences, and compliant infrastructures, eases employee access without sacrificing authentication.

1Kosmos is pushing authentication into the future, eschewing the old password systems for modern, secure identity systems that combine passwordless authentication with blockchain-driven identity management.

With 1Kosmos, you get the following features:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

If you’re ready to learn about BlockID and how it can help you remain compliant and secure, learn more about what it takes to Go Beyond Passwordless Solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.