
What Is Push Authentication (2FA)?

Javed Shah


Enterprise organizations face a constant authentication challenge: their teams access system resources from anywhere, at any time. Mobile devices offer new ways to address this problem.

Push authentication uses a mobile device and an authentication service to deliver login requests as mobile push notifications.

Multi-factor and out-of-band authentication

Push authentication is one component of MFA architectures that use out-of-band authentication (OOBA) to verify a user's identity with high confidence.

Multi-factor authentication requires users to provide at least two forms of credentials across different verification categories:

  • Knowledge: A username/password combination or PIN.

  • Ownership: A One-Time Password (OTP) or token acquired through SMS, email, or an authentication device.

  • Inherence: Proof of identity through biological or physiological factors like fingerprints, facial scans, or iris scans.

The strength of an MFA architecture depends on combining distinct categories. A robust MFA scheme might require a password and an OTP sent via SMS to verify identity. If a solution uses two factors from the same category, it loses strength and usefulness.

The National Institute of Standards and Technology (NIST) maintains Special Publication 800-63, "Digital Identity Guidelines," providing federal agencies and private companies with a framework for secure authentication.

NIST SP 800-63 requires MFA architectures to use out-of-band authentication, in which the channel that carries the second credential differs from the one that carried the first.

If a user enters their password through a web interface over Wi-Fi, OOBA calls for the next step to travel over a different communication channel. This can be device-based authentication, a biometric scan, or another method.

A mobile device is one such channel. A phone can receive texts and emails just as a computer can, but those delivery methods have security limitations.

An iPhone user who relies on SMS OTPs as the second factor is exposed if someone else has access to a linked Mac that also receives those same SMS messages.

How push authentication works

Push authentication addresses this problem by using a dedicated authentication server to field login requests. After the user enters a password or PIN:

  1. The server sends a push notification, or "challenge," to the mobile device tied to the user's phone number. The challenge is signed with a private key.

  2. The notification is delivered to the associated app on the phone, which checks it using public-key cryptography: the challenge, signed with the private key, is verified against the public key associated with the app and phone.

  3. Once the user receives the verified notification, they approve or deny it. Because the challenge has already been verified, a single tap authorizes the login, and no OTP or token has to travel across a public Internet connection.

  4. The approved challenge is returned to the server, and the user gains access to their account and resources.
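The four steps above, worked through end to end as an added Go example. This is not 1Kosmos code and does not describe any vendor's wire protocol: the Ed25519 key pairs, the JSON challenge layout, the 60-second expiry and the device-signed reply are all assumptions made for the illustration. The server signs a challenge only after the password check, the app refuses to display anything whose signature does not verify against the server key it trusts, and the approval it sends back is bound to the nonce and signed with a key the server recorded at enrollment, so the server can enforce single use, expiry and that the answer really came from the enrolled phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Challenge is the push payload: a one-time nonce plus the login context the app shows
// the user. The app returns the same structure with Approved set, signed by its own key.
type Challenge struct {
	Nonce     string    `json:"nonce"`
	User      string    `json:"user"`
	Service   string    `json:"service"`
	ClientIP  string    `json:"client_ip"`
	ExpiresAt time.Time `json:"expires_at"`
	Approved  bool      `json:"approved,omitempty"`
}

type Signed struct{ Payload, Signature []byte } // JSON bytes plus an Ed25519 signature over them

// mustRandom returns n bytes from the OS CSPRNG or refuses to run at all.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func newKey() ed25519.PrivateKey { return ed25519.NewKeyFromSeed(mustRandom(ed25519.SeedSize)) }

// Server keeps its signing key, one enrolled device key per user and the open challenges.
type Server struct {
	priv    ed25519.PrivateKey
	devices map[string]ed25519.PublicKey
	pending map[string]Challenge
}

func NewServer() *Server { return &Server{newKey(), map[string]ed25519.PublicKey{}, map[string]Challenge{}} }
func (s *Server) Pub() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Enroll binds a device key to a user: the registration step that sets push apart from SMS or email.
func (s *Server) Enroll(user string, devPub ed25519.PublicKey) { s.devices[user] = devPub }

// IssueChallenge is step 1: after the password check, sign a fresh 60-second challenge.
func (s *Server) IssueChallenge(user, service, clientIP string) Signed {
	c := Challenge{Nonce: fmt.Sprintf("%x", mustRandom(16)), User: user, Service: service,
		ClientIP: clientIP, ExpiresAt: time.Now().Add(60 * time.Second)}
	payload, _ := json.Marshal(c) // cannot fail for this plain struct
	s.pending[c.Nonce] = c
	return Signed{Payload: payload, Signature: ed25519.Sign(s.priv, payload)}
}

// Device is the authenticator app: it trusts one server key and owns its own key pair.
type Device struct {
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey
}

func NewDevice(serverPub ed25519.PublicKey) *Device { return &Device{newKey(), serverPub} }
func (d *Device) Pub() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Receive is step 2: verify the server signature before showing any prompt; a forged push
// fails here with ok == false and the user never sees it.
func (d *Device) Receive(sc Signed) (c Challenge, ok bool) {
	if ed25519.Verify(d.serverPub, sc.Payload, sc.Signature) {
		ok = json.Unmarshal(sc.Payload, &c) == nil
	}
	return
}

// Respond is step 3: the user taps approve or deny; the app signs the challenge it displayed
// together with that decision, using the device key the server enrolled.
func (d *Device) Respond(c Challenge, approve bool) Signed {
	c.Approved = approve
	body, _ := json.Marshal(c)
	return Signed{Payload: body, Signature: ed25519.Sign(d.priv, body)}
}

// Complete is step 4: grant access only for a device-signed, unexpired, single-use approval.
func (s *Server) Complete(user string, r Signed) error {
	devPub, ok := s.devices[user]
	if !ok || !ed25519.Verify(devPub, r.Payload, r.Signature) {
		return fmt.Errorf("response not signed by the device enrolled for %q", user)
	}
	var d Challenge
	if err := json.Unmarshal(r.Payload, &d); err != nil {
		return err
	}
	c, ok := s.pending[d.Nonce]
	delete(s.pending, d.Nonce) // single use: approve and deny both consume the challenge
	if !ok || c.User != user || time.Now().After(c.ExpiresAt) {
		return fmt.Errorf("challenge unknown, already used, expired or not for %q", user)
	}
	if !d.Approved {
		return fmt.Errorf("user denied the login")
	}
	return nil
}
```

Two design points worth noting. The app returns the whole challenge it displayed, not just the nonce, so the server's record of what the user saw and what the user approved are the same signed bytes. And a denial consumes the challenge exactly like an approval does, so an attacker who holds the password cannot keep the same prompt alive and try again; they have to trigger a new one, which is visible and can be rate limited.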

Advantages and challenges of push authentication

Push authentication offers several infrastructure advantages that build on the capabilities of always-on mobile devices.

  • Registration and authentication: Authentication requests sent via push pass through an account registered within the authentication system, adding a layer of security that SMS and email authentication lack.

  • Security: The attack surface is smaller because the challenge does not travel over open SMS or email, and the user must physically hold the phone to authenticate.

  • Convenience: Push authentication is a single-tap solution. The user receives a notification, taps to approve, and is authenticated.

  • Passwordless authentication: Push can serve as the primary form of authentication, so users never type a password. As with biometric authentication, a passwordless system can rely on push: users who want to access system resources tap a notification in their authentication app.

  • Complex credentials: Passwordless systems built on push can still back the account with arbitrarily long and complex passwords for additional security. Users never need to remember the password as long as they have their mobile device.

  • Compromised account alerts: If an attacker tries to log in with a stolen password, the user receives a push alert and can deny the attempt. An immediate password change can mitigate the threat within 5 minutes.

Push authentication has some challenges:

  • Internet connections: Users need an active Wi-Fi or mobile data connection to use push authentication. With today's always-on connectivity this rarely causes trouble, but it can be a problem when users are unwilling to connect their phone to an unknown Wi-Fi network.

  • Lack of attention: Users who receive several notifications in rapid succession, and barely look at them, may approve an unauthorized login without realizing what they are doing.
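The compromised-account alert above and the rapid-fire notification problem are two sides of the same event stream, and both translate into detection and throttling logic. The following Go example is added here and is not from the original article or from 1Kosmos. It runs over a constructed authenticator audit log (the event format, field names and the policy of three prompts per five minutes are all assumptions) and flags a burst of prompts to one user, which is the condition under which a tired user taps approve, as well as any explicit denial, which means someone who is not the user got past the password step. ShouldIssue shows the matching server-side throttle that stops the flood from reaching the phone in the first place.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PushEvent is one record from a constructed authenticator audit log.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // "issued", "approved" or "denied"
}

// Alert is what the detection hands to the SOC or to an automated lockout.
type Alert struct {
	User, Kind, Detail string // Kind is "push_burst" or "denied_after_password"
}

// Policy tunes the detection. The values used below are assumptions, not any vendor's defaults.
type Policy struct {
	Window    time.Duration // sliding window in which challenges are counted
	MaxIssued int           // challenges allowed per user inside Window
}

// Analyze flags two conditions: a burst of prompts to one user, which invites a reflexive
// approval, and any denial, which means the password step was passed by someone else.
func Analyze(events []PushEvent, p Policy) []Alert {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order

	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var issued []time.Time
		burst, denied := false, false
		for _, e := range evs {
			switch e.Result {
			case "issued":
				issued = append(issued, e.At)
				for len(issued) > 0 && e.At.Sub(issued[0]) > p.Window { // slide the window
					issued = issued[1:]
				}
				if len(issued) > p.MaxIssued && !burst {
					burst = true
					alerts = append(alerts, Alert{u, "push_burst",
						fmt.Sprintf("%d challenges within %s", len(issued), p.Window)})
				}
			case "denied":
				if !denied {
					denied = true
					alerts = append(alerts, Alert{u, "denied_after_password",
						"user denied a prompt; force a password reset and review the login source"})
				}
			}
		}
	}
	return alerts
}

// ShouldIssue is the server-side throttle: refuse another push while the user already has
// MaxIssued recent challenges, so the phone cannot be flooded until its owner taps approve.
func ShouldIssue(recent []PushEvent, user string, now time.Time, p Policy) bool {
	n := 0
	for _, e := range recent {
		if e.User == user && e.Result == "issued" && now.Sub(e.At) <= p.Window {
			n++
		}
	}
	return n < p.MaxIssued
}

// SampleLog is constructed: alice is being flooded, bob denied one prompt, carol logged in normally.
func SampleLog() []PushEvent {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	ev := []PushEvent{
		{t0, "carol", "issued"}, {t0.Add(20 * time.Second), "carol", "approved"},
		{t0.Add(time.Minute), "bob", "issued"}, {t0.Add(70 * time.Second), "bob", "denied"},
	}
	for i := 0; i < 6; i++ { // six prompts to alice inside two minutes
		ev = append(ev, PushEvent{t0.Add(time.Duration(i*15) * time.Second), "alice", "issued"})
	}
	return ev
}

func main() {
	p := Policy{Window: 5 * time.Minute, MaxIssued: 3}
	for _, a := range Analyze(SampleLog(), p) {
		fmt.Printf("%-6s %-22s %s\n", a.User, a.Kind, a.Detail)
	}
	now := time.Date(2024, 1, 15, 9, 2, 0, 0, time.UTC)
	fmt.Println("send another push to alice?", ShouldIssue(SampleLog(), "alice", now, p))
}
```

On the constructed log, alice trips the burst rule at her fourth prompt and bob's single denial is enough to raise the compromised-password alert, while carol's normal login produces nothing. The throttle and the detector use the same window so that what the server refuses to send and what the SOC is told about line up.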

Where push authentication is used

Mobile devices capable of receiving push notifications are ubiquitous. Implementing this technology requires a provider that can supply the underlying infrastructure: authentication servers and the means to reach mobile devices.

In the consumer and enterprise space, larger service providers such as Google and Microsoft offer push notification tools for their own cloud services. These solutions are somewhat limited because they tie companies to that provider's suite of services.

Enterprise solutions can be tailored to a company's specific needs but require a management provider to maintain the technology, keep it secure and updated, and handle ongoing operations.

Nearly any company could benefit from push authentication. Enterprises whose users work from phones or tablets, especially in distributed, remote work environments, see particular advantages.

Secure push authentication with 1Kosmos

1Kosmos combines passwordless authentication with blockchain-driven identity management, offering distributed ID management, mobile-first user experiences, and compliant infrastructures that ease employee access without sacrificing authentication.

  • Identity-based authentication: 1Kosmos uses biometrics to identify individuals through credential triangulation and identity verification.

  • Cloud-native architecture: Flexible and scalable cloud architecture makes it simple to build applications using standard APIs and SDKs.

  • Identity proofing: 1Kosmos verifies identity anywhere, anytime, and on any device with over 99% accuracy.

  • Privacy by design: 1Kosmos protects personally identifiable information in a distributed identity architecture, and the encrypted data is accessible only by the user.

  • Private and permissioned blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and makes them accessible only to the user. Its distributed design leaves no central database to breach and no honeypot for hackers to target.

  • Interoperability: 1Kosmos can readily integrate with existing infrastructure through 50+ out-of-the-box integrations or via API/SDK.

Enter our orbit.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
