Is that really you? New method fixes flaws in two-factor authentication

Shutterstock.com/Thapana Onphalai

As an extra layer of security, several online services have adopted push notification-based two-factor authentication systems, whereby users must approve login attempts through a mobile device. In current authentication systems, especially the “tap to approve” approach, there is no explicit link that indicates correspondence between the user’s browser session and the notification they receive on their device. This vulnerability can be exploited by an attacker.

To address this issue, a team of researchers that includes Nitesh Saxena, professor in the Department of Computer Science & Engineering, has designed new, easy-to-use methods to counter the vulnerabilities in push notification-based two-factor authentication systems.

“The mechanisms we designed have a similar usability to the original push notification-based authentication method, but they improve security against concurrent login attacks,” said Saxena. “If a user receives two notifications, the notification that corresponds to the browser’s session of the attacker will differ. Therefore, the user should be able to detect that something is amiss and not accept the wrong notification.”

The team’s paper describing the research was published in the proceedings from the 2021 Institute of Electrical and Electronics Engineers’ European Symposium on Security and Privacy (EuroS&P), a premier venue in cutting-edge cybersecurity research.

Push notifications are clickable pop-up messages sent directly to a user’s mobile or desktop device via an installed application. They can appear at any time and show various things such as the weather, breaking news, missed calls or text messages, reminders, etc.

They can also be utilized as second-factor authentication (or password-less authentication), which works as an additional layer of security to protect users’ online accounts from attackers. With push notification authentication, a push notification is sent directly to a mobile device—usually a smartphone—registered to an online account, alerting the user that a login attempt is taking place. The user can then review the notification details and either approve or deny the request by tapping a button.

More at the College of Engineering