New Methods Could Improve Security Of Two-Factor Authentication Systems


When utilized as second-factor authentication, push notifications work as an additional layer of security to protect users’ online accounts from attackers.

Getty Images


As an extra layer of security, several online services have adopted push notification-based two-factor authentication systems, whereby users must approve login attempts through a mobile device. In current authentication systems, especially the “tap to approve” approach, there is no explicit link that indicates correspondence between the user’s browser session and the notification they receive on their device. This vulnerability can be exploited by an attacker.

To address this issue, a team of researchers that includes Nitesh Saxena, professor in the Department of Computer Science and Engineering at Texas A&M University, has designed new, easy-to-use methods to counter the vulnerabilities in push notification-based two-factor authentication systems.

“The mechanisms we designed have a similar usability to the original push notification-based authentication method, but they improve security against concurrent login attacks,” said Saxena. “If a user receives two notifications, the notification that corresponds to the browser’s session of the attacker will differ. Therefore, the user should be able to detect that something is amiss and not accept the wrong notification.”

The team’s paper describing the research was published in the proceedings from the 2021 Institute of Electrical and Electronics Engineers’ European Symposium on Security and Privacy (EuroS&P), one of the premier venues for cutting-edge cybersecurity research.

Push notifications are clickable pop-up messages sent directly to a user’s mobile or desktop device via an installed application. They can appear at any time and show various things such as the weather, breaking news, missed calls or text messages, reminders, etc.

They can also be utilized as second-factor authentication (or password-less authentication), which works as an additional layer of security to protect users’ online accounts from attackers. With push notification authentication, a push notification is sent directly to a mobile device —…