1. The purpose of this post

In this post I summarize the pros and cons of mobile push authentication.

2. What is push authentication?

  • When you register on the website, you pair your phone (the authenticator app on it) with your account [figure: mobile_push_authentication_register]

  • When you log in, you provide only your username; no password is needed. Your phone receives a push notification, and you tap it to approve or decline the login request [figure: mobile_push_authentication_login]

3. Pros and Cons of the Push Authentication

  • Pros
    • password free: users have nothing to remember, and the service stores no password hashes that could leak
    • out-of-band: the approval arrives on the phone, a channel separate from the browser session being authenticated, so an attacker who controls that session cannot see or answer it
    • seamless and user-friendly: the user taps approve instead of transcribing a code, which is faster than OTP entry (the provider's authenticator app still has to be installed on the phone)
    • low cost and ease of administration: no hardware tokens to buy, ship or replace
    • more secure
      • no codes: nothing to read over a shoulder or type into a phishing page
      • needs user intervention (tap to approve)
      • if the phone is stolen, the phone's PIN/Touch ID/Face ID protects the push notification
      • accepted by NIST SP 800-63B as an out-of-band authenticator
  • Cons
    • works only with services that support it, mostly large providers and a limited set of apps
    • most deployments use push only as a second factor and keep SMS-based OTP as a fallback, so the account is only as strong as that weaker fallback
    • the notification passes through a third-party push provider (Apple's APNs or Google's FCM) that can read the payload unless the app encrypts it, so anything in the push must be treated as exposed: the push should carry only a reference to the pending request, and the approval itself must travel over the app's own authenticated connection, never through the push channel
    • users tend to tap approve on any prompt; attackers exploit this by triggering repeated login requests until one is approved (push fatigue or prompt bombing). Showing where the request came from and requiring the user to enter a number displayed on the login screen (number matching) blunts this
    • users need a smartphone with an internet connection; if the phone is offline the push never arrives and the login stalls
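
The register/login exchange from section 2 and the "users tend to tap approve" con above, as an added example that is not code from the original post. It assumes a simulated push outbox in place of APNs/FCM, a per-device HMAC secret shared at registration in place of the asymmetric device key a real product would use, and number matching as the countermeasure to reflexive approvals; the server, device and scenario names are illustrative only.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original post. Assumptions: the "push" is a
# list standing in for APNs/FCM; the device proves possession with an HMAC over
# a per-device secret shared at registration (a real deployment would use an
# asymmetric device key); number matching counters reflexive "approve" taps.

CHALLENGE_TTL = 60  # seconds a login request remains approvable


def _mac(secret, request_id, nonce, action, number):
    """Device's proof that it saw this exact request and chose this action."""
    msg = f"{request_id}|{nonce}|{action}|{number}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.devices = {}   # username -> device secret set at registration
        self.pending = {}   # request_id -> challenge details
        self.used = set()   # consumed request_ids (replay protection)
        self.pushes = []    # simulated push-provider outbox

    def register(self, username, device_secret):
        self.devices[username] = device_secret

    def login_start(self, username, client_ip, now=None):
        """Browser submits a username; server creates a challenge and pushes a reference."""
        if username not in self.devices:
            return None
        now = time.time() if now is None else now
        request_id = secrets.token_hex(16)
        self.pending[request_id] = {
            "username": username,
            "nonce": secrets.token_hex(16),
            "number": secrets.randbelow(100),  # shown in the browser for number matching
            "client_ip": client_ip,
            "expires": now + CHALLENGE_TTL,
        }
        # The push provider can read this payload, so it carries only a reference:
        # no nonce, no number, nothing that lets anyone approve the request.
        self.pushes.append({"to": username, "request_id": request_id})
        return request_id, self.pending[request_id]["number"]

    def fetch_request(self, username, request_id):
        """Device pulls the request details over its own authenticated session."""
        ch = self.pending.get(request_id)
        if ch is None or ch["username"] != username:
            return None
        return {"nonce": ch["nonce"], "client_ip": ch["client_ip"]}

    def login_finish(self, request_id, action, number, mac, now=None):
        """Consume the request (one attempt only) and decide the outcome."""
        now = time.time() if now is None else now
        ch = self.pending.pop(request_id, None)
        if ch is None or request_id in self.used or now > ch["expires"]:
            return "rejected"
        self.used.add(request_id)
        expected = _mac(self.devices[ch["username"]], request_id, ch["nonce"], action, number)
        if not hmac.compare_digest(expected, mac):
            return "rejected"  # not signed by the registered device
        if action != "approve" or number != ch["number"]:
            return "denied"    # declined, or the user could not see the login screen
        return "approved"


class Device:
    """The phone: fetches the request, then signs the user's decision."""
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, server, request_id, action, number_entered):
        details = server.fetch_request(self.username, request_id)
        if details is None:
            return None
        mac = _mac(self.secret, request_id, details["nonce"], action, number_entered)
        return request_id, action, number_entered, mac


def demo():
    """Run the happy path plus the failure modes; returns the outcome per scenario."""
    server = Server()
    secret = secrets.token_bytes(32)
    server.register("alice", secret)
    phone = Device("alice", secret)
    out = {}
    # Legitimate login: the user reads the number on their own screen and enters it.
    rid, shown = server.login_start("alice", "203.0.113.10")
    resp = phone.respond(server, rid, "approve", shown)
    out["legit"] = server.login_finish(*resp)
    out["replay"] = server.login_finish(*resp)  # same approval sent again
    # Prompt bombing: attacker triggers a push; user taps approve but cannot see
    # the attacker's screen, so enters the wrong number (one attempt, then consumed).
    rid, shown = server.login_start("alice", "198.51.100.7")
    out["bombing"] = server.login_finish(*phone.respond(server, rid, "approve", (shown + 1) % 100))
    rid, shown = server.login_start("alice", "198.51.100.7")
    out["decline"] = server.login_finish(*phone.respond(server, rid, "decline", shown))
    rid, shown = server.login_start("alice", "203.0.113.10", now=0)
    out["expired"] = server.login_finish(*phone.respond(server, rid, "approve", shown), now=CHALLENGE_TTL + 1)
    rid, shown = server.login_start("alice", "203.0.113.10")
    out["forged"] = server.login_finish(*Device("alice", b"not-the-secret").respond(server, rid, "approve", shown))
    return out


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:8} -> {outcome}")
```

Two design points matter here. The push payload contains only a request id, so a push provider that reads it learns nothing it can use to approve the login; the nonce and number are fetched by the device over its own session and the signed decision goes back the same way. And each request is consumed on the first answer, so a wrong number costs the attacker a fresh push rather than another guess at the same two-digit value.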