
SecureAuth Launches New Capability Reducing Exploits for Mobile-Based Authentication

Author: SecureAuth
SecureAuth Launches New Capability Reducing Exploits for Mobile Multi-Factor Authentication

User-friendly Symbol-to-Accept mobile authentication solution provides the same great user experience as Push-to-Accept, but is more secure.

 

IRVINE, Calif. – Nov. 30, 2016 – SecureAuth Corporation, the leader in adaptive access control, today announced the launch of Symbol-to-Accept, a patent-pending mobile multi-factor authentication approach that improves security without compromising the convenience of the popular Push-to-Accept method. Expanding on the convenience of Push-to-Accept, Symbol-to-Accept increases security by reducing the risk of users routinely pressing ‘Accept’ even if they did not initiate the authentication attempt themselves. While use of Push-to-Accept has exploded due to its simplicity and speed, it exposes enterprises to the risk that users may inadvertently approve login requests that they did not initiate. This could allow an attacker to bypass the intended protection of multi-factor authentication and breach the user’s account.

Symbol-to-Accept, however, enables security-conscious enterprises to deploy mobile push authentication with confidence that this risk is mitigated. To preserve user convenience, Symbol-to-Accept presents the user with a small number of “accept” buttons, each displaying a single, randomly selected symbol (such as a letter). To successfully log in, the user selects the symbol that matches the one displayed on their computer’s login screen. This choice dramatically reduces the likelihood that the user will approve an unsolicited login request, because they will not know which button to choose if they are not currently trying to log in.

Weaknesses of Push-to-Accept

With traditional Push-to-Accept methods, users who routinely press “accept” for authentication sequences may reflexively approve an unsolicited login request as a way to clear the notification from their mobile device screen. Unfortunately, this may grant an attacker access without the user ever becoming aware that their user identity has been stolen. Symbol-to-Accept avoids this conditioning, in which users automatically press “accept” out of habit, even if they did not initiate the authentication attempt themselves.

“Push-to-Accept is arguably one of the most convenient forms of multi-factor authentication,” said Keith Graham, CTO at SecureAuth. “Unfortunately, while traditional Push-to-Accept authentication provides a great user experience, it is prone to exploit by attackers, who may bombard the user with Push-to-Accept requests – to the point where the user will eventually hit ‘accept’ to make the requests go away. And for cybercriminals, it’s a numbers game – bombard as many users with requests as necessary until the desired outcome is achieved.”

Balancing Security and User Experience

Maintaining a convenient user experience is a top concern for IT decision makers when implementing authentication solutions. According to a recent SecureAuth survey, 42 percent of respondents cited disruption to users’ daily routine as a hindrance to adopting an improved authentication strategy. Symbol-to-Accept provides users with the same convenience as Push-to-Accept authentication; however, Symbol-to-Accept increases security by requiring the user to take an additional cognitive step of selecting the symbol displayed on their mobile device that corresponds to the symbol displayed on screen in their web browser.

“To satisfy today’s changing enterprise landscape, it’s essential for security solutions to evolve at the pace of new emerging threats as well as meeting practical organizational needs,” said Graham. “Some organizations are already moving to stronger methods of user authentication, including adaptive access control techniques safeguarding critical areas such as Single Sign-On (SSO) portals and self-service password reset applications. It is imperative that more organizations take this lead and look to implement adaptive access in a way that, in addition to Symbol-to-Accept, performs risk-analysis as part of the authentication process. Adaptive techniques such as device recognition, geo-location, the use of threat services, and even behavioral biometrics enable organizations to take control of their authentication process without compromising user experience.”

About SecureAuth

SecureAuth is the leader in adaptive access control solutions, empowering organizations to determine identities with confidence. SecureAuth provides strong identity security while minimizing disruptions to the end-user. SecureAuth has been providing SSO and MFA solutions for over a decade. For the latest insights on adaptive access control, follow the SecureAuth blog, follow @SecureAuth on Twitter and on LinkedIn, or Contact Us to get started today.

SecureAuth® IdP is a registered trademark of SecureAuth Corporation in the United States and/or other countries.