What’s a Secure Mobile Authentication?

The most recent Verizon data breach report suggested that 63% of breaches could be attributed to stolen credentials. Two-factor authentication helps organizations minimize this risk, but not all two-factor solutions are created equal. There are two important considerations to look for in any two-factor authentication solution.

First, with the ubiquity of smartphones, soft-token one-time passwords (OTPs) have become a popular authentication factor. While an OTP can be used as a second factor, it can be easily compromised by attackers who hijack, or insert themselves into, the communication between a client and a server. This type of attack, commonly referred to as man-in-the-middle, gives an attacker visibility into all network and application traffic, including an OTP. When attackers see an OTP, they can replay it back into the application to get access.

Duo Push sends a push notification to your phone, delivering a secondary form of authentication. Users sign in using their primary credentials, and Duo Push is sent to the user’s phone, eliminating the risk of a man-in-the-middle attack. Admins can also use Duo’s policy and control framework to enforce Duo Push as the second factor for authentication for any application.

Second, while end users can use their personal smartphones for authentication, admins should ensure mobile devices are not jailbroken, rooted or out-of-date. A jailbroken or rooted device provides kernel-level access to applications. Attackers can get access to jailbroken or rooted devices by enticing the user to download a malicious application, then execute unauthorized functions, such as approving push notifications without the user’s knowledge.

With Duo’s policy and control framework, administrators can also prevent users from using outdated and vulnerable operating systems, plugins, and browsers to log in to sensitive resources.

Plus, Duo Push is simple for end-users, and it saves organizations the expense of purchasing, rolling out and servicing tokens for end-users.