Hardening against push notification attacks

Push-notification-based passwordless authentication is supported for integrations such as with Bravura OneAuth and Microsoft Authenticator.

A common approach an attacker could take to abuse passwordless authentication is to send a large number of push notifications to a user's mobile device. A user who receives many of these notifications could give up and approve one to make them stop, or press the approve button by accident.

One method that protects against this type of attack is remembering a browser fingerprint for each user. If the browser fingerprint matches, Bravura Security Fabric does not prompt for a password and uses only the push notification for that user. If the fingerprint does not match, Bravura Security Fabric first asks for the user's password before any push notification is sent.

This can reduce password prompts for most users to 1% of what they would otherwise experience.

The Scenario.hid_authchain_oneauth_2factor and Scenario.hid_authchain_oneauth components may be installed and configured for this use case. They set up the authentication chains and a Bravura OneAuth target for multi-factor authentication and for the fingerprint configuration.

This can be implemented by the following:

  • Install the following components:

    • Scenario.hid_authchain_oneauth_2factor

    • Scenario.hid_authchain_oneauth

  • This adds a Bravura OneAuth target that has a "HYPR" target id.

    • Complete the target address parameters and target credentials for this target.

  • Authentication chains are also added and configured for fingerprint as well as Bravura OneAuth multi-factor authentication.

Ensure the following:

  • There is at least one other target previously configured for a source of profiles.

  • A user has accounts on both the source of profile target as well as the Bravura OneAuth target.

When a user logs in:

  1. The user chooses the password authentication method and enters a password.

  2. If the password is entered correctly, the user is prompted for the Bravura OneAuth authentication.

  3. The user approves the Bravura OneAuth authentication from their mobile device; authentication succeeds and the user can access self-service.

  4. The user logs out of self-service and logs back in.

  5. The browser fingerprint is remembered and the user is now only prompted for Bravura OneAuth authentication.
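The fingerprint gate described above (password first on an unfamiliar browser, push only on a remembered one) and the five-step login sequence, as an added illustration in Python. This is example code written for this page, not Bravura Security Fabric's implementation: the keyed-digest scheme, the 30-day trust lifetime, the store layout and every name below are assumptions, and the browser attributes and key are constructed sample values. The point it makes beyond the text is that a remembered fingerprint is only written after every factor has passed, and that a wrong password on an unknown browser stops the chain before a push is ever sent.

```python
import hashlib
import hmac
import time

# Constructed server-side key (assumption: in a real deployment it lives in a secrets store).
FINGERPRINT_KEY = b"example-key-not-for-production"
# Assumed policy: a remembered browser is trusted for 30 days.
FINGERPRINT_TTL_SECONDS = 30 * 24 * 3600


def fingerprint_digest(attrs):
    """Keyed digest of the browser attributes; only this digest is stored, never the raw fingerprint."""
    canonical = "\n".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hmac.new(FINGERPRINT_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class FingerprintStore:
    """Remembers, per user, which browser digests completed a full password + push login."""

    def __init__(self):
        self._known = {}  # user -> {digest: expiry_timestamp}

    def remember(self, user, attrs, now):
        self._known.setdefault(user, {})[fingerprint_digest(attrs)] = now + FINGERPRINT_TTL_SECONDS

    def is_known(self, user, attrs, now):
        digest = fingerprint_digest(attrs)
        expiry = self._known.get(user, {}).get(digest)
        if expiry is None or expiry <= now:
            self._known.get(user, {}).pop(digest, None)  # drop stale entries on read
            return False
        return True


def required_factors(store, user, attrs, now):
    """Known browser: push only. Unknown (or expired) browser: password first, then push."""
    if store.is_known(user, attrs, now):
        return ["push"]
    return ["password", "push"]


def login(store, user, attrs, password_ok, push_approved, now=None):
    """Run the factors in order; a push is only sent once every earlier factor has passed.
    Returns (success, factors_actually_prompted)."""
    now = time.time() if now is None else now
    prompted = []
    for factor in required_factors(store, user, attrs, now):
        prompted.append(factor)
        if factor == "password" and not password_ok:
            return False, prompted
        if factor == "push" and not push_approved:
            return False, prompted
    store.remember(user, attrs, now)  # remember the browser only after full success
    return True, prompted


def simulate_flow():
    """Replays the documented login sequence plus an attempt from an unfamiliar browser."""
    store = FingerprintStore()
    # Constructed browser attributes; a real fingerprint would use many more signals.
    user_browser = {"user_agent": "ExampleBrowser/1.0", "screen": "1920x1080", "tz": "UTC"}
    other_browser = {"user_agent": "OtherBrowser/9.9", "screen": "800x600", "tz": "UTC+8"}
    t0 = 1_700_000_000
    # Steps 1-3: password, then push, on a browser seen for the first time.
    first = login(store, "alice", user_browser, password_ok=True, push_approved=True, now=t0)
    # Steps 4-5: log out, log back in; the fingerprint is remembered, so only push is prompted.
    second = login(store, "alice", user_browser, password_ok=True, push_approved=True, now=t0 + 60)
    # Unfamiliar browser without the password: the chain stops before any push is sent.
    attempt = login(store, "alice", other_browser, password_ok=False, push_approved=True, now=t0 + 120)
    # After the remembered fingerprint expires, the password is required again.
    expired = login(store, "alice", user_browser, password_ok=True, push_approved=True,
                    now=t0 + 2 * FINGERPRINT_TTL_SECONDS)
    return {"first": first, "second": second, "attempt": attempt, "expired": expired}


if __name__ == "__main__":
    for name, (ok, factors) in simulate_flow().items():
        print(f"{name}: success={ok} prompted={factors}")
```

The attribute set is sorted before hashing so that the same browser yields the same digest regardless of the order the client reports its properties, and the digest is keyed so that a copy of the store does not reveal the raw fingerprints.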