A Push Token is an advanced technology for an easy-to-use and secure multifactor authentication (MFA): When a user tries to access protected content or initiates a transaction, a push notification is sent to the users registered mobile device, for instance a smartphone.
After receiving the mobile push notification, the user verifies or rejects the transaction or login, based on the encrypted data sent. The cryptographic confirmation is then directly transmitted to the defined endpoint. No input about the transaction or login is required from the user, and all communication and signing of the authentication is transparent to the involved parties. In the background, the cryptographic design of solutions like the KeyIdentity MFA platform ensure that the entire process is secure against attacks along the mobile connection. Moreover, the user does not have to type in long passcodes, which is quite time-consuming and error-prone.
Where do I use a Push Token?
Push tokens are a perfect fit for guaranteeing a four-eyes principle in environments, when crucial or exceptionally high-value transactions, critical logins or access to sensitive data have to be confirmed. Take the application scenario of investment banking for example: When the transaction exceeds a defined amount, it has to be additionally authorized by two line managers or responsible compliance personnel.
Another advantage of push tokens is their improved usability for N-of-M scenarios where N of M users – for instance four of seven responsible persons – have to authorize a transaction, login, data access or change of data. Without push authentication, this would be a more complex scenario. If an engineer for example issues the order to turn off the cooling of a nuclear power station, the IT system of the power plant sends out a push notification to other responsible persons who were defined to provide their authorization. Only when a specified number of them has confirmed the order, it is executed.
In its 2017 Planning Guide for Identity and Access Management, Gartner says that “Organizations should take advantage of the mobile-push-based multi-factor authentication at the expense of other out-of-band modes …”. Why is Gartner such a big fan of push authentication? Compared to other token types like SMS, software or hardware tokens, it offers significantly higher usability with a one touch authentication while retaining the advanced security features of modern transaction security at significantly reduced costs and faster time to value. According to Gartner, the total cost of ownership (TCO) of mobile push solutions can be up to 70 percent lower than that of other MFA solutions. And with the help of modern MFA solutions like LinOTP and the KeyIdentity MFA platform push tokens can quickly and easily be implemented into existing IT environments.
It can’t get any easier than that
A (mobile) push token pretty much comes close to an ideal authentication method. Their biggest benefit is their ease of use and their great TCO combined with a high level of security. For the next years, we expect further improvements in those areas, which will also be boosted by developments in mobile devices technology. And we see that existing SMS and hardware-based authentication mechanisms will be replaced by push token technology over time.
If you want to find out more about token technology and multi-factor authentication check out our last blog entry “How to pick the right token”. There you can find a more extended overview on the latest status of token technologies for multi-factor authentication.