Get the inside scoop with LoginTC and learn about relevant security news and insights.

LoginTC Product Update: Push Number Matching

September 23, 2022Mercedes Chircop

Here at Cyphercor, our focus is developing the best cybersecurity protection for your company. We believe that all organizations should have access to seamless, user friendly, secure, and well supported multi-factor authentication. We stay on top of cybersecurity trends and make improvements that keep our customers ahead of the cyber criminals.

With that said, we are proud to announce a new way to improve the security of push based authentication: Push Number Matching.

Push number matching offers an additional security layer against push notification fatigue and spamming exploits and further improves the cybersecurity posture of your organization.

Why is Push Authentication Vulnerable?

Multi-Factor Authentication (MFA) is a tool used by humans and must be both easy to use and secure. Rather than having to pick one, we always look for ways to address both aspects at the same time. Typical push-based authentication is convenient for most users, but vulnerable to a variety of cyber attacks. As a reminder, push based authentication is when a push notification is sent to a users smartphone or desktop and the user simply needs to approve the request to authenticate. Although these requests can include information like Country of origin or IP Address, having a single tap to approve button on the request gives users a quick way to approve without reviewing information that may or may not be relevant to them anyway.

Push based authentication can be vulnerable to the following:

  • Push Notification Spamming – Multiple push notifications that annoy a user into accepting a push notification for a fraudulent login.
  • Push Notification Fatigue – Users that constantly use MFA pay less attention to and can accept a push notification login request on demand which again can lead to a fraudulent login.

Informing users of best practices, leveraging advanced geolocation based policies, informative request attributes and using a 4 digit PIN to approve a request can be effective measures, however we have taken things a step further.

Introducing LoginTC Push Number Matching

LoginTC is proud to bring our customers a new push authentication option: Push Number Matching. It enables users to still use the LoginTC app and push based authentication, but asks the user to match a number to what is being displayed to them as part of the approval process. This simple action dramatically improves the identity assurance of the authentication request.

How does it work? Essentially, when the user authenticates with their LoginTC app, they will be prompted select the number that is simultaneously being displayed to them on the connector login screen. This gives the user confidence that the LoginTC authentication request they see on their smartphone is the one that they themselves requested, and not a malicious request from an attacker.

For example, let’s say a user is at their desk but is not attempting to login to a LoginTC protected service. They receive a notification and perhaps inadvertently elect to click Approve. Now the approval process will not continue unless a number is selected. If the user isn’t trying to authenticate they won’t know what the number is, this will give pause to the user to access whether to move forward.

Here it is in action:

Step 1: A randomly-generated number is displayed at the connector login screen

Step 2: The user must select the correct number to successfully approve the request

Push number matching adds a mechanism to remind and challenge the user with a simple prompt before accepting a request. If an incorrect number is chosen, the request will not be approved. The user also has the option to mark the request as fraudulent.

How do I turn it on?

To enable push number matching for a specific application:

  • Log in to LoginTC Admin
  • Click Applications
  • Select the application you want to modify
  • Select the appropriate application policy
  • Under Authentication Methods Scroll down to Push Number Matching
  • Select Enabled
  • Scroll down to the bottom of the page and click Save

LoginTC Push Number Matching works on both the LoginTC Android and iOS apps, as well as the LoginTC Chrome extension.

For more details, like compatible connectors and LoginTC app versions requirements, explore our full documentation page for Push Number Matching.

Want to learn more?

If you’re a current LoginTC customer then good news! You have access to Push Number Matching already. If you need assistance with the new change, then you contact our support team.

If you’re not yet a customer and would like to learn more about LoginTC with a trial run or a quick demo, then contact us today.

Start your free trial today. No credit card required.

Sign up and Go