NIST says push authentication over OOB is in, out-
INDUSTRY STANDARD
https://pages.nist.gov/800-63-3/ & https://pages.nist.gov/800-63-3/sp800-63-3.html
Quote:
Enter OOB push authentication using push notifications, which is getting a thumbs up from NIST. To quote, “If out of band verification is to be made using a secure application (e.g., on a smart phone), the verifier MAY send a push notification to that device.” Since this method involves an app that is installed on a user’s device, the above fraud scenario wouldn’t apply. How does it work? When accessing a protected resource, a push notification is sent to the user’s mobile device. The user opens the OOB app, taps to approve the login request, and is then logged in to the resource. Interestingly, Gartner predicts that, “By 2019, 60% of phone-as-a-token deployments will use out-of-band push modes for the majority of users, up from less than 10% today.”
NIST’s new guidelines have made the headlines as a result of the wide adoption of SMS-based OOB by leading social media and retail sites. The method’s pervasiveness largely stems from its ease of use, and the fact that websites don’t have to distribute any hardware or software, and can support any ‘dumb phone.’ With the evolving nature of digital fraud, it only stands to reason that NIST should evolve their guidelines to keep up with today’s mal-doers.
At the end of the day, being able to use Push authentication and other strong authentication methods is all about choice, flexibility – and making sure that the assurance level used is appropriate to the sensitivity of the assets being accessed. So although NIST has given a “thumbs down” to SMS authentication, organizations still have at their disposal a wide range of authentication methods that provide excellent levels of security combined with an easy and unobtrusive user experience.
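The quoted article describes the push flow in one sentence (notification sent, user taps approve, login completes). The following Python model, added here as an illustration and not taken from NIST SP 800-63-3 or from the quoted article, shows the checks a verifier needs on its side for that flow to actually bind the approval to one login attempt: the request is single-use, expires, carries the context the user approves, and the app's answer is authenticated with a per-device secret. The HMAC over a shared per-device key, the 60-second lifetime, the user name, and the field names are all assumptions made for this example; real deployments typically use an asymmetric key pair held in the phone's secure hardware.

```python
"""Model of an out-of-band push approval flow (constructed example, not production code)."""
import hashlib
import hmac
import secrets
import time

APPROVAL_TTL_SECONDS = 60  # assumed lifetime of a pending login request


def _mac(key, challenge, decision):
    """Authenticate the decision together with every field of the challenge it answers."""
    msg = "|".join([challenge["id"], challenge["nonce"], challenge["user"],
                    challenge["context"], decision])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: issues push challenges and checks the device's response."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._device_keys = {}  # user -> per-device secret registered at enrolment (assumed symmetric)
        self._pending = {}      # challenge id -> challenge still awaiting an answer

    def register_device(self, user, device_key):
        self._device_keys[user] = device_key

    def start_login(self, user, context):
        """Create a single-use challenge and return the payload that would be pushed."""
        challenge = {
            "id": secrets.token_hex(8),
            "nonce": secrets.token_hex(16),
            "user": user,
            "context": context,   # shown in the app so the user knows what they approve
            "issued": self._clock(),
        }
        self._pending[challenge["id"]] = challenge
        return dict(challenge)

    def complete_login(self, response):
        """True only for a fresh, unused approval authenticated by the registered device."""
        challenge = self._pending.pop(response["id"], None)  # pop: each request answers once
        if challenge is None:
            return False
        if self._clock() - challenge["issued"] > APPROVAL_TTL_SECONDS:
            return False
        key = self._device_keys.get(challenge["user"])
        if key is None:
            return False
        # recompute over the server's stored copy, so a tampered push payload cannot verify
        expected = _mac(key, challenge, response["decision"])
        if not hmac.compare_digest(expected, response["mac"]):
            return False
        return response["decision"] == "approve"


def device_respond(device_key, push_payload, decision):
    """Device side: the user taps approve or deny; the app authenticates that answer."""
    return {"id": push_payload["id"], "decision": decision,
            "mac": _mac(device_key, push_payload, decision)}


def demo():
    """One approved login, then the same answer replayed; returns (True, False)."""
    verifier = Verifier()
    key = secrets.token_bytes(32)  # constructed enrolment secret
    verifier.register_device("alice", key)
    push = verifier.start_login("alice", "web login from 203.0.113.7")  # constructed context
    answer = device_respond(key, push, "approve")
    return verifier.complete_login(answer), verifier.complete_login(answer)


if __name__ == "__main__":
    print(demo())
```

The `clock` argument exists so the expiry check can be exercised without sleeping; in practice the lifetime, the context shown to the user, and the device key storage are the parts that carry the security of the scheme.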