Multi-numbered challenge is a multi-factor authentication solution that provides enhanced security to the already known Push factor.
In this article, we're describing how to implement Futurae multi-numbered challenge authentication, and why it stands out when it comes to preventing Multi-Factor Authentication (MFA) fatigue attacks.
MFA fatigue attack
An MFA fatigue attack, or push notification spam, occurs when a malicious actor exploits an application capable of sending push notifications to overload users with a barrage of notifications. The ultimate goal is to create confusion and induce users to approve at least one of the authentication sessions, granting the attacker access to the user account.
Why multi-numbered challenge?
By adding a multi-numbered challenge step to a push notification based authentication, instead of simply approving the authentication, the user needs to pass a number challenge by choosing on the authenticator app the same number which is displayed on the customer application (where the user started the login or transaction signing request). The authentication is approved only if the user successfully completes the number challenge.
This way multi-numbered challenges prevent users from instinctively approving the authentication on scenarios of MFA fatigue attacks.
How does it work?
The Push authentication with multi-numbered challenge flow starts when the customer application calls the Futurae Auth API Push factor endpoint, while having the multi-number challenge feature enabled (see Implementation steps below). The Futurae backend consequently returns a solution for the multi-number challenge, in other words the number that the user needs to select in order to approve the authentication. The multi-number challenge solution is then displayed to the user by the customer application.
On the user side, a push notification is sent by Futurae to the user’s enrolled device on which the authenticator app that integrates the Futurae mobile SDK is installed. When the user opens the push notification or the authenticator app directly, a multi-number challenge consisting of a list of numbers is displayed, instead of the typical approve or reject screen. The multi-number challenge can also be displayed even if the push notification is not delivered, as long as the user opens the authenticator app while the authentication session is pending.
The user then needs to select the right number (the same number that was previously provided to the customer application). The Futurae mobile SDK, which is embedded in the authenticator app, will communicate the number chosen by the user to the Futurae backend, which by its turn will verify if the user correctly answered the multi-number challenge, and update the authentication result accordingly.
If the numbered challenge solution provided by the user is correct, the authentication is approved, otherwise rejected.
- Contact email@example.com to enable multi-number challenge verification for your Futurae Service(s).
- When the end user is successfully logged in on the customer application, call Futurae Authenticate with One-Touch to start a Push 2FA.
- In a successful scenario, Futurae Auth API replies with 200 OK and a response payload containing a
multi_numbered_challenge_valueattribute. At the same time, the Futurae backend sends a push notification to the user-registered 2FA device.
- Display the
multi_numbered_challenge_valueto the end user on the customer application.
- The user receives the push notification to approve the authentication on the authenticator app already registered with their 2FA account.
- Get the multi-number challenge data from the mobile SDK. This data consists of a list of numbers that shall be presented to the user as a challenge. To fetch the multi-number challenge:
On Android - Call SDK getAccounts to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Finally, call the sessionInfoById function and pass as argument the
user_idthat has pending multi-number challenge sessions, in order to get the respective multiNumberedChallenge attribute that corresponds to the list of numbers which shall be presented to the user as a challenge. This step can also be executed every time the app is brought to foreground, so that the pending sessions can be displayed to the user if the app is launched, even if the push notification was not received.
On iOS - The multi-number challenge is included in the push notification payload, and can be accessed through the
multi_numbered_challengekey of the
authenticationInfodictionary provided by
approveAuthenticationReceivedas described on our iOS SDK guide here. Alternatively, call the SDK getAccounts method to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Lastly, call the SDK
getSessionInfomethod to fetch the
multi_numbered_challengeattribute. This alternative can also be used every time the app is brought to the foreground to fetch pending multi-number challenge sessions, even if the push notification was not received.
- On Android - Call SDK getAccounts to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Finally, call the sessionInfoById function and pass as argument the
- Display the multi-number challenge numbers to the user.
- Once the user chooses the multi-number challenge solution, call the SDK function to approve the session and pass the number chosen by the user:
Android - Call SDK
approveAuthfunction and provide the
multiNumberedChallengeResponseanswered by the user. Refer to the Approve with Multi-Numbered Challenge section of our Android SDK guide.
iOS - Call SDK
approveAuthWithUserIdmethod and pass the multiNumberChoice answered by the user. Refer to Approve with Multi-Numbered Challenge section of our iOS SDK guide.
- Android - Call SDK
- Handle the SDK response and display the result accordingly to the user.
Multi-number challenge authentication flow
For any technical support, do not hesitate to contact firstname.lastname@example.org.