This feature was previously known as Multi-numbered challenge.
Number matching is an added layer of protection for push-based multi-factor authentication (MFA). It helps ensure that users only approve login or transaction requests they actually initiated, reducing the risk of successful MFA fatigue attacks.
MFA fatigue attack
An MFA fatigue attack, or push notification spam, occurs when a malicious actor exploits an application capable of sending push notifications to overload users with a barrage of notifications. The ultimate goal is to create confusion and induce users to approve at least one of the authentication sessions, granting the attacker access to the user account.
Why number matching?
By adding a number matching challenge step to a push notification based authentication, instead of simply approving the authentication, the user needs to pass a number challenge by choosing on the authenticator app the same number which is displayed on the customer application (where the user started the login or transaction signing request). The authentication is approved only if the user successfully completes the number challenge.
This way number matching verifications prevent users from instinctively approving the authentication on scenarios of MFA fatigue attacks.
How does it work?
The Push authentication with number matching flow starts when the customer application calls the Futurae Auth API Push factor endpoint, while having the number matching feature enabled (see Implementation steps below). The Futurae backend consequently returns a solution for the number matching challenge, in other words the number that the user needs to select in order to approve the authentication. The number matching solution is then displayed to the user by the customer application.
On the user side, a push notification is sent by Futurae to the user’s enrolled device on which the authenticator app that integrates the Futurae mobile SDK is installed. When the user opens the push notification or the authenticator app directly, a number matching challenge consisting of a list of numbers is displayed, instead of the typical approve or reject screen. The number matching can also be displayed even if the push notification is not delivered, as long as the user opens the authenticator app while the authentication session is pending.
The user then needs to select the right number (the same number that was previously provided to the customer application). The Futurae mobile SDK, which is embedded in the authenticator app, will communicate the number chosen by the user to the Futurae backend, which by its turn will verify if the user correctly answered the number matching challenge, and update the authentication result accordingly.
If the number matching solution provided by the user is correct, the authentication is approved, otherwise rejected.
Implementation
- Contact support@futurae.com to enable number matching verification for your Futurae Service(s).
- When the end user is successfully logged in on the customer application, call Futurae Authenticate with One-Touch to start a Push 2FA.
- In a successful scenario, Futurae Auth API replies with 200 OK and a response payload containing a
multi_numbered_challenge_valueattribute. At the same time, the Futurae backend sends a push notification to the user-registered 2FA device. - Display the
multi_numbered_challenge_valueto the end user on the customer application. - The user receives the push notification to approve the authentication on the authenticator app already registered with their 2FA account.
- Get the number matching data from the mobile SDK. This data consists of a list of numbers that shall be presented to the user as a challenge. To fetch the number matching challenge:
-
On Android - Call SDK getAccounts to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Finally, call the sessionInfoById function and pass as argument the
user_idthat has pending number matching sessions, in order to get the respectivemultiNumberedChallengeattribute that corresponds to the list of numbers which shall be presented to the user as a challenge. This step can also be executed every time the app is brought to foreground, so that the pending sessions can be displayed to the user if the app is launched, even if the push notification was not received. -
On iOS - The number matching data is included in the push notification payload, and can be accessed through the
multi_numbered_challengekey of theauthenticationInfodictionary provided byapproveAuthenticationReceivedas described on our iOS SDK guide here. Alternatively, call the SDK getAccounts method to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Lastly, call the SDKgetSessionInfomethod to fetch themulti_numbered_challengeattribute. This alternative can also be used every time the app is brought to the foreground to fetch pending number matching sessions, even if the push notification was not received.
-
On Android - Call SDK getAccounts to fetch the SDK enrolled accounts, followed by getAccountsStatus that returns the pending sessions available for the provided accounts. Finally, call the sessionInfoById function and pass as argument the
- Display the number matching challenge to the user.
- Once the user chooses the number matching solution, call the SDK function to approve the session and pass the number chosen by the user:
-
Android - Call SDK
approveAuthfunction and provide themultiNumberedChallengeResponseanswered by the user. Refer to the Approve with number matching section of our Android SDK guide. -
iOS - Call SDK
approveAuthWithUserIdmethod and pass the multiNumberChoice answered by the user. Refer to Approve with number matching section of our iOS SDK guide.
-
Android - Call SDK
- Handle the SDK response and display the result accordingly to the user.
Push Authentication with number matching
For any technical support, do not hesitate to contact support@futurae.com.
Comments
0 comments
Article is closed for comments.