Secure Users Against Push Fatigue and Push Attacks
What are push attacks?
Push attacks are used by malicious actors whose goal is to get past mobile push-based multi-factor authentication (MFA). The malicious actor spams the victim with authentication notifications until the victim is fatigued and finally accepts one. When deployed on a mass scale, even a low success rate of less than 3% is significant.
Push attacks are a growing concern among security experts, and many of today’s MFA solutions offer push authentication as a form of MFA. That’s why the latest HYPR Cloud Platform 6.12 offers a technology preview of QR code login.
No Passwords, No Push, Just Scan QR to Log In
6.12 now enables users to log in to their SSO-managed web apps by scanning a QR code with the HYPR App or the camera on their smartphone.
QR code login is a passwordless MFA alternative for situations where push notifications to the mobile device aren’t available or are undesirable from a security standpoint.
Before partnering with HYPR, a higher education customer struggled to secure its 3,500-person university campus, which relied on password-based login and faced potential push-related security risks. Push fatigue inadvertently allowed access to another user who had correctly guessed the victim’s username and spammed the account with push authentication requests.
QR code login is impactful because it prevents push fatigue and its potential for push attacks. It gives more control to the end-user as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone.
Device pairing is still required to register a trusted device, so the QR code will only prompt the user to verify their identity with their registered device.
HYPR Cloud Platform 6.12
In addition to QR code login, another notable update is our API Endpoint Security Enhancement feature. This feature further improves the overall security posture across components of the HYPR Cloud Platform by passing an encrypted token to the HYPR Server when making internal API calls.