websights QR Code Authentication : Enhancing Security with Passwordless MFA

Looking for inwebo.com? You are in the right place! Read all about it in our blog post

Come and join us in person at upcoming industry trade shows and conferences

Enhancing Security with TrustBuilder’s Passwordless MFA Solution: Introducing QR Code Authentication

In the rapidly changing landscape of cybersecurity, organizations are continuously searching for ways to enhance their authentication processes and safeguard sensitive data. With a deep understanding of the need for stronger security measures, TrustBuilder is excited to unveil a substantial update to its Passwordless Multifactor Authentication (MFA) solution. This update introduces a cutting-edge authentication method, QR code scanning, which offers even greater convenience and security for users. Notably, QR code scanning serves as an effective countermeasure against push bombing attacks. In this blog post, we will delve into the details of this new feature and explore the multitude of benefits it brings to organizations and end-users alike.

QR Code article header

How to fight push bombing In a nutshell

TrustBuilder’s philosophy when building cybersecurity solutions has always been to combine a very high level of security with the largest compatibility and accessibility possible. This unique proposition has been the cornerstone of the inWebo MFA success and today’s evolutions under the TrustBuilder brand are no exception.

  • Turn your workstation and/or your browser into a trusted device = thanks to its unique Browser and desktop tokens, TrustBuilder makes sure a hacker cannot takeover your account even with stolen credentials
  • QR code scan working on all devices, with or without a camera = QR code scan authentication gets rid of unsolicited notifications, is much more secure than number matching and its combination with deeplinking technology makes it a breeze to use.

What is Push Bombing?

A push bombing attack is a type of cyber attack where an attacker repeatedly sends push notifications to a user’s device, overwhelming the user with an excessive number of notifications. This attack aims to disrupt the user’s experience and potentially distract them from other legitimate notifications. Push bombing attacks can be automated through scripts and can be particularly effective against applications that do not have proper defense mechanisms.

What enables a push bombing attack?

  • Operation initiated from an unknown environment

    Acquiring a list of credentials is now an easy first step to gain access to a user’s account and initiate a push bombing attack. If no additional checks are performed, it can be triggered from any browser.
  • Operation unlocked with a single tap of OK

    Enforcing two-factor authentication (2FA) solely with a login, password and possession factor (tap OK) increases the impact of push bombing, as end-users can accept by habits.
  • Lack of security awareness

    Lack of preventive actions to help users develop the right reflexes to identify suspicious authentication requests.

When searching for a method to mitigate the impact of Push Bombing attacks, customers should keep these requirements at the forefront of their thoughts.

  • Provide the lowest integration cost for their existing IT system
  • Minimize the end-user impact and require limited change management
  • Ensure the highest level of security
  • Support the widest range of applications

Introducing QR Code Scan Authentication

TrustBuilder’s latest update introduces QR code scan authentication as a new method within its Passwordless MFA solution. With this feature, users can now authenticate themselves by scanning a QR code using their smartphones or other compatible devices. This innovative approach streamlines the authentication process and makes sure that the user initiating the request is the one validating it thanks to device binding method.

How Does QR Code Authentication Work

When a user attempts to access a protected resource, TrustBuilder’s MFA solution generates a unique QR code specific to that user and session. The user then scans this QR code using the Trustbuilder Authenticator application or their smartphone’s camera. The scanned information allows the user to approve the authentication request. This request is then validated, provided of course that the device on which the validation takes place is enrolled and trusted.

QR Code Authentication, the TrustBuilder Way

TrustBuilder’s version of QR code scan authentication offers specific benefits in terms of both security and user experience.

Very high Security

  • Protects against social engineering
    • QR codes are linked to a user account and cannot be used on other devices without a trusted device.
    • Since there is no retyping by the end user involved in the process (unlike other methods like number matching), QR codes can carry complex and lengthy data (like a session id) much more difficult to hack than a two-digit code.
    • QR codes have a short validity time to prevent mass generation and upfront sending.
  • Reduces user acceptance in error
    • Link the channel on which the transaction was initiated with the channel on which the transaction is validated.
    • There is no way to access the pending transaction without the information embedded in the QR code and authentication of the trusted device.

Improved User Experience

  • Eliminates unsolicited push notifications
    • Push notifications have been replaced by QR code scanning. Users are shown the transaction to validate.
  • Adapts to user habits
    • Nowadays, users scan a QR code to get a restaurant menu, directions to a location, more information on a product or to download an app on the App Store or Google Play. It has become a mundane operation for most users.
  • Works from a browser on your trusted device
    • Deeplinks are available so that if you are working from your trusted device, you can authenticate directly from it rather than having to rely on an additional enrolled device
  • Works with a simple camera scan – no need to launch the dedicated app
    • Deeplinks are available to automatically launch the TrustBuilder Authenticator App when the user scans the QR code

Conclusion

TrustBuilder’s major update to its Passwordless MFA solution, introducing QR code scan coupled with deeplinking to make the experience totally seamless, revolutionizes the world of authentication methods. By adopting this efficient and innovative approach, organizations not only enhance security, simplify user experience, and reduce costs associated with traditional MFA solutions, but also effectively mitigate the threat of push bombing attacks.

With TrustBuilder’s ongoing commitment to continuous improvement and addressing evolving security needs, organizations can confidently embrace QR code authentication as a powerful method of step-up authentication, ensuring both security and convenience for all stakeholders involved.