Back in the day, two-factor authentication equated to something like an RSA token, the key-fob-like dongle that displayed a fresh sequence of digits every minute or half minute. These key fobs proved relatively convenient for people to carry around and use, although they were somewhat expensive for companies to acquire.
Partly for that reason, somewhere near the beginning of the millennium, methods such as on-demand authentication, instant login and token-less login stepped in, each usually referring to a method of authentication that circumvented the cost of acquiring hardware authenticators, sometimes boldly claiming to revolutionise more or less everything in authentication. Usually the revolutionary second factor meant sending a one-time digit sequence to the user as a short message. In the end, none of the entrants really turned out to be a ‘token killer’, unlike many predicted; short messages, for example, although undisputedly convenient, ended up more of a niche than the mainstream. Some methods did, however, gain popularity outside the corporate landscape, in banks or as eID factors.
For a long time, literally decades, hardware tokens were the only 2FA a company could reliably roll out, given enough money to cover the costs, in particular the cost of token logistics. While that can sound like sheer exaggeration, one has to remember that token logistics were never really the problem, just their cost. If a token broke or got lost, solving that only needed money, but even money didn’t help when an SMS did not get through, or an early mobile token app failed to install. So for most companies, tokens were the only second factor with no bumps on the road that couldn’t be ironed out, with money if nothing else.
It wasn’t until the introduction of the cloud and the wave of mobile apps that the two-factor landscape started to look a little different. Giants like Google rolled out free authenticators, and mobile-based two-factor was no longer a question of cost or compatibility. That renaissance of two-factor then gathered pace when two-factor vendors spotted that there existed a way to send notifications to mobile apps, and with that, the new mainstream of two-factor authentication was born.
As it now stands, any company with a web service can easily introduce two-factor without being pulled into the myriad obstacles lurking in the shadows of corporate identity and access. There isn’t a great deal of complexity around what in technical terms is called push login: a relatively straightforward concept of conveying to the user a prompt to accept or reject a login, right where it is most convenient, on the mobile screen.
Which raises the question of why push login isn’t then used everywhere. It still looks as if a great many companies rely upon the ‘good old’ hardware authenticators, the one-time code generators that looked much the same nearly 30 years back, and some on more sophisticated variants like U2F. Sticking to the classics or basics isn’t of course always a bad thing, from the angle of security sometimes even advisable, but compliance and risk mitigation are hardly the only reasons why so many still like to unpack a box of devices on the IT department desk and individually ship them out to anyone wanting or needing to dial back into the company resources.
The answer is, push login is far too easy to be ignored when a company’s IT is lined up in the cloud, but significantly less straightforward when the company holds its roots down on-premise. For many cloud-based services, push login and two-factor overall are already part of the plumbing; take AzureMFA for example. In the cloud, single sign-on is not only a buzzword from the last millennium but a reality, with bearer tokens flying all over the Internet like blood through the human circulatory system.
Down on-premise, meanwhile, a long line of services exists that have little or no means, or even need, to be interconnected with the federated world of the cloud. If a company then isn’t ready, for example, for a full-blown AAD shipping with push login in it, what options are there to get push login?
Here we would like to start a series of blog posts that walk through the steps to incorporate push login into our daily corporate services, not only those in the cloud. We start with a scenario we are all very familiar with: logging in to our own Windows.