Using Push Notifications for MFA

By Zach DeMeyer Posted January 22, 2020

Multi-factor authentication (MFA) is now one of the core methods for securing user access to IT resources. Many organizations are evaluating their options for adopting MFA policies. One such option is push notification-based MFA, but what benefits does it offer over other options?

For starters, let’s first talk about MFA in general, as well as several of the MFA options available.

What is MFA?

Multi-factor authentication (also called two-factor authentication or 2FA) is the practice of requiring an additional factor beyond the standard username/password combination requested at most logins. Oftentimes, these factors are colloquially known as “something you know, something you have, and something you are.”

“Something you know” includes username/password credentials, but also applies to security questions or similar factors. “Something you have” pertains to device-based MFA options like mobile passcodes or physical keys. “Something you are” generally refers to biometrics. We will go into more detail on these later.

Why Use MFA?

According to Symantec, 80% of recent breaches could have been prevented with the use of an additional authentication factor. This statistic makes sense considering Verizon found that around 81% of data breaches in the past several years were due to compromised credentials. If said credentials were backed by MFA, the perpetrators who compromised them would have a significantly harder time leveraging them in an attack.

But, how much of an effect does an additional factor have? Well, Google’s security blog studied the effects of MFA on account takeovers. Here’s what they found:

The chart above details the efficacy of the six most popular “something you have” and “something you know” MFA methods. Clearly, MFA has significant security benefits when protecting compromised credentials against a full takeover and breach.

Despite this, LastPass reports that only 26.5% of businesses surveyed enforce some form of 2FA on their accounts. With that in mind, let’s talk about the variety of ways an organization can implement multi-factor authentication.

What MFA Options Are Available?

SMS-based MFA

SMS-based MFA is one of the more widely-used forms of MFA in use today. This method sends a login code to an end user’s phone or email. Once they have the code, they present it after their credentials at login. Per the Google chart above, SMS-based MFA offers effective security for automated and bulk phishing attacks, but is less effective for accounts that are being specifically targeted.

Time-based One-Time Password (TOTP)

TOTP MFA utilizes a randomly generated code similar to that of SMS-based MFA. Unlike SMS, however, TOTP codes are usually generated via an app like Google Authenticator, and are only valid for a 30 second interval. After that time, a new code is generated, rendering the previous one null.

TOTP is generally considered more secure than SMS, falling under the “On-Device Prompt” classification in the chart above. TOTP is continuing to gain in popularity although some users find it cumbersome. It is, however, quite easy to manage for IT admins.

Physical Keys

Physical key-based MFA is akin to a digital version of a tangible lock and key. Each physical key — often represented in the form of a USB stick like Google Titan — is unique to its user. As long as the user maintains possession of their key, their authentication should be hyper-secured. Google backs this up in their report, claiming 100% efficacy at blocking most major forms of attack.

While incredibly secure, physical key MFA has its own headaches. For starters, physical keys take a significant amount of effort on part of the IT admin to implement and tie in to each individual end user. Beyond that, there’s always potential for a physical key to be lost or stolen. In this case, an end user will be locked out of their associated accounts until the key is found or replaced.


Science fiction has long speculated on the extent of biometric authentication, often represented by retinal scans and voice/facial recognition. Today’s day and age have made such biometrics a reality. Biometrics exemplify the “something you are” MFA factor, and are an up and coming MFA method. Many people utilize biometrics in the form of a fingerprint reader on their smartphone or laptop.

When it comes to biometric MFA in the enterprise, however, the practice is more of fiction than fact. Technology has not yet advanced to the point where biometrics can be used effectively at scale. Despite the fact that biometrics present a hyper-personal form of MFA, it will probably be some more time before it’s used en masse.

Push Notifications

While there are several other forms of MFA, such as knowledge or location-based challenges, the final method we’ll address is push notification-based MFA. Like TOTP, push notifications fall under the “On-Device Prompt” classification, meaning it’s significantly more secure than using a set of credentials alone.

But unlike TOTP, push notifications utilize smartphone notifications to assert authentication. In doing so, end users simply have to press a button on their phone to approve or deny access. If an unauthorized party attempts to access their account, they can deny them outright. End users generally find this method of MFA to be convenient. Additionally, push notification-based MFA provides increased levels of security compared to SMS MFA while avoiding the hassles of implementing physical keys.

The downside of Push Notifications is that it requires another app on your phone. Many end users are reluctant to add additional applications, so this can stunt the roll-out of Push-based MFA.

As a potentially “best of all worlds” type of MFA, push notifications are growing in popularity. So, the question becomes, how can organizations enforce the use of push notifications for MFA?

Using Push Notifications for MFA

IT organizations can use several different solutions to enforce MFA push notifications across their user base. Of course, another key point to keep in mind when considering MFA push notifications is which IT resources need to be protected.
If your organization is interested in using push notifications for MFA, please contact us. We’d be happy to assist you.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts