Dear Community,
Thousands of users have embraced the Simple-Push mechanism for its user-friendly approve/deny buttons during login, and we recognize its benefits in providing a seamless authentication experience. However, as convenient as it is, a plain approve/deny prompt carries a risk: if a user accidentally approves a login request that they did not initiate, that single tap is enough to grant access to whoever triggered the request.
To address this, RCDevs has introduced 3 exciting new features in OpenOTP Server and Token (versions mentioned above) that further improve both security and user experience.
1. Simple-Push with Confirmation Code
This feature adds an extra layer of security to the Simple-Push mechanism. After a user approves a login, a confirmation code (2 to 4 digits) is displayed on the mobile application. This code must then be entered into the client application during the challenge-response prompt sent by the OpenOTP server. Because the code is only visible on the approving device, an approval on its own no longer completes the login.
For web applications, like the RCDevs SAML/OpenID Identity Provider, a keypad will be displayed on the screen where users must type the confirmation code to complete the authentication process.
2. Client Policy Selection
In the same scenario, after approving a login, users are prompted on the mobile app to select the client system they are trying to log into. Access is granted only if the client policy selected matches the application that sent the request. This feature adds an additional level of verification against accidental approvals.
Both the Simple-Push confirmation code and client policy selection can be configured under the Simple-Push Commit setting in the OpenOTP Server configuration.
The available options include:
- `code2`, `code3`, `code4` for the confirmation code with 2 to 4 digits.
- `client` for the client application selection. Your system needs at least 3 client policies configured.
These 2 modes can be enabled per user, per group or per client policy!
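The following is an added illustration, written for this post rather than taken from OpenOTP's own implementation, of how the two Simple-Push Commit modes change the flow: tapping Approve on the phone no longer finishes the login, and the server additionally checks either a short code typed into the client application (`code2`, `code3`, `code4`) or the client policy picked on the phone (`client`). The class and method names, the 60-second lifetime of an approved-but-uncommitted push and the one-attempt-per-push rule are assumptions made for this simulation.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Simulation of the Simple-Push Commit modes. Names, the timeout and the
# one-attempt rule are assumptions for this example, not OpenOTP's API.
COMMIT_TTL_SECONDS = 60   # assumed lifetime of an approved-but-uncommitted push
MODES = ("code2", "code3", "code4", "client")


@dataclass
class PendingLogin:
    user: str
    client_policy: str              # policy of the application that sent the push
    mode: str                       # one of MODES
    created: float
    approved: bool = False
    expected: Optional[str] = None  # code shown on the phone, or the right policy
    used: bool = False


class SimplePushCommitServer:
    def __init__(self, client_policies):
        # "client" mode needs at least 3 client policies configured
        if len(client_policies) < 3:
            raise ValueError("client mode needs at least 3 client policies")
        self.client_policies = list(client_policies)
        self.pending = {}

    def start_login(self, user, client_policy, mode, now=None):
        """The client application asks the server to push a login prompt."""
        if mode not in MODES:
            raise ValueError(f"unknown Simple-Push Commit mode: {mode}")
        if client_policy not in self.client_policies:
            raise ValueError(f"unknown client policy: {client_policy}")
        now = time.time() if now is None else now
        req_id = secrets.token_hex(8)
        self.pending[req_id] = PendingLogin(user, client_policy, mode, now)
        return req_id

    def phone_approve(self, req_id):
        """The user taps Approve. Returns what the phone displays next:
        ("code", "4821") in code modes, ("choose", [policies]) in client mode.
        Either way the login is NOT granted yet."""
        p = self.pending[req_id]
        p.approved = True
        if p.mode.startswith("code"):
            digits = int(p.mode[-1])                    # code2 -> 2, code4 -> 4
            p.expected = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            return ("code", p.expected)
        # client mode: the phone lists every policy in random order; the only
        # right answer is the policy of the application that sent the push
        p.expected = p.client_policy
        choices = self.client_policies[:]
        secrets.SystemRandom().shuffle(choices)
        return ("choose", choices)

    def commit(self, req_id, answer, now=None):
        """Second half of the commit: the code typed into the client application
        (code modes) or the policy selected on the phone (client mode)."""
        now = time.time() if now is None else now
        p = self.pending.get(req_id)
        if p is None or p.used or not p.approved:
            return False
        p.used = True                                   # assumed: one attempt per push
        if now - p.created > COMMIT_TTL_SECONDS:
            return False                                # approved too long ago
        return hmac.compare_digest(answer.encode(), p.expected.encode())


if __name__ == "__main__":
    # Constructed walk-through: an accidental approval alone does not log in.
    srv = SimplePushCommitServer(["vpn", "webmail", "saml-idp"])
    rid = srv.start_login("alice", "vpn", "code4")
    _, code = srv.phone_approve(rid)                    # phone now shows e.g. "4821"
    print("approved, but without the code:", srv.commit(rid, "0000"))   # False
    rid = srv.start_login("alice", "vpn", "code4")
    _, code = srv.phone_approve(rid)
    print("approved and code typed into the client:", srv.commit(rid, code))   # True
```

The point of the simulation is the `commit` step: whoever triggered the push never sees the phone screen, so they cannot supply the code and, in `client` mode, a user who does not recognise the application is likely to pick the wrong policy, which fails the login instead of granting it.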
3. RejectIP Feature
The third new feature allows users to reject unauthorized login attempts and block the public IP address that initiated the attempt for one hour. When the user taps Deny, that IP is temporarily blocked for that specific user, so further authentication requests for the user from the same address are refused during that time, which reduces the likelihood of additional attacks (and repeated push prompts) from the same source.
This security feature can be enabled in the Mobile Push Options section of the OpenOTP Server configuration under the RejectIP setting.
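As an added illustration of the RejectIP semantics (example code written for this post, not OpenOTP's own code): the block is keyed on the user and the source IP, lasts one hour, and is applied before any push is sent, so the user stops receiving prompts from that source while another user behind the same address is unaffected. The event format, the class and function names and the sample addresses are constructed for the example.

```python
import time

BLOCK_SECONDS = 3600   # one hour, as the feature describes


class RejectIPTable:
    """Per-user block list of source IPs, illustrating the RejectIP behaviour.
    Example code written for this post, not OpenOTP's implementation."""

    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds = block_seconds
        self._until = {}   # (user, ip) -> timestamp at which the block lapses

    def reject(self, user, ip, now=None):
        """The user tapped Deny on a push they did not start."""
        now = time.time() if now is None else now
        self._until[(user, ip)] = now + self.block_seconds

    def is_blocked(self, user, ip, now=None):
        now = time.time() if now is None else now
        until = self._until.get((user, ip))
        if until is None:
            return False
        if now >= until:
            del self._until[(user, ip)]   # block expired; forget it
            return False
        return True


def simulate(events, table=None):
    """Run constructed (time, user, ip, action) events through the table and
    return what the server does with each one. action is "request" (a login
    attempt that would normally push) or "reject" (the user denied the push)."""
    if table is None:
        table = RejectIPTable()
    outcomes = []
    for t, user, ip, action in events:
        if action == "reject":
            table.reject(user, ip, now=t)
            outcomes.append("rejected")       # IP blocked for this user for 1 h
        elif table.is_blocked(user, ip, now=t):
            outcomes.append("dropped")        # no push sent, no prompt to mis-tap
        else:
            outcomes.append("pushed")
    return outcomes


# Constructed sample: a source at 203.0.113.10 (RFC 5737 documentation range)
# keeps hitting alice; bob behind the same IP is unaffected; the block lapses
# one hour after the rejection at t=5.
SAMPLE_EVENTS = [
    (0,    "alice", "203.0.113.10", "request"),
    (5,    "alice", "203.0.113.10", "reject"),
    (6,    "alice", "203.0.113.10", "request"),
    (7,    "bob",   "203.0.113.10", "request"),
    (60,   "alice", "203.0.113.10", "request"),
    (3604, "alice", "203.0.113.10", "request"),
    (3606, "alice", "203.0.113.10", "request"),
]

if __name__ == "__main__":
    for ev, out in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(ev, "->", out)
```

Note that the block is per user: the same IP can still trigger pushes for other users, which matches the page's description of the feature and keeps a shared NAT address from locking out everyone behind it.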
These new features are designed to improve security and protect users from unauthorized access, while still maintaining the ease of use that the Simple-Push system provides.
We hope these updates enhance your authentication experience!
Let us know what you think or if you have any questions.