Support for push-notification MFA with number matching
jacwil opened this issue
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Some mobile authenticator apps support push notifications to approve sign-ins. Examples are Microsoft and Okta. This is a little more accessible than TOTP for users who have trouble entering the changing TOTP code before it expires; instead they would tap the appropriate number in their authenticator app. It is also more secure than SMS, which is vulnerable to SMS intercept attacks.
Describe your ideal solution
The number-matching ask is to address "MFA fatigue", where a user is flooded with MFA requests; this is described in more detail in the CISA (.gov) document "Implementing Number Matching in MFA Applications" from October 2022. Unfortunately, the current implementations at first glance appear to be vendor-specific, where the vendor has its own phone app that works with its identity service. But that is what I'm inferring from the lack of documentation on how to interface with existing authenticator apps to trigger a push-notification authentication flow. Based on my assumption, this feature would require writing and maintaining a Kratos authenticator app for Android and iOS.
Workarounds or alternatives
TOTP. But my concern would be the TOTP URL/secret being compromised on the Kratos server, where it appears to be stored in cleartext, unlike salted passwords. A workaround would be to encrypt the totp_url before storing it. Side note: I am also assuming that the totp_url is stored in cleartext in the database, based on looking at the source code; I have not examined my local DB contents to confirm.
Version
N/A
Additional Context
No response
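As an added example (not Kratos code and not from the issue author), the following Go sketch shows the server-side lifecycle of a number-matching push challenge as the CISA guidance describes it: the login page displays a random two-digit number, the push notification carries only an opaque challenge ID, and the authenticator app has to send back the number the user read from the login screen. Identity IDs, the two-digit width, the attempt cap and the push transport itself are all assumptions for illustration; a real implementation would persist challenges in the database rather than in a map.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Added example, not Ory Kratos code. Number matching defeats "MFA fatigue":
// an attacker who triggers pushes never sees the login page, so they cannot
// supply the number, and wrong guesses lock the challenge.

var (
	ErrUnknownChallenge = errors.New("unknown challenge for this identity")
	ErrChallengeClosed  = errors.New("challenge already approved, expired or locked")
	ErrExpired          = errors.New("challenge expired")
	ErrNumberMismatch   = errors.New("number mismatch")
	ErrTooManyAttempts  = errors.New("too many wrong numbers; challenge locked")
)

type Challenge struct {
	ID         string // the only thing sent in the push notification
	IdentityID string // identity whose login flow this belongs to
	Number     string // shown only on the login page, e.g. "47"
	ExpiresAt  time.Time
	Attempts   int
	Approved   bool
	Closed     bool // no further Approve calls are accepted
}

type ChallengeStore struct {
	mu          sync.Mutex
	ttl         time.Duration
	maxAttempts int
	byID        map[string]*Challenge
	Now         func() time.Time // injectable clock
}

func NewChallengeStore(ttl time.Duration, maxAttempts int) *ChallengeStore {
	return &ChallengeStore{ttl: ttl, maxAttempts: maxAttempts, byID: map[string]*Challenge{}, Now: time.Now}
}

// randomDigits draws a uniformly random, zero-padded number from crypto/rand.
func randomDigits(digits int) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", digits, n.Int64()), nil
}

// Issue creates a challenge for a login flow: id goes into the push payload,
// number is rendered on the login page and nowhere else.
func (s *ChallengeStore) Issue(identityID string) (id, number string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	if number, err = randomDigits(2); err != nil {
		return "", "", err
	}
	id = hex.EncodeToString(raw)
	s.mu.Lock()
	s.byID[id] = &Challenge{ID: id, IdentityID: identityID, Number: number, ExpiresAt: s.Now().Add(s.ttl)}
	s.mu.Unlock()
	return id, number, nil
}

// Approve is the call the authenticator app makes with the number the user typed.
func (s *ChallengeStore) Approve(id, identityID, number string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.byID[id]
	if !ok || c.IdentityID != identityID {
		return ErrUnknownChallenge
	}
	if c.Closed {
		return ErrChallengeClosed
	}
	if s.Now().After(c.ExpiresAt) {
		c.Closed = true
		return ErrExpired
	}
	c.Attempts++
	if subtle.ConstantTimeCompare([]byte(c.Number), []byte(number)) != 1 {
		if c.Attempts >= s.maxAttempts {
			c.Closed = true // locked; the user must start a new login to get a new number
			return ErrTooManyAttempts
		}
		return ErrNumberMismatch
	}
	c.Approved, c.Closed = true, true
	return nil
}

// Consume is what the login flow polls. It reports approval exactly once, so a
// stale approval cannot complete a second login.
func (s *ChallengeStore) Consume(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.byID[id]
	if !ok || !c.Approved {
		return false
	}
	delete(s.byID, id)
	return true
}

func main() {
	s := NewChallengeStore(2*time.Minute, 3)
	id, number, _ := s.Issue("identity-123")
	fmt.Println("login page shows:", number, "| push carries id:", id[:8]+"...")
	fmt.Println("app approves with that number:", s.Approve(id, "identity-123", number))
	fmt.Println("login flow consumes approval:", s.Consume(id), "| again:", s.Consume(id))
}
```

The two properties that matter are that the number never travels in the push (so the phone cannot be tricked into showing it) and that the comparison is bounded: after the attempt cap the challenge is dead rather than left open for further guesses.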
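The workaround in the post, encrypting totp_url before it is stored, as an added Go example (not Kratos code; whether Kratos already encrypts this column is the author's open question and is not settled here). It uses AES-256-GCM with a random nonce, binds the identity ID in as associated data so a ciphertext copied onto another identity's row will not open, and prefixes a key ID so keys can be rotated without re-encrypting every row first. The key ring, identity IDs and the otpauth URL are constructed for the demo; real keys would come from a secret store or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Added example, not Ory Kratos code: protect the TOTP shared secret at rest so
// a database dump alone does not let an attacker mint valid codes.

var (
	ErrUnknownKey = errors.New("unknown key id")
	ErrMalformed  = errors.New("malformed stored value")
)

type Keyring struct {
	Current string            // key ID used for new writes
	Keys    map[string][]byte // key ID -> 32-byte AES-256 key
}

func (k *Keyring) aead(keyID string) (cipher.AEAD, error) {
	key, ok := k.Keys[keyID]
	if !ok || len(key) != 32 {
		return nil, ErrUnknownKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns "<keyID>:<base64(nonce||ciphertext||tag)>" for the totp_url column.
func (k *Keyring) Seal(identityID, totpURL string) (string, error) {
	g, err := k.aead(k.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The identity ID is associated data: it is authenticated but not stored.
	ct := g.Seal(nonce, nonce, []byte(totpURL), []byte(identityID))
	return k.Current + ":" + base64.RawURLEncoding.EncodeToString(ct), nil
}

// Open reverses Seal and fails on an unknown key, a tampered value, or a
// ciphertext that was sealed for a different identity.
func (k *Keyring) Open(identityID, stored string) (string, error) {
	keyID, b64, ok := strings.Cut(stored, ":")
	if !ok {
		return "", ErrMalformed
	}
	g, err := k.aead(keyID)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(b64)
	if err != nil || len(raw) < g.NonceSize() {
		return "", ErrMalformed
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(identityID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// randomKey builds a demo key; production keys live in a KMS or secret store.
func randomKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func main() {
	kr := &Keyring{Current: "k1", Keys: map[string][]byte{"k1": randomKey()}}
	// Constructed sample provisioning URL; the secret is the sensitive part.
	url := "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example"
	stored, _ := kr.Seal("identity-123", url)
	fmt.Println("stored:", stored)
	_, err := kr.Open("identity-456", stored)
	fmt.Println("open under another identity:", err)
	kr.Keys["k2"], kr.Current = randomKey(), "k2" // rotate: old rows still open
	pt, _ := kr.Open("identity-123", stored)
	fmt.Println("old row after rotation:", pt == url)
}
```

Key rotation here is lazy: new writes use the current key and old rows keep opening under their recorded key ID until a background job re-seals them, at which point the old key can be retired from the ring.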