On 23/4/23 21:03, David Mehler wrote:
I'm trying to get 2FA going for some users. I'm finding the user experience difficult to sell as they don't like entering the user codes. What I'm trying to do is get 2FA push notifications going, where they get the notification of where the authentication is being made from and other information, and they just tap confirm.
Microsoft has an interesting approach, whereby the user is required to enter a two-digit code into the mobile authentication application which is displayed on the device used to log in. This should prevent authentication fatigue, as it is known, in which the threat actor makes repeated authentication attempts until the user consents. I don't know whether there are other authentication tools that do the same, but it's more secure than prompting for confirmation alone. Have you considered an option involving security keys, for example FIDO2 or operating as smart cards?
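
The number-matching prompt described in the reply above, sketched from the server side as an added example; it is not part of the original thread and not Microsoft's implementation. The class name, the 60-second lifetime and the one-pending-prompt rule are assumptions made for the illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a prompt stays valid (assumed value)


class NumberMatchVerifier:
    """Server side of a number-matching push prompt (hypothetical design)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> (code, expires_at)

    def start_login(self, user):
        """Create a challenge for a login attempt.

        Returns the two-digit code to display on the device used to log in.
        The code is never put in the push message, so the phone's owner can
        only answer if they can see the login screen. Returns None while an
        unexpired prompt is pending, which throttles repeated prompts.
        """
        now = self._clock()
        current = self._pending.get(user)
        if current is not None and now < current[1]:
            return None
        code = str(secrets.randbelow(90) + 10)  # uniform in 10..99
        self._pending[user] = (code, now + CHALLENGE_TTL)
        return code

    def approve(self, user, typed_code):
        """Check the code the user typed into the phone app.

        The challenge is consumed by any answer, right or wrong, so a
        prompt cannot be guessed at repeatedly.
        """
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() >= expires_at:
            return False
        # Compare as bytes in constant time.
        return hmac.compare_digest(code.encode(), str(typed_code).encode())
```

With a plain "tap confirm" prompt the phone's owner can approve a login they did not start; here an approval without the code shown on the login screen succeeds only by a 1-in-90 guess, and each prompt allows one guess.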