Identity in Engineering

Push Notifications-based 2-step Verification

By: Anand Bahety

To create a trustworthy online marketplace, we need to ensure only authenticated and authorized users gain access to their accounts. Learn how eBay built a secure, easy-to-use, and robust authentication framework using push notifications and leveraged it for 2-step verification.

The identity and authentication landscape is rapidly evolving and using passwords as a primary source of authentication is no longer a reliable option. Two-step verification or two factor authentication (2FA) help add an extra layer of security where users need to provide additional authentication factors before they can gain access to their account. However, the security and effectiveness of these mechanisms depends on the methods used and how they are implemented.

Why push notifications-based 2FA?

Typical authentication methods used to offer 2FA are either less secure or susceptible to malicious attacks. SMS-based 2FA is widely adopted online due to its simplicity. But it is susceptible to man-in-the-middle (MITM) attacks and has been declared insecure by the National Institute of Standards and Technology.

Authenticator-based apps or hardware tokens that generate one-time passcode require a common secret (seed) to be shared between the server and client, making it susceptible to server-side attacks. Relying on third-party authenticator apps requires users to download additional apps on their devices and can be ineffective if there is not enough ongoing support and maintenance to keep it up to date. Hardware tokens are also not scalable from a usability and cost perspective.

With the increasing use of smartphones as personal devices, the widespread adoption of eBay mobile application on popular mobile platforms, and push notifications providing a user-friendly and seamless access to eBay application, push notifications become an attractive option to leverage for authentication.

Design goals

While designing a push notifications-based authentication framework, we had the following security considerations to begin with:

  • No sensitive data to be passed over the wire
  • No shared secrets between client application and server
  • Leverage industry authentication standards wherever feasible
  • Aim for reliable, easy-to-use and robust authentication framework. 2FA should be a use case to leverage this framework, but don't just build a 2FA-specific product.

With these specific design goals in mind, we decided to use push notifications as a delivery mechanism and standard public key cryptography techniques on a user’s mobile device for stronger authentication. We use the FIDO UAF 1.0 protocol specification for registration and authentication to securely authenticate requests and responses between client and server. eBay mobile applications already have built client libraries implementing that protocol, hence it was an obvious choice for us to use the same technology for 2FA as well.

Registration process

An eBay application with the FIDO client library on mobile devices constitutes the client side, while a FIDO server hosted on eBay servers forms the server-side components. A user needs to be authenticated in the eBay application for this process to start.

registration

  • During this process, the mobile device initiates the registration request against the server to register itself to receive authentication-related push notifications.
  • Once the user approves the enrollment process, the client generates an asymmetric cryptographic key pair, stores the private-key securely on the device and sends the public-key back to the server where it is stored against the authenticated user and device. This completes the process and marks the device as trusted and authorized to receive and approve push notification requests for authentication.
  • We leverage the FIDO UAF registration request protocol for request-response messaging.

Authentication process

authentication

  • In this process, first the user presents primary set of credentials (like username/email and password) to eBay sign in screen. On successful validation of this input, the server creates a unique, securely random, short-lived, and one-time use transaction identifier and links all the related data on the server side for the user’s attempt. It then sends a push notification to the user’s registered device with this identifier as part of the notification request payload only.
  • On receipt of this push notification, the eBay application initiates the authentication approval request by verifying the incoming payload against the server to make sure it’s not a stale or invalid request.
  • The eBay application then asks the user to approve the login attempt. On approval, the application uses the private key securely stored on the device to sign the request payload obtained in the first step and sends the cryptographic signature and transaction identifier back to the server for verification. Even if user wants to reject the request, the same process is followed to ensure that only an authorized device is able to reject a login attempt.
  • The server verifies the signature with the public key stored in the database and approves the login attempt. The user then gains secure access to the account.
  • We use FIDO UAF authentication protocol for request-response messaging.

Deregistration process

A user can use their mobile device to deregister, which causes the private key to be deleted on the client side and the public key on the server side. Another option is to sign in to your account on the web, which prompts 2FA, because the user still has it active and then deactivate it, which causes the server to delete the public key only, which indirectly renders the private key on user’s device not usable.

Feature highlights

Let’s take a closer look at the subtle nuances of this architecture to understand its benefits and also spot check to see whether we achieved the goals set forth upfront.

  • During the registration process, the client never sends the private key (secret) to the server. Only the public key is shared with the server. Hence, no shared secrets.
  • The server stores only the public key. Hence, the system is not susceptible to server-side attacks.
  • During the authentication process, the client sends only signed data along with transaction identifier to the server. No sensitive data is passed over the wire.
  • The push notification payload doesn’t need to be encrypted, as it contains only a transaction identifier, avoiding a complex set up of end-to-end TLS between client and server.
  • Given that no secret or sensitive data is sent over the wire, this protocol is not susceptible to MITM attacks.
  • FIDO is the current industry standard for simple and stronger authentication, and we leverage that for this framework.
  • This framework forms the basis for several features like password less authentication, trusted device management, step-up authentication and many more. It’s not just a 2FA product.

Let’s experience it firsthand

If you want to enable push notification-based 2FA against your eBay account:

  1. Download the latest version of the eBay app.
  2. Sign in to your account.
  3. Go to My eBay > Settings > Signing In > 2 step verification.
  4. Turn "eBay Verify" on.

Congratulations!! You have just made your eBay account more secure. Here is a snapshot of the login experience once you have enabled it.

push2fa

Want to jump into the code and try out the FIDO UAF server or client side components? Check out eBay’s open libraries here.

Summary

This article presents a secure, easy-to-use, and robust authentication framework using push notifications, which has helped enhance eBay’s current 2FA offerings, form a rock-solid foundation for authentication, and create a safe and trusted online marketplace experience.

Tags: 2FA, Authentication, Identity, Push Notifications, Security