
PUSH authorization in services using a mobile application

We are pleased to introduce PushAuth to the community: a service that allows your customers to log in using push messages on their mobile device!



This idea is not new and many companies already use this technology in their applications. Everything looks quite simple until you consider the details: security, device and customer management, compatibility and ease of use.


How did the idea come about?


We use a lot of services: email, social networks, CRM systems, access control systems, client-bank applications and so on. For each of these services, as a rule, you must use a login / email and a password to gain access. From this we can already conclude that:


  1. Almost all of us have email.
  2. Passwords are usually the same everywhere (assuming we do not use third-party password managers such as 1Password and others).

Based on these two points, I wanted to:


  1. Use this one email for authorization.
  2. Not use passwords at all.

What came of it?


Our mobile applications do not use passwords for registration at all. Yes, there is no need to remember another password. To register or log in to the mobile application it is enough to enter only an email address, to which a letter with a link confirming the action is sent. The next time you enter that email, you are logged into the application automatically, without registering again.
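To make the email-link flow above concrete, here is an added example (not PushAuth's own code) of how a confirmation link token can be issued and checked on the server. The class name `MagicLinkIssuer`, the token layout and the secret are assumptions for illustration; the point it shows is that a link token should be signed, should expire, and should be usable only once.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional


class MagicLinkIssuer:
    """Issues email confirmation tokens (hypothetical design, not PushAuth's).

    A token is  base64url(email|expiry|nonce) + "." + HMAC-SHA256(payload).
    The HMAC stops anyone from forging or altering a link, the expiry bounds
    how long a leaked link stays useful, and the nonce set makes each link
    single-use.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 900, now=time.time):
        self._secret = secret          # server-side secret; in practice load it from a secret store
        self._ttl = ttl_seconds        # how long a link stays valid
        self._now = now                # clock, injectable so the flow can be tested deterministically
        self._used = set()             # nonces already consumed (a DB table in a real deployment)

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token to embed in the confirmation link sent to `email`."""
        expires = int(self._now()) + self._ttl
        nonce = secrets.token_urlsafe(16)
        payload = f"{email}|{expires}|{nonce}".encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return body + "." + self._sign(payload)

    def verify(self, token: str) -> Optional[str]:
        """Return the confirmed email, or None if the token is forged, expired or reused."""
        try:
            body, sig = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except (ValueError, binascii.Error):
            return None
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        try:
            email, expires_s, nonce = payload.decode().split("|")
            expires = int(expires_s)
        except ValueError:
            return None
        if self._now() > expires:
            return None
        if nonce in self._used:          # the link was already clicked once
            return None
        self._used.add(nonce)
        return email


if __name__ == "__main__":
    # Constructed demo: a fresh secret and a fake address.
    issuer = MagicLinkIssuer(secrets.token_bytes(32), ttl_seconds=60)
    link_token = issuer.issue("user@example.com")
    print("first click  ->", issuer.verify(link_token))   # the email
    print("second click ->", issuer.verify(link_token))   # None: single use
```

The clock is passed in as a parameter so that expiry can be exercised without sleeping; the same pattern keeps the single-use check testable before it is backed by real storage.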


What types of authorization are there?


Two main types of authorization request are available now:


  1. Push question: an authorization request to which the client answers Yes or No. The routing service, described just below, is available for this method.
  2. Secure Push code, which the service owner sends to the client's mobile application by means of the PushAuth service.
  3. QR authorization, in which the client scans a code with the mobile application to pass authorization. This method is currently in closed testing in the mobile applications and will also be available in the near future.

Mobile applications

Push question

Secure Push Code

Applications are already available:



Backend



Service owners have access to detailed statistics on the authorization status of their clients. You can create a separate Application for each service and monitor its use. In addition, you can configure webhooks that will send authorization information to your backend.




Where can this be used?


CRM


Let's start our flight of fancy with IT services, for example CRM systems, where an employee's action needs to be confirmed. Thanks to the routing service, it is possible to require management confirmation before a document is signed. The overall picture then looks like this:


  1. The employee initiates the action, receives a push request and answers Yes.
  2. Their immediate supervisor receives a push request and answers Yes.
  3. The senior manager receives a push request and answers Yes.
  4. The result of all actions is Yes.

If at some stage someone answers No, the next higher level does not receive a push request and the overall result of the request is No.


Above we described routing with priority (ordered). But the service can also be used without order: all links in the chain (employees) receive the push request at the same time, and only if all of them respond positively is the overall result of the request positive.
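The two routing modes just described, as an added example written for this page (it is not PushAuth's code; the function names and the `ask` callback are assumptions). The ordered mode stops at the first No so higher levels are never asked; the unordered mode asks everyone at once. In both modes a missing answer (timeout, represented as `None`) is treated as No, which is the fail-closed behaviour a confirmation chain should have.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Tuple

# A responder sends one push request to a participant and returns
# True (Yes), False (No) or None if no answer arrived before the timeout.
Responder = Callable[[str], Optional[bool]]


def route_sequential(chain: Iterable[str], ask: Responder) -> Tuple[bool, List[str]]:
    """Priority routing: ask each link in turn, stop at the first non-Yes.

    Returns (overall_result, participants_actually_asked) so a caller can
    audit who was consulted.
    """
    asked: List[str] = []
    for person in chain:
        asked.append(person)
        if ask(person) is not True:      # No, or no answer: fail closed and stop the chain
            return False, asked
    return True, asked


def route_parallel(chain: Iterable[str], ask: Responder) -> Tuple[bool, List[str]]:
    """Unordered routing: every link is asked at the same time.

    The result is Yes only if every participant explicitly answered Yes.
    """
    people = list(chain)
    with ThreadPoolExecutor(max_workers=max(1, len(people))) as pool:
        answers = list(pool.map(ask, people))   # all push requests go out concurrently
    return all(a is True for a in answers), people


if __name__ == "__main__":
    # Constructed scenario: the supervisor rejects the action.
    decisions = {"employee": True, "supervisor": False, "director": True}
    respond: Responder = lambda person: decisions.get(person)

    chain = ["employee", "supervisor", "director"]
    print("ordered  :", route_sequential(chain, respond))   # (False, ['employee', 'supervisor'])
    print("unordered:", route_parallel(chain, respond))     # (False, ['employee', 'supervisor', 'director'])
```

The audit list returned alongside the verdict is what you would write to the webhook or statistics backend: with ordered routing it doubles as evidence that the director was never bothered once the supervisor said No.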


Web site


Two-factor or simple single-factor authorization on a website can simplify or secure access to internal resources. For example, access to the admin panel of the same WordPress, when you give access to a contractor / developer and want to control it strictly by means of push requests for authorization.


OS


Do you use SSH / telnet access? Or would you like opening the lid of your laptop to trigger an authorization request? Then this service is just the perfect option.


Engineering and Equipment


You can also commercialize access to physical objects (a safe, elevator, turnstile, alarm) using the mobile application.


Security



This is the most important issue in this service. It is worth paying attention to the data exchange between the User's Service <-> PushAuth Server <-> Client Application.
All data is transmitted over HTTPS (TLS) with an HMAC signature using the SHA-256 algorithm. Each client and user of the service has its own pair of Public & Private Key. In our case, the public key is needed for identification in the shared network storage and can be transmitted in the clear. The private key is transmitted securely. In the case of a mobile application, all keys are transmitted only via APN / GCM. Thus we provide additional protection at the level of those services' certificates.
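As an added example (not PushAuth's documented wire format or code), here is what "HMAC signature, SHA-256 algorithm" with a public identifier and a private secret looks like on both sides of the exchange above, and the same verification applies to the webhooks mentioned in the Backend section. The header names, the message layout and the 300-second freshness window are assumptions; the secret and request body are constructed sample values.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Assumed header names for this example (not PushAuth's).
HDR_KEY = "X-Auth-Public-Key"    # the "public key": identifies which secret to use, sent in the clear
HDR_TS = "X-Auth-Timestamp"      # bounds how long a captured request can be replayed
HDR_SIG = "X-Auth-Signature"     # hex HMAC-SHA256 over key id, timestamp and body


def canonical_body(body: dict) -> bytes:
    """Serialize deterministically so sender and receiver sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _message(public_key: str, timestamp: int, body: dict) -> bytes:
    # Binding the key id and timestamp into the signed message means neither
    # can be swapped without invalidating the signature.
    return f"{public_key}\n{timestamp}\n".encode() + canonical_body(body)


def sign_request(public_key: str, private_key: bytes, body: dict,
                 now: Optional[int] = None) -> Dict[str, str]:
    """Sender side: produce the headers that accompany `body` over HTTPS."""
    ts = int(time.time()) if now is None else now
    sig = hmac.new(private_key, _message(public_key, ts, body), hashlib.sha256).hexdigest()
    return {HDR_KEY: public_key, HDR_TS: str(ts), HDR_SIG: sig}


def verify_request(headers: Dict[str, str], body: dict,
                   lookup_secret: Callable[[str], Optional[bytes]],
                   now: Optional[int] = None, max_skew: int = 300) -> bool:
    """Receiver side (PushAuth server, or your webhook endpoint): accept only
    requests whose signature matches a known secret and whose timestamp is fresh."""
    public_key = headers.get(HDR_KEY, "")
    secret = lookup_secret(public_key)
    if secret is None:                       # unknown key id: nothing to verify against
        return False
    try:
        ts = int(headers.get(HDR_TS, ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:         # stale or far-future: likely a replay or bad clock
        return False
    expected = hmac.new(secret, _message(public_key, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(expected, headers.get(HDR_SIG, ""))


if __name__ == "__main__":
    # Constructed demo key pair: the id is public, the 32-byte secret is private.
    KEYS = {"pk_demo": b"constructed-secret-32-bytes-long"}
    body = {"request_id": "r1", "email": "user@example.com", "action": "login"}

    headers = sign_request("pk_demo", KEYS["pk_demo"], body)
    print("genuine request :", verify_request(headers, body, KEYS.get))            # True
    print("tampered body   :", verify_request(headers, dict(body, action="admin"), KEYS.get))  # False
```

Because the key id is part of the signed message, an attacker who knows one tenant's public identifier still cannot relabel a request as coming from another tenant, and the timestamp check limits how long a captured request remains replayable over TLS-terminating proxies or logs.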


API and libraries


We have described a detailed API for working with the service: generating and sending a request, receiving a response and decoding the data. Everything is available at the link.


At the moment, one of the main tasks is to write libraries for working with the service, to lower the entry threshold for users. The following are available now:



We need Python, Go, Ruby, Node and .NET libraries, as well as PHP framework packages, for example for WordPress, Laravel and others. For authorization in Linux via SSH / Bash logon, a .so module is required.


If you are interested in helping the project, we will be happy to provide a 6-month PREMIUM account.



Source: https://habr.com/ru/post/337072/

