PUSH authorization services via mobile apps

We are pleased to introduce the PushAuth service to the community. It allows your customers to log in using push messages on their mobile devices!



This idea is not new, and many companies already use this technology in their applications. Everything looks simple enough until you consider the issues of security, management of devices and clients, interoperability and convenient operation.


How did the idea come about?


We use a lot of services: email, social networks, CRM systems, access control systems, online banking, etc. To access each of them you have to use a username/email and a password. From this we can already conclude that:


  1. Almost all of us have email.
  2. Passwords are in most cases the same everywhere. (We assume that third-party services such as 1Password and others are not being used.)

On the basis of these two points we would like to:


  1. Use this one email for authorization.
  2. Not use passwords at all.

What did we end up with?


In our mobile applications we do not use passwords for registration at all. Yes, there is no need to remember yet another password. For registration/authorization in the mobile application it is sufficient to enter only your email address, to which an email with a link to confirm the action will be sent. After entering the email you are automatically let into the app without a separate registration.


What are the types of authorization?


Currently there are two basic types of authorization request:


  1. Push question: an authorization question that the client must answer Yes or No. For this method a routing service is available, which is described just below.
  2. Push code: a code that the owner of the service sends to the mobile client application by means of the PushAuth service.
  3. QR authorization, which lets the client scan a code with the mobile application and pass authorization. This method is at the closed-testing stage in the mobile applications and will become available soon.

Mobile apps


  • To deliver push notifications to Android and iOS we use Firebase Cloud Messaging. All data transferred from the mobile application to the PushAuth server is signed with HMAC-SHA256 using personal private keys.
  • The mobile app has optional PIN protection (Touch ID / password), which raises the level of protection against unauthorized access.
  • We plan to develop an SDK that will let you use the API functionality in your own mobile applications.
  • A customer can have up to 10 devices that receive push requests. Once one of the devices has answered, the push answers from the other devices are ignored. We plan to hide the push message on the other devices as soon as one of them replies.


Push question



Push code


Applications now available



Backend



Service owners have access to detailed statistics on the authorization status of their clients. You can create a separate Application for each service and monitor its use. In addition, you can configure webhooks that send the authentication data for:


  • QR codes
  • Push requests
  • Customer response timeouts


Where can it be used?


    CRM


    Let's start our flight of fancy with IT services such as CRM systems, where an employee's action needs to be confirmed. For example, with routing it is possible to arrange that signing a document requires confirmation from management. The overall picture then looks like this:


    1. The employee initiates an action, receives a push request and answers Yes.
    2. His immediate superior receives a push request and answers Yes.
    3. The next manager up receives a push request and answers Yes.
    4. The result of all these actions is Yes.

    If at some stage someone answers No, the following links in the chain do not receive a push request and the overall result of the query is No.


    Above we described the operation of the routing service with ordering. The service may also be used without ordering. This means that all links of the chain (employees) receive the push request at the same time, and only if all of them answer positively is the overall result of the query positive.
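    The two routing modes described above (ordered and unordered chains), as an added example that is not PushAuth's own code. It models each push reply as a callback returning Yes, No or no answer; treating a timeout the same as No is my assumption, and the chain emails are constructed sample data.

```python
from typing import Callable, Dict, List, Optional

# A link in the chain is identified by its email, the only identifier the
# service uses. The callback delivers the push question to that person and
# returns True (Yes), False (No) or None (no reply before the timeout).
AnswerFn = Callable[[str], Optional[bool]]


def route_ordered(chain: List[str], ask: AnswerFn) -> dict:
    """Ordered routing: ask each link in turn; stop at the first non-Yes.

    Links after the stopping point never receive a push request at all.
    (Assumption: a timeout is treated like a No and also stops the chain.)
    """
    answers: Dict[str, Optional[bool]] = {}
    for person in chain:
        answers[person] = ask(person)
        if answers[person] is not True:
            return {"result": False, "answers": answers, "stopped_at": person}
    return {"result": True, "answers": answers, "stopped_at": None}


def route_unordered(chain: List[str], ask: AnswerFn) -> dict:
    """Unordered routing: every link is asked; the result is Yes only if all said Yes."""
    answers = {person: ask(person) for person in chain}
    return {
        "result": all(a is True for a in answers.values()),
        "answers": answers,
        "stopped_at": None,
    }


def scripted_answers(script: Dict[str, Optional[bool]]) -> AnswerFn:
    """Constructed stand-in for real push replies: look each answer up in a dict."""
    return lambda person: script.get(person)


if __name__ == "__main__":
    # Constructed sample chain: employee, immediate superior, next manager up.
    chain = ["employee@example.com", "manager@example.com", "director@example.com"]
    replies = {"employee@example.com": True, "manager@example.com": False,
               "director@example.com": True}
    print(route_ordered(chain, scripted_answers(replies)))    # stops at the manager
    print(route_unordered(chain, scripted_answers(replies)))  # everyone asked, result False
```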


    Web site


    Two-factor or simple one-factor authorization can simplify or secure access to internal resources. For example, access to the WordPress admin panel when you give access to a contractor/developer and want to strictly control it by means of push authorization requests.


    OS


    Do you use SSH/telnet access? Or do you want opening the lid of your laptop to require authorization? Then this service is simply the perfect option.


    Engineering and equipment


    Optionally, you can implement access control on an industrial scale (safe, elevator, turnstile, alarm) with the help of the mobile application.


    Security



    This is the most important issue in this service. Attention must be paid to things such as the data exchange between the service user <--> PushAuth server <--> client application.
    All data is transmitted over HTTPS (TLS) and signed with HMAC-SHA256. Each client and each service user has its own pair of public and private keys. In our case the public key serves for identification in the shared network repository and may be transmitted in the clear. The private key is transmitted in a reliable way. In the case of mobile apps, all keys are transmitted only via APNs/GCM, so we provide additional protection at the level of the services' certificate data.
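    The signing scheme described here and in the mobile apps section (public key as the identifier sent in the clear, private key as the HMAC-SHA256 secret), as an added example that is not PushAuth's own code. The key store, key values and request fields are constructed for the example; the timestamp freshness check is my addition, since the page does not describe one.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key store (not real PushAuth keys): the public key is the
# identifier transmitted in the clear, the private key is the HMAC secret that
# only this client and the server know.
KEY_STORE = {
    "pub_client_01": b"constructed-private-key-for-client-01",
}


def canonical_body(body: dict) -> bytes:
    # Both sides must sign exactly the same bytes, so serialize deterministically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(public_key: str, private_key: bytes, body: dict,
                 now: Optional[int] = None) -> dict:
    """Client side: public key in the clear, HMAC-SHA256 over the whole payload."""
    payload = dict(body, public_key=public_key, ts=now if now is not None else int(time.time()))
    sig = hmac.new(private_key, canonical_body(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_request(message: dict, now: Optional[int] = None, max_age: int = 60) -> bool:
    """Server side: look up the secret by public key, recompute, compare in constant time."""
    payload = message.get("payload", {})
    private_key = KEY_STORE.get(payload.get("public_key"))
    if private_key is None:
        return False  # unknown client: no secret to verify against
    expected = hmac.new(private_key, canonical_body(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("signature", "")):
        return False  # payload or signature was altered in transit
    # Assumed freshness check: a captured request must not be replayable later.
    age = (now if now is not None else int(time.time())) - payload.get("ts", 0)
    return 0 <= age <= max_age


if __name__ == "__main__":
    msg = sign_request("pub_client_01", KEY_STORE["pub_client_01"],
                       {"action": "login", "email": "user@example.com"})
    print(verify_request(msg))  # True for an untampered, fresh request
```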


    APIs and libraries


    We have documented the service API in detail: generating and sending a request, receiving the reply and decoding the data. Everything is available at the link.


    At the moment one of our main tasks is writing libraries for working with the service, to lower the barrier to entry for service users. Currently available:



    We need libraries for Python, Go, Ruby, Node and .NET, and in PHP, framework packages for e.g. WordPress, Laravel and others. For logging in to Linux via SSH/Bash a logon module is also required.


    If you are interested in helping the project, we look forward to hearing from you and will provide a 6-month PREMIUM account.

    Article based on information from habrahabr.ru
