Introducing Authy Push

Cem Paya in Gemini
Mar 9, 2018 · 5 min read
Gemini enables added security with Authy push notifications for transaction approvals

Sessions vs transactions

Most consumer-grade authentication systems operate at the level of sessions. Users provide their credentials — which may involve multiple factors such as a password in conjunction with a short-lived, one-time passcode. This initial step creates an authenticated “session” lasting for a fixed duration (e.g., one hour). During this time, users are allowed to browse around the site and use various features. After the clock runs out, the session reverts to an unauthenticated state, requiring users to prove their identity once again.

  • Collect a 2FA code

Adding context

The root cause of these problems is a lack of context about the action being approved: the user believes that providing a 2FA code or pressing a button will lead to one outcome, while the adversary has carefully altered the setup to trigger something else entirely. What is required is an out-of-band channel to verify the intended transaction, independent of the original device where it is initiated.

  • Several Bitcoin hardware wallets have a display for confirming the destination addresses on transactions. Even if local malware running on the PC sends a different Bitcoin transaction for signing — as malware in the wild was discovered to be doing by manipulating the clipboard — the user has an opportunity to detect this substitution because the display cannot be manipulated.
  • A more mainstream example can be found in NFC payments using a smart-phone. While standard credit card payments (even with chip cards) involve blindly trusting the point-of-sale terminal to charge the expected amount, mobile wallets can first display the amount requested and obtain confirmation from the consumer before proceeding with the payment.

Introducing Authy Push Notifications

Luckily esoteric hardware is not required to get the benefits of out-of-band authentication. With the right application installed, the ubiquitous smart-phone can function as the independent verification channel. Authy, used by Gemini, is an example of such an app. When customers attempt to withdraw cryptocurrency from their Gemini account, they will receive an approval request on their mobile Authy app containing transaction details:
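A simplified model of the flow described above, added here as an example; it is not Gemini's or Authy's code, and the shared enrollment key, the push payload shape and the scenario helpers are assumptions. It shows why an approval that is computed over the displayed transaction details (rather than a session-level code) cannot be silently redirected to a substituted destination, nor reused for a different request.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrollment secret; stands in for whatever the real app uses internally.
DEVICE_KEY = b"constructed-enrollment-key"

def canonical(tx):
    """Deterministic encoding of exactly the details the phone displays."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def sign_approval(key, req_id, tx):
    """An approval is a MAC over the request id AND the displayed details."""
    return hmac.new(key, req_id.encode() + canonical(tx), hashlib.sha256).hexdigest()

class ApprovalServer:
    def __init__(self, key):
        self.key, self.pending = key, {}

    def request_withdrawal(self, tx):
        """Record the pending withdrawal and build the push payload sent to the phone."""
        req_id = secrets.token_hex(8)
        self.pending[req_id] = dict(tx)
        return {"id": req_id, "tx": dict(tx)}

    def verify_approval(self, req_id, approval):
        """Valid only for the pending request whose details were signed; single use."""
        tx = self.pending.get(req_id)
        if tx is None or not hmac.compare_digest(sign_approval(self.key, req_id, tx), approval):
            return False
        del self.pending[req_id]
        return True

def phone_app(key, push, user_accepts):
    """Out-of-band device: show the details, sign only what the user actually saw."""
    return sign_approval(key, push["id"], push["tx"]) if user_accepts(push["tx"]) else None

def run_scenario(intended_dest, submitted_dest):
    """User intends intended_dest; the browser (possibly malware-controlled) submits submitted_dest."""
    server = ApprovalServer(DEVICE_KEY)
    push = server.request_withdrawal({"asset": "BTC", "amount": "0.5", "to": submitted_dest})
    approval = phone_app(DEVICE_KEY, push, lambda tx: tx["to"] == intended_dest)
    if approval is None:
        return "declined"  # the user saw the substituted address on the phone and refused
    return "approved" if server.verify_approval(push["id"], approval) else "rejected"

def approval_not_transferable():
    """An approval captured for one request cannot authorize a different one."""
    server = ApprovalServer(DEVICE_KEY)
    first = server.request_withdrawal({"asset": "ETH", "amount": "1", "to": "constructed-addr-a"})
    approval = phone_app(DEVICE_KEY, first, lambda tx: True)
    second = server.request_withdrawal({"asset": "ETH", "amount": "1", "to": "constructed-addr-b"})
    return server.verify_approval(second["id"], approval) is False and server.verify_approval(first["id"], approval)
```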

Roll-out plans

At this time, for customers who are already using the Authy mobile app, Gemini will require push notification approval for all crypto-currency withdrawals — no action is required to opt in to the additional level of security. Gemini strongly recommends that all customers use the Authy mobile app and cautions against relying on SMS for two-factor authentication.

Gemini

A next generation cryptocurrency exchange and custodian that allows customers to buy, sell, and store digital assets. https://gemini.com

Written by Cem Paya

Security professional, Googler, Manhattan refugee adjusting to Bay Area life, MSFT alumni. (Opinions expressed are my own; I do not speak for my employer.)
