Usability and Security Analysis of the Compare-and-Confirm Method in Mobile Push-Based Two-Factor Authentication

Cited by: 0
Authors
Jubur, Mohammed [1 ,2 ]
Saxena, Nitesh [1 ,2 ]
Reegu, Faheem A. [1 ,2 ]
Affiliations
[1] Jazan Univ, Dept Comp, Network Engn, Jazan 45142, Saudi Arabia
[2] Texas A&M Univ, Dept Comp Sci, Engn, College Stn, TX 77840 USA
Keywords
Authentication; Codes; Security; Usability; Mobile handsets; Standards; Concurrent computing; Mobile computing; IP networks; Real-time systems; Two-factor authentication (2FA); push-based authentication; push-compare-and-confirm (PushCC); security; usability; concurrency attacks; mobile security; authentication protocols; usability evaluation; code comparison; authentication security;
DOI
10.1109/TMC.2024.3524093
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
Push-based two-factor authentication (2FA) methods, such as the "Just-Confirm" approach, are popular due to their user-friendly design, requiring users to simply approve or deny a push notification on their mobile device. However, these methods are vulnerable to "concurrency attacks," where an attacker attempts to log in immediately after the legitimate user, causing multiple push notifications that may lead to users inadvertently approving fraudulent access. This vulnerability arises because the login notifications are not uniquely bound to individual login attempts. To address this issue, the Push-Compare-and-Confirm (PushCC) 2FA method enhances security by associating each login notification with a unique code displayed on both the authentication terminal and the push notification. Users are required to match these codes before confirming access, thereby binding the notification to a specific login attempt. Recognizing the ubiquity of mobile devices in daily life, we conducted a comprehensive user study with 65 participants to evaluate the usability and security of Push-Compare-and-Confirm. The study considered two scenarios: one where the user's second-factor device (phone) is physically separate from the authentication terminal (e.g., logging in on a PC and confirming on the phone), and another where the phone serves as both the authentication terminal and the second-factor device. Participants completed 24 login trials, including both benign and attack scenarios, with varying code lengths (four characters and six characters). Our results indicate that while Push-Compare-and-Confirm maintains high usability in benign scenarios, with True Positive Rates (TPR) exceeding 95%, it presents significant challenges in attack detection. Participants correctly identified only about 50% of fraudulent login attempts, indicating that a substantial vulnerability remains. These findings suggest that although Push-Compare-and-Confirm enhances security over standard push-based 2FA methods, additional measures (such as more intuitive interface designs, clearer visual cues, and user education on the importance of code verification) are necessary to improve attack detection rates without compromising usability.
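The following is an added illustration, not code from the paper: a toy model of a push-based 2FA server under the concurrency attack described in the abstract, contrasting Just-Confirm with Push-Compare-and-Confirm. The attempt ids, code alphabet, four-character code length and the "user handles the newest notification first" behaviour are constructed assumptions for the simulation.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class PushServer:
    """Pending login attempts for one account, keyed by attempt id."""

    def __init__(self, mode, code_len=4):
        self.mode = mode          # "just_confirm" or "pushcc"
        self.code_len = code_len
        self.pending = {}         # attempt_id -> terminal code (None in Just-Confirm)

    def start_login(self):
        """Password already verified; queue a push. Returns (attempt_id, code)."""
        attempt_id, code = secrets.token_hex(4), None
        if self.mode == "pushcc":
            # Same code goes to the login terminal and into the push; it must
            # differ from every other pending code or the binding is lost.
            while code is None or code in self.pending.values():
                code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
        self.pending[attempt_id] = code
        return attempt_id, code

    def approve(self, attempt_id):
        """Phone approved the push for attempt_id; returns it if it was pending."""
        if attempt_id not in self.pending:
            return None
        del self.pending[attempt_id]
        return attempt_id


def phone_decides(mode, notification_code, terminal_code, attentive):
    """User-side rule. Just-Confirm offers nothing to compare. In PushCC an
    attentive user approves only on a code match; an inattentive user taps
    approve without comparing (the behaviour behind the ~50% detection rate)."""
    if mode == "just_confirm" or not attentive:
        return True
    return notification_code == terminal_code


def concurrency_attack(mode, attentive=True):
    """Victim logs in, attacker logs in right behind with the same password,
    two pushes reach the phone. Returns which attempts end up authorised."""
    server = PushServer(mode)
    victim_id, victim_code = server.start_login()      # code on victim's screen
    attacker_id, attacker_code = server.start_login()  # attacker's concurrent login
    authorised = set()
    for att_id, code in ((attacker_id, attacker_code), (victim_id, victim_code)):
        if phone_decides(mode, code, victim_code, attentive):
            authorised.add(server.approve(att_id))
    return {"attacker_in": attacker_id in authorised, "victim_in": victim_id in authorised}
```

Only the PushCC run with an attentive user keeps the attacker out; Just-Confirm, and PushCC with a user who taps without comparing, both authorise the attacker's attempt.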
Pages: 4623 / 4638
Page count: 16