privacyidea / privacyidea-authenticator

Android OTP Authenticator App for privacyIDEA Authentication Server

Secure PUSH token in app itself #95

Open MatthiasLaechele opened 4 years ago

MatthiasLaechele commented 4 years ago

The PUSH token can only be secured by a user PIN at the moment. There are cases where a user PIN on the token is not possible, for example during a login request without any web form, such as an RDP or VPN connection.

Securing those PUSH tokens via the app itself would be appreciated. There could be a PIN set up and entered on accepting the PUSH token, or the PUSH token could be accepted by a positive fingerprint.

cornelinux commented 4 years ago

Thanks a lot for the feedback. There are different possible ways to protect the app or a token, either by a token-dedicated PIN (which we can do with HOTP and TOTP tokens) or with the system credentials. In the case of the Push token, the protection would look like this: the Accept button would only be available after a PIN has been entered.

Currently there is no plan to add further protection. We first need to collect information and make up our mind.

In the meantime please consider the following: As a matter of 2FA you do not want to protect the smartphone app itself, you want to protect an application where the user is supposed to authenticate, like RDP or VPN. And you can very well protect this with a password and the app. And in my opinion this is more secure, using these two independent factors, than using only one smartphone app to authenticate and trying to protect this single app.
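The PIN-gated Accept button described in the comment above, written out as an added example; this is not code from the privacyIDEA authenticator app or from either commenter. It models the app-side state only: the PIN is stored as a salted PBKDF2 hash, verification uses a constant-time compare with a lockout after repeated failures, and a push challenge can be accepted only inside a short window after a correct PIN. The class names `PinStore`, `PushAcceptGate` and `PushChallenge`, the iteration count, the lockout parameters and the challenge nonce are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Example parameters (assumptions, not values from the privacyIDEA app).
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30.0
UNLOCK_WINDOW_SECONDS = 30.0


class PinStore:
    """Holds a salted PBKDF2 digest of the app PIN; the PIN itself is never stored."""

    def __init__(self):
        self._salt = None
        self._digest = None
        self._failed = 0
        self._locked_until = 0.0

    def set_pin(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", pin.encode("utf-8"), self._salt, PBKDF2_ITERATIONS)
        self._failed = 0
        self._locked_until = 0.0

    def is_locked(self, now=None) -> bool:
        now = time.monotonic() if now is None else now
        return now < self._locked_until

    def verify(self, pin: str, now=None) -> bool:
        """Constant-time check; counts failures and locks out after too many."""
        now = time.monotonic() if now is None else now
        if self._digest is None or self.is_locked(now):
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", pin.encode("utf-8"), self._salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, self._digest):
            self._failed = 0
            return True
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failed = 0
        return False


class PushChallenge:
    """A pending push request; the nonce here is a constructed sample value."""

    def __init__(self, nonce: str):
        self.nonce = nonce
        self.accepted = False


class PushAcceptGate:
    """Models the Accept button: enabled only briefly after a correct PIN entry."""

    def __init__(self, pin_store: PinStore):
        self._pins = pin_store
        self._unlocked_until = 0.0

    def unlock(self, pin: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        if not self._pins.verify(pin, now):
            return False
        self._unlocked_until = now + UNLOCK_WINDOW_SECONDS
        return True

    def accept_enabled(self, now=None) -> bool:
        now = time.monotonic() if now is None else now
        return now < self._unlocked_until

    def accept(self, challenge: PushChallenge, now=None) -> bool:
        """Accepts the challenge only while unlocked; one unlock serves one accept."""
        now = time.monotonic() if now is None else now
        if not self.accept_enabled(now):
            return False
        challenge.accepted = True
        self._unlocked_until = 0.0
        return True


if __name__ == "__main__":
    store = PinStore()
    store.set_pin("4711")                      # constructed sample PIN
    gate = PushAcceptGate(store)
    challenge = PushChallenge("sample-nonce")   # constructed sample challenge
    print("accept without PIN:", gate.accept(challenge))
    print("unlock with PIN:", gate.unlock("4711"))
    print("accept after PIN:", gate.accept(challenge))
```

The one-unlock-per-accept rule keeps a single PIN entry from silently approving a second push that arrives moments later, which is the scenario the issue is worried about on RDP and VPN logins where no web form exists to carry the PIN.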