Secondary Device Authentication: A Simple Step for Stronger Security

  • OCTOBER 13TH, 2025

Introduction

With phishing attacks and credential theft on the rise, password-only authentication is no longer sufficient. Attackers often gain access through stolen credentials, making it critical to add another layer of verification. Secondary Device Authentication (SDA) mitigates this risk by requiring confirmation from a trusted second device before access is granted. 

In the September 2022 Uber breach, attackers relied on SDA fatigue: they bombarded a contractor with repeated push notifications and impersonated IT over WhatsApp until the user finally approved a prompt, which granted access to internal systems.

Affected Systems / Scope

  • Systems with user logins (e.g., web portals, email, VPN) 
  • Cloud services (e.g., Google Workspace, Microsoft 365, GitHub) 
  • Platforms using Single Sign-On (SSO) or Identity Providers (IdPs) like Okta, Duo, or Azure AD

What Is SDA?

SDA is a form of Multi-Factor Authentication (MFA) that verifies: 

  • Something you know: your password 
  • Something you have: a secondary, trusted device

Examples include Google Prompt, Microsoft Authenticator, Apple “Approve on device”, TOTP codes, and biometric approvals.

How It Works

  • Enter username/password on the primary device 
  • Receive a prompt or code on your secondary device 
  • Approve access (tap, code, or biometrics) 
  • Access is granted only after device confirmation

Best Practices

  • Register more than one trusted device 
  • Prefer authenticator apps over SMS 
  • Never approve unexpected prompts 
  • Enable SDA wherever possible
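
The fatigue pattern from the Uber example, and the advice to never approve unexpected prompts, can also be watched for on the server side. The following is an added example, not part of the original advisory: it scans authentication events for a burst of denied or timed-out prompts and flags an approval that follows one. The event names, the 10-minute window, the threshold of 5 and the sample log entries are all assumptions constructed for illustration, not the schema of any particular identity provider.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = {"push_denied", "push_timeout"}

# Constructed sample events (time, user, result); field names are assumptions,
# not the log schema of any particular identity provider.
SAMPLE_EVENTS = [
    ("2025-10-13T02:01:05", "contractor1", "push_timeout"),
    ("2025-10-13T02:01:50", "contractor1", "push_denied"),
    ("2025-10-13T02:02:30", "contractor1", "push_denied"),
    ("2025-10-13T02:03:10", "contractor1", "push_timeout"),
    ("2025-10-13T02:04:00", "contractor1", "push_denied"),
    ("2025-10-13T02:05:20", "contractor1", "push_approved"),
    ("2025-10-13T09:00:00", "alice", "push_denied"),
    ("2025-10-13T09:00:40", "alice", "push_approved"),
    ("2025-10-13T09:30:00", "bob", "push_timeout"),
    ("2025-10-13T11:45:00", "bob", "push_timeout"),
]


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, time, kind) alerts for bursts of unapproved prompts."""
    recent = defaultdict(deque)   # user -> times of recent failed prompts
    alerts = []
    for ts, user, result in sorted(events):   # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:      # expire prompts outside the window
            q.popleft()
        if result in FAILED:
            q.append(now)
            if len(q) == threshold:           # alert once when the burst forms
                alerts.append((user, ts, "prompt_burst"))
        elif result == "push_approved":
            if len(q) >= threshold:           # approval right after a burst
                alerts.append((user, ts, "approved_after_burst"))
            q.clear()                         # a completed login resets the count
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first, since it means the session was granted after the user had been receiving prompts they did not approve.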
