Description
What to change?
Implement a second step after the user decides to accept the request. This step includes a challenge that shows multiple numbers, which are included in the notification. If the request doesn't provide such a challenge, the step can be skipped. The application sending the request displays the correct number, which the user has to tap. The acceptance, together with the selected number, is sent back to the server.
The Problem
A user may accept a request by accident e.g. when the finger slips on the wrong button or the user doesn't pay enough attention.
A possible attack vector is also spamming a user with requests. This attack increases the likelihood of such an accident or may even cause the user to accept out of annoyance. This can be partially handled by rate limiting within the eduMFA server, but an in-app challenge solves it completely.
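As an added illustration of the number-matching step described above and of the accidental-acceptance problem it addresses (not code from the eduMFA project; the store, field names and TTL are assumptions), this sketches the server side: the challenge pushed to the phone carries only the candidate numbers, the correct one is shown only by the requesting application, and each challenge allows a single attempt and expires.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    transaction_id: str
    candidates: Optional[list]  # numbers shown in the notification; None if matching is off
    correct: Optional[int]      # shown only by the application that triggered the request
    expires_at: float
    consumed: bool = False


class ChallengeStore:
    """Hypothetical in-memory record of outstanding push challenges."""

    def __init__(self, ttl_seconds=120, num_choices=3):
        self.ttl = ttl_seconds          # assumed lifetime of a challenge
        self.num_choices = num_choices  # assumed number of candidates shown in the app
        self._open = {}

    def create(self, with_number_matching=True, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        if with_number_matching:
            # distinct two-digit numbers, so a slipped finger lands on the right one by chance only
            candidates = secrets.SystemRandom().sample(range(10, 100), self.num_choices)
            correct = secrets.choice(candidates)
        else:
            candidates, correct = None, None  # request carries no challenge: step is skipped
        ch = PushChallenge(tid, candidates, correct, now + self.ttl)
        self._open[tid] = ch
        return ch

    def notification_payload(self, ch):
        """What is pushed to the phone: the candidates, never the answer."""
        return {"transaction_id": ch.transaction_id, "numbers": ch.candidates}

    def verify(self, transaction_id, accepted, selected=None, now=None):
        now = time.time() if now is None else now
        ch = self._open.get(transaction_id)
        if ch is None or ch.consumed:
            return "unknown_or_replayed"
        ch.consumed = True  # one attempt per challenge: a wrong tap does not allow retries
        if now > ch.expires_at:
            return "expired"
        if not accepted:
            return "rejected"
        if ch.correct is None:
            return "accepted"  # no challenge attached, plain accept is enough
        if selected is None or selected != ch.correct:
            return "wrong_number"
        return "accepted"
```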
Mockup
TBD