I'm trying to understand the difference between biometrics triggered by a push notification (most used) vs using FIDO2 in a native mobile app. This refers to Multi Factor authentication. What's the difference in terms of security and implementation?
Been trying to find information, diagrams, flow charts etc. but have come up empty with either.
Both use cases can be implemented with FIDO2 under the hood. A private key credential is stored on the phone, gated by the phone's lock mechanism (biometrics, PIN), and used to sign a challenge.
The difference is how and where the authentication happens, and what level of security is required or desired. We like to differentiate between "out-of-band" and "on-device" authentication.
Out-of-band (push): The user wants to authenticate somewhere else, e.g. in a browser on a desktop PC, and the (FIDO2) credential on the phone is used through a mobile app as an additional external authentication factor.
On-device: The user wants to sign in to the app (or website) on the same device that also stores the (FIDO2) credential.
The main difference here is that on-device offers effective protection against phishing/proxy and timing attacks. That is because the credential is bound to an origin (in your case the app's package name) and can only be accessed from there. This becomes much more relevant when authenticating on websites, but FIDO2 allows the same credentials to be used in apps and on websites (provided both are controlled by the same party and set as the valid origins for the credentials).
Out-of-band authentication cannot ensure that you are trying to sign in on the legitimate website (see e.g. https://github.com/kgretzky/evilginx2), nor can it make sure that it is actually you that triggered the push notification.
For those reasons, we (hanko.io) decided to drop support for out-of-band completely and focus on on-device authentication with FIDO2 and passkeys through the WebAuthn API.