MFA: Push Authentication

The user must provide credentials to enable AM to locate the user in the identity store and determine if they have a registered mobile device.

AM prompts the user to register a mobile device if they have not done so already. Registering a device associates metadata about the device essential for enabling push notifications with the user's profile in the identity store.

For more information, see Managing Devices for MFA.

Once the details of the registered device are obtained, AM creates a push message specific to the registered device. The message has a unique ID, which AM stores in anticipation of a response from the registered device.

A pending record using the same message ID is also written to the CTS store, providing redundancy should an individual server go offline during the authentication process.

AM sends the push message to the registered device.

AM uses cloud-based push notification services to deliver the messages to the devices. Depending on the registered device, AM uses either Apple Push Notification Services (APNS) or Google Cloud Messaging (GCM) to deliver the push notification.

AM begins to poll the CTS for an accepted response from the registered device.

The user responds to the notification on the registered device, which will open the ForgeRock Authenticator app. In the ForgeRock Authenticator app, the user approves the authentication request with either a swipe, or by using a fingerprint or face recognition on supported hardware.

For more information, see "Testing Push Authentication".

The app returns the response to the AM site.

AM verifies the message is from the correct registered phone and has not been tampered with, and marks the pending record as accepted if valid.

AM detects the accepted record and redirects the user to their profile page, completing the authentication.