Limitations when using passwordless push authentication
When authenticating to a passwordless push authentication journey, the user enters their user ID, but not their password. AM sends a push notification to their device to complete the authentication.
Be aware of the following limitations when you implement passwordless push authentication:
-
Unsolicited push messages could be sent to a user’s registered device by anyone who knew or was able to guess their user ID.
-
If a malicious user attempted to authenticate by using push at the same time as a legitimate user, the legitimate user might unintentionally approve the malicious attempt. This is because push notifications only contain the username and issuer in the text, and it is not easy to determine which notification relates to which authentication attempt.
Consider using push notifications as part of MFA, and not on their own.