MFA: Push Authentication

You can use push notifications as part of the authentication process in AM.

To receive push notifications when authenticating, end users must register an Android or iOS device with AM. The registered device can then be used as an additional factor when authenticating to AM. AM can send the device a push notification, which can be accepted by the ForgeRock Authenticator app. In the app, the user can allow or deny the request that generated the push notification and return the response to AM.

Figure 1. Overview of Push Authentication (diagram: the interaction between the ForgeRock Authenticator (Push) authentication module, AM services, and the ForgeRock Authenticator app)

The following steps occur when AM receives an authentication request and is configured for MFA using push notifications:

  1. The user must provide credentials so that AM can locate the user in the identity store and determine whether they have a registered mobile device.

  2. AM prompts the user to register a mobile device if they have not done so already. Registering a device associates metadata about the device essential for enabling push notifications with the user’s profile in the identity store.

    For more information, see Managing Devices for MFA.

  3. Once the details of the registered device are obtained, AM creates a push message specific to the registered device. The message has a unique ID, which AM stores in anticipation of a response from the registered device.

    A pending record using the same message ID is also written to the CTS store, providing redundancy should an individual server go offline during the authentication process.

  4. AM sends the push message to the registered device.

    AM uses cloud-based push notification services to deliver the messages to the devices. Depending on the platform of the registered device, AM uses either Apple Push Notification Services (APNS) or Google Cloud Messaging (GCM) to deliver the push notification.

    AM begins to poll the CTS for an accepted response from the registered device.

  5. The user responds to the notification on the registered device, which opens the ForgeRock Authenticator app. In the ForgeRock Authenticator app, the user approves the authentication request with either a swipe, or by using a fingerprint or face recognition on supported hardware.

    For more information, see Testing Push Authentication.

    The app returns the response to AM.

  6. AM matches the response to the pending record by its message ID, verifies that it came from the registered device for that record and that its contents have not been tampered with, and marks the pending record as accepted only if every check passes.

    AM detects the accepted record and redirects the user to their profile page, completing the authentication.
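The six steps above, traced as a working model of the exchange between the server and the authenticator app. This is example code written for this page, not AM's or the ForgeRock Authenticator's own implementation: the HMAC-SHA256 response check, the field names, the in-memory dictionary standing in for the CTS pending record, the 120-second expiry and the sample device secrets are all assumptions chosen for illustration. It shows what step 6 has to reject in practice: a replayed answer, an answer whose decision was flipped in transit, an answer signed with the wrong secret, an answer from a device other than the one the message was issued to, and an answer that arrives after the pending record has expired.

```python
"""Model of a push-authentication exchange (example code, not AM's implementation):
the server issues a message with a unique ID and fresh challenge for the user's
registered device, the app answers with an HMAC over that challenge using the
device secret, and the server verifies before marking the pending record accepted."""
import base64
import hashlib
import hmac
import secrets

PENDING, ACCEPTED, DENIED = "pending", "accepted", "denied"


def _mac(secret: bytes, message_id: str, challenge: bytes, decision: str) -> str:
    """HMAC-SHA256 binding the device secret to this message, challenge and answer."""
    msg = b"|".join([message_id.encode(), challenge, decision.encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PushServer:
    """Server side. `pending` stands in for the CTS pending-record store (assumption)."""

    def __init__(self, registered: dict, ttl_seconds: int = 120):
        # username -> {"device_id": str, "secret": bytes}, populated at device registration
        self.registered = registered
        self.pending = {}
        self.ttl = ttl_seconds

    def start_push(self, username: str, now: float):
        """Steps 1-4: locate the registered device, create a message with a unique ID
        and a fresh challenge, store the pending record, return the push payload."""
        dev = self.registered.get(username)
        if dev is None:
            return None  # step 2: the user has to register a device first
        message_id = secrets.token_urlsafe(16)
        challenge = secrets.token_bytes(32)
        self.pending[message_id] = {"user": username, "device_id": dev["device_id"],
                                    "challenge": challenge, "issued": now, "state": PENDING}
        return {"messageId": message_id, "challenge": base64.b64encode(challenge).decode()}

    def receive_response(self, resp: dict, now: float) -> str:
        """Step 6: match by message ID, check device, freshness and integrity, record the decision."""
        rec = self.pending.get(resp.get("messageId"))
        if rec is None:
            return "unknown_message"
        if rec["state"] != PENDING:
            return "already_answered"  # replay of a response that was already consumed
        if now - rec["issued"] > self.ttl:
            rec["state"] = "expired"
            return "expired"
        if resp.get("deviceId") != rec["device_id"]:
            return "wrong_device"  # answer from a device the message was not issued to
        secret = self.registered[rec["user"]]["secret"]
        expected = _mac(secret, resp["messageId"], rec["challenge"], resp.get("decision", ""))
        if not hmac.compare_digest(expected, resp.get("mac", "")):
            return "tampered"  # wrong secret, or decision/challenge altered in transit
        rec["state"] = ACCEPTED if resp["decision"] == "allow" else DENIED
        return rec["state"]

    def poll(self, message_id: str) -> str:
        """What the login flow polls for while it waits on the device."""
        return self.pending[message_id]["state"]


def app_respond(device_id: str, secret: bytes, push: dict, decision: str) -> dict:
    """Step 5: the authenticator app signs its answer with the device secret."""
    challenge = base64.b64decode(push["challenge"])
    return {"messageId": push["messageId"], "deviceId": device_id, "decision": decision,
            "mac": _mac(secret, push["messageId"], challenge, decision)}


def demo() -> dict:
    """Happy path plus each failure case; returns the server's verdict for each."""
    alice = {"device_id": "dev-alice-1", "secret": b"constructed-shared-secret-alice"}
    other_secret = b"constructed-secret-of-some-other-device"  # constructed sample
    srv = PushServer({"alice": alice})
    out = {}

    push = srv.start_push("alice", now=1000)
    good = app_respond(alice["device_id"], alice["secret"], push, "allow")
    out["accepted"] = srv.receive_response(good, now=1010)
    out["polled"] = srv.poll(push["messageId"])
    out["replay"] = srv.receive_response(good, now=1020)

    push = srv.start_push("alice", now=2000)
    flipped = dict(app_respond(alice["device_id"], alice["secret"], push, "deny"), decision="allow")
    out["flipped"] = srv.receive_response(flipped, now=2005)

    push = srv.start_push("alice", now=3000)
    forged = app_respond(alice["device_id"], other_secret, push, "allow")
    out["forged"] = srv.receive_response(forged, now=3005)

    push = srv.start_push("alice", now=4000)
    stranger = app_respond("dev-other-9", other_secret, push, "allow")
    out["wrong_device"] = srv.receive_response(stranger, now=4005)

    push = srv.start_push("alice", now=5000)
    late = app_respond(alice["device_id"], alice["secret"], push, "allow")
    out["expired"] = srv.receive_response(late, now=5000 + 121)

    out["unregistered"] = srv.start_push("bob", now=6000)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The pending record is consumed on first use and the MAC covers the message ID, the challenge and the decision together, so neither a captured "allow" nor a "deny" rewritten as "allow" can be replayed or reused against a later message. The time check runs before the MAC check on purpose: a stale record is rejected without spending a comparison on it.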

The following table summarizes the tasks you need to perform to implement Push authentication in your environment:

Task                       Resources

Configure Authentication   If you are planning to implement passwordless push authentication, see also Limitations When Using Passwordless Push Authentication.

Test Push Authentication   After configuring AM, download the ForgeRock Authenticator app and test your configuration.