MFA: Authenticate using push notification
You can use push notifications as part of the authentication process.
To receive push notifications when authenticating, end users must register an Android or iOS device with Identity Cloud. The registered device can then be used as an additional factor when authenticating. Identity Cloud can send the device a push notification, which can be accepted by the ForgeRock Authenticator app. In the app, the user can allow or deny the request that generated the push notification and return the response to Identity Cloud.
The following steps occur as a user completes a push notification journey:
The user provides credentials to let Identity Cloud locate the user profile and determine if they have a registered mobile device.
Identity Cloud prompts the user to register a mobile device if they have not done so already.
The user registers their device through the ForgeRock Authenticator app. The app supports a variety of methods to respond to push notifications from tapping a button to biometrics if the device supports them.
Registering a device stores device metadata in the user profile that is required for push notifications. Identity Cloud uses the configured ForgeRock Authenticator (Push) service, which supports encrypting the metadata.
For more information, refer to Manage devices for MFA.
When the user has a registered device, Identity Cloud creates a push message specific to the device.
The message has a unique ID that Identity Cloud stores while waiting for the response.
Identity Cloud writes a pending record with the same message ID to the CTS store for redundancy should an individual server go offline during the authentication process.
Identity Cloud sends the push message to the registered device, using the configured push notification service.
Depending on the registered device, Identity Cloud uses either Apple Push Notification Services (APNS) or Google Cloud Messaging (GCM) to deliver the message.
Identity Cloud begins to poll the CTS for an accepted response from the registered device.
The user responds to the notification through the ForgeRock Authenticator app on the device, for example, approving or rejecting the notification.
The app responds to the push notification message with the user’s choice.
Identity Cloud verifies the message is from the correct registered device and has not been tampered with, and marks the pending record as accepted if valid.
Identity Cloud detects the accepted record and redirects the user to their profile page, completing the authentication.
The following table summarizes the tasks to perform to implement push authentication in your environment:
If you are planning to implement passwordless push authentication, see also Limitations of passwordless push authentication.
Test push authentication
After configuring the ForgeRock Authenticator (Push) service, the push notification service, and a push authentication journey, download the ForgeRock Authenticator app and test your configuration.