Orchestration SDKs

Integrating with Push MFA auth journeys

PingOne Advanced Identity Cloud PingAM Android iOS

Push authentication uses standard mobile push notifications as an extra factor in the sign-in flow. When a user tries to log in, the server sends a secure, time-limited notification to their registered device.

An app built using the Push module on that device displays the request and lets the user approve or deny it, often with additional challenges such as number matching or biometrics.

This approach is useful because it strengthens authentication while keeping friction low. The server can tie each push to a specific device, user, and transaction, and can embed context such as location or client details to help users spot suspicious activity.

Introducing Push notifications

Figure 1. Overview of Push notifications in Advanced Identity Cloud or PingAM

The following steps occur as a user completes a push notification journey:

  1. The user opens the client application, or attempts to access a protected resource.

  2. The app starts a journey on the server, and the user enters their credentials.

  3. The server gets the details of the user’s registered push-enabled device, including the unique device token.

  4. The server makes a request to the AWS Push Notification Service to contact the device, passing in the device token and other metadata about the device.

  5. AWS uses either Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) to deliver the message, depending on the operating system of the registered device.

  6. The Push module in the client application handles the incoming notification and requests a response from the user.

  7. The user accepts or rejects the notification, and the client sends the response back to the server.

  8. The server checks the user's response and verifies that it came from the correct device.

  9. The server continues the journey.
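
The server-side checks in step 8, with the time limit and the binding to device, user, and transaction described earlier, shown as an added example that is not Advanced Identity Cloud, PingAM, or SDK code. It assumes a per-device HMAC secret shared at registration; `PushVerifier`, `PendingPush`, `response_mac`, the 120-second window, and the result strings are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TTL_SECONDS = 120  # assumed validity window for one push request

@dataclass
class PendingPush:  # hypothetical server-side record, one per notification
    user: str
    device_id: str
    transaction: str
    challenge: bytes
    expires_at: float
    used: bool = False

def response_mac(key, challenge, transaction, approved):
    """Device side: MAC over the decision, the challenge and the transaction."""
    msg = (b"\x01" if approved else b"\x00") + challenge + transaction.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class PushVerifier:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> secret shared at registration (assumed)
        self.pending = {}               # message_id -> PendingPush

    def issue(self, user, device_id, transaction, now=None):
        """Steps 3-4: single-use challenge bound to user, device and transaction."""
        now = time.time() if now is None else now
        message_id = secrets.token_urlsafe(16)
        challenge = secrets.token_bytes(32)
        self.pending[message_id] = PendingPush(
            user, device_id, transaction, challenge, now + TTL_SECONDS)
        return message_id, challenge

    def verify(self, message_id, approved, mac, now=None):
        """Step 8: check freshness, single use, and which device answered."""
        now = time.time() if now is None else now
        push = self.pending.get(message_id)
        if push is None or push.used:
            return "rejected:unknown-or-replayed"
        if now > push.expires_at:
            return "rejected:expired"
        key = self.device_keys[push.device_id]
        expected = response_mac(key, push.challenge, push.transaction, approved)
        if not hmac.compare_digest(expected, mac):
            return "rejected:wrong-device-or-tampered"
        push.used = True
        return "approved" if approved else "denied"
```

A response signed with another device's key, or a deny MAC submitted as an approval, fails the MAC comparison; resubmitting a response that was already accepted is rejected as a replay.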