Access Management 7.3.1

MFA: Push authentication

You can use push notifications as part of the authentication process in AM.

To receive push notifications when authenticating, end users must register an Android or iOS device with AM. The registered device can then be used as an additional factor when authenticating to AM. AM can send the device a push notification, which can be accepted by the ForgeRock Authenticator app. In the app, the user can allow or deny the request that generated the push notification and return the response to AM.

About push

[Figure 1. Overview of Push Authentication: an example of the interaction between the ForgeRock Authenticator (Push) authentication module, AM services, and the ForgeRock Authenticator.]

The following steps occur as a user completes a push notification journey:

  1. The user provides credentials to enable AM to locate the user profile and determine if they have a registered mobile device.

  2. AM prompts the user to register a mobile device if they have not done so already.

    The user registers their device through the ForgeRock Authenticator application. The application supports a variety of methods to respond to push notifications, from tapping a button to biometrics, if the device supports them.

    Registering a device stores device metadata in the user profile that is required for push notifications. AM uses the configured ForgeRock Authenticator (Push) service, which supports encrypting the metadata.

    For more information, refer to Manage devices for MFA.

  3. Once the user has a registered device, AM creates a push message specific to the device.

    The message has a unique ID that AM stores while waiting for the response.

    AM writes a pending record with the same message ID to the CTS store for redundancy should an individual server go offline during the authentication process.

  4. AM sends the push message to the registered device.

    AM delivers the message through the configured push notification service.

    Depending on the registered device, AM uses either Apple Push Notification Services (APNS) or Google Cloud Messaging (GCM) to deliver the message.

    AM begins to poll the CTS for an accepted response from the registered device.

  5. The user responds to the notification through the ForgeRock Authenticator application on the device, for example, approving or rejecting the notification.

    The application responds to the push notification message with the user’s choice.

  6. AM verifies the message is from the correct registered device and has not been tampered with, and marks the pending record as accepted if valid.

    AM detects the accepted record and redirects the user to their profile page, completing the authentication.
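
The following is an added example, not AM code, that models steps 3 to 6: a pending record keyed by a unique message ID, a device response, and the checks made before the record is marked as accepted. The in-memory PushStore, the HMAC-SHA256 response tag, and the per-device shared secret are assumptions made for illustration; they are not AM's actual message format or CTS schema.

```python
import hashlib
import hmac
import secrets
import time

PENDING, ACCEPTED, DENIED = "PENDING", "ACCEPTED", "DENIED"


class PushStore:
    """Hypothetical in-memory stand-in for the pending records AM keeps in the CTS."""

    def __init__(self, ttl=120):
        self.ttl = ttl
        self.records = {}  # message_id -> record

    def create(self, device_id, device_secret, now=None):
        """Step 3: create a device-specific message with a unique ID."""
        now = time.time() if now is None else now
        message_id = secrets.token_urlsafe(16)
        challenge = secrets.token_bytes(32)
        self.records[message_id] = {
            "device_id": device_id, "secret": device_secret,
            "challenge": challenge, "expires": now + self.ttl, "state": PENDING,
        }
        return message_id, challenge

    def respond(self, message_id, device_id, decision, tag, now=None):
        """Step 6: record a response only if it is from the right device and intact."""
        now = time.time() if now is None else now
        rec = self.records.get(message_id)
        if rec is None or rec["state"] != PENDING or now > rec["expires"]:
            return False  # unknown ID, already answered (replay), or expired
        if device_id != rec["device_id"] or decision not in (ACCEPTED, DENIED):
            return False
        expected = sign(rec["secret"], message_id, rec["challenge"], decision)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key, or the decision was modified in transit
        rec["state"] = decision
        return True

    def poll(self, message_id):
        """Step 4: the state the server sees while polling for a response."""
        rec = self.records.get(message_id)
        return rec["state"] if rec else None


def sign(secret, message_id, challenge, decision):
    """Device side (assumed scheme): bind the decision to this message and challenge."""
    msg = message_id.encode() + b"|" + challenge + b"|" + decision.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()
```

Binding the decision into the tag means a response signed for a denial cannot be replayed as an approval, and a record that has left the pending state rejects any second response.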

Implement push

The following table summarizes the tasks to perform to implement push authentication in your environment:

Task: Configure authentication
Resources: ForgeRock recommends that you implement authentication trees. If you are planning to implement passwordless push authentication, also refer to Limitations when using passwordless push authentication.

Task: Test push authentication
Resources: After configuring AM, download the ForgeRock Authenticator application and test your configuration.