---
title: Push authentication journeys
description: Configure authentication journeys for passwordless authentication and to receive push notifications.
component: pingoneaic
page_id: pingoneaic:am-authentication:push-authentication-journeys
canonical_url: https://docs.pingidentity.com/pingoneaic/am-authentication/push-authentication-journeys.html
keywords: ["Authentication", "Multi-factor Authentication (MFA)", "Journeys", "Nodes & Trees"]
page_aliases: ["authentication-guide:authn-mfa-trees-push.adoc am-authentication:authn-mfa-trees-push.adoc"]
section_ids:
  auth-mfa-push-fr-auth-service: Configure the ForgeRock Authenticator (Push) service
  auth-mfa-push-notification-service: Configure the Push Notification service
  proc-authn-mfa-tree-push: Create a push authentication journey
  proc-authn-mfa-tree-push-passwordless: Create a passwordless authentication journey
---

# Push authentication journeys

Configure authentication journeys for passwordless authentication and to receive push notifications.

When configured for passwordless authentication, the authentication flow requires the user to enter their user ID, but not their password. A push notification is then sent to their registered device to complete authentication with the ForgeRock Authenticator app.

Before implementing passwordless push authentication, consider the [Limitations of passwordless push authentication](mfa-push-passwordless-limitations.html).

## Configure the ForgeRock Authenticator (Push) service

Configure the ForgeRock Authenticator (Push) service for the realm where you create the journey.

This service specifies the user profile attribute that stores registered device metadata.

1. Under Native Consoles > Access Management > Realms > *Realm Name*, click Services > Add a Service.

2. Select ForgeRock Authenticator (Push) Service in the service type drop-down list, and create the new service configuration.

3. Accept the default configuration unless you must encrypt the device metadata in user profiles:

   * Profile Storage Attribute

     `pushDeviceProfiles` (default)

   * Device Profile Encryption Scheme

     If you choose an encryption scheme, also edit the settings to access the keys.

     For details, read [Use ESVs for signing and encryption keys](../tenants/esvs-signing-encryption.html).

     Default: `No encryption of device settings.`

   * ForgeRock Authenticator (Push) Device Skippable Attribute Name

     `push2faEnabled` (default)

     For details, read the reference documentation, [ForgeRock Authenticator (Push) Service](../am-reference/services-configuration.html#realm-authenticatorpushservice).

## Configure the Push Notification service

Under Native Consoles > Access Management, configure the Push Notification service for the realm.

> Advanced Identity Cloud uses an external AWS service to send push notifications. Its configuration requires access keys and other metadata. As a Ping Identity customer, you have streamlined access to the required metadata:
>
> Before you start, log in to [Backstage](https://backstage.pingidentity.com), then follow the instructions in [How To Configure Service Credentials (Push Auth, Docker) in Backstage](https://backstage.pingidentity.com/knowledge/backstagehelp/article/a92326771). Download the AWS credential data in JSON format and refer to it as you configure the service.

1. Under Native Consoles > Access Management > Realms > *Realm Name*, click Services > Add a Service.

2. Select Push Notification Service in the service type drop-down list.

3. Update the following fields with the data you generated on Backstage, then create the new service configuration:

   * SNS Access Key ID

     The generated Key ID; the `"accessKeyId"` in the JSON

   * SNS Access Key Secret

     The generated Secret; the `"accessKeySecret"` in the JSON

   * SNS Endpoint for APNS

     The generated APNS; the `"APNS"` in the JSON

   * SNS Endpoint for GCM

     The generated GCM; the `"GCM"` in the JSON

   You can also store the Access Key Secret in a secret store. Learn more in the [Push Notification Service](../am-reference/services-configuration.html#realm-pushnotification) reference.

> If you update the AWS credential data in your Push Notification Service, you must [re-register all end user devices](authn-mfa-reset-devices.html) to obtain the new settings. Devices registered with the old AWS data will encounter authorization errors if they're not re-registered.

## Create a push authentication journey

The procedure assumes the following:

* Users provide user IDs and passwords as the first step of multi-factor authentication (MFA).

* Advanced Identity Cloud sends the push notification to the device as an additional factor to complete authentication.

* You have prepared the prerequisite services, described in [Configure the ForgeRock Authenticator (Push) service](#auth-mfa-push-fr-auth-service) and [Configure the Push Notification service](#auth-mfa-push-notification-service).

1. In the Advanced Identity Cloud admin console, create a custom journey for push notification.

   Learn more in [Custom journeys](../journeys/journeys.html#custom-journey).

2. Add the following nodes to your journey:

   * [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html)

   * [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html)

   * [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html)

   * [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html)

   * [Device Profile Collector node](https://docs.pingidentity.com/auth-node-ref/latest/device-profile-collector.html)

   * [Push Sender node](https://docs.pingidentity.com/auth-node-ref/latest/push-sender.html)

   * [Push Wait node](https://docs.pingidentity.com/auth-node-ref/latest/push-wait.html)

   * [Push Result Verifier node](https://docs.pingidentity.com/auth-node-ref/latest/push-result-verifier.html)

   * [Recovery Code Collector Decision node](https://docs.pingidentity.com/auth-node-ref/latest/recovery-code-collector-decision.html)

   * [Retry Limit Decision node](https://docs.pingidentity.com/auth-node-ref/latest/retry-limit-decision.html)

   * [MFA Registration Options node](https://docs.pingidentity.com/auth-node-ref/latest/mfa-registration-options.html)

   * [Push Registration node](https://docs.pingidentity.com/auth-node-ref/latest/push-registration.html)

   * [Recovery Code Display node](https://docs.pingidentity.com/auth-node-ref/latest/recovery-code-display.html)

   * [Get Authenticator App node](https://docs.pingidentity.com/auth-node-ref/latest/get-authenticator-app.html)

   * [Opt-out Multi-Factor Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/opt-out-multi-factor.html)

3. Connect the nodes as demonstrated in the following figure:

   ![Example push authentication journey](_images/push-nodes-example.png)

   Figure 1. Example Push Authentication Journey

   **List of node connections**

   | Source node | Outcome path | Target node |
   | --- | --- | --- |
   | Page Node containing Platform Username and Platform Password | → | Data Store Decision |
   | Data Store Decision | True | Device Profile Collector |
   |  | False | Failure |
   | Device Profile Collector | → | Push Sender |
   | Push Sender | Sent | Push Wait |
   |  | Not Registered | MFA Registration Options |
   |  | Skipped | Success |
   | Push Wait | Done | Push Result Verifier |
   |  | Exit | Recovery Code Collector Decision |
   | Push Result Verifier | Success | Success |
   |  | Failure | Failure |
   |  | Expired | Push Sender |
   |  | Waiting | Push Wait |
   | MFA Registration Options | Register | Push Registration |
   |  | Get App | Get Authenticator App |
   |  | Skip | Success |
   |  | Opt-out | Opt-out Multi-Factor Authentication |
   | Recovery Code Collector Decision | True | Success |
   |  | False | Retry Limit Decision |
   | Push Registration | Success | Recovery Code Display Node |
   |  | Failure | Failure |
   |  | Time Out | MFA Registration Options |
   | Get Authenticator App | → | MFA Registration Options |
   | Opt-out Multi-Factor Authentication | → | Success |
   | Retry Limit Decision | Retry | Recovery Code Collector Decision |
   |  | Reject | Failure |
   | Recovery Code Display Node | → | Push Sender |

4. Save your changes.

5. Test your authentication journey as follows:

   1. Copy and paste the Preview URL into a browser in incognito mode.

      A login screen prompting you to enter your user ID and password appears.

   2. Verify that you can use an authenticator app to perform MFA.

      If the authentication journey is correctly configured, authentication is successful and Advanced Identity Cloud displays the user profile page.

      Learn more in [Test push authentication](mfa-authenticating-push.html).
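The node connections from the table in step 3, transcribed as data for two review checks that are an added example here, not code from the page or from Advanced Identity Cloud: that every outcome path ends at a wired node or at Success/Failure, and which outcome sequences reach Success without ever passing the Push Result Verifier node. Node names come from the table; "Page Node" as the entry node is an assumption made for the walk.

```python
# Node connections transcribed from the table on this page: (source, outcome, target).
CONNECTIONS = [
    ("Page Node", "→", "Data Store Decision"),
    ("Data Store Decision", "True", "Device Profile Collector"),
    ("Data Store Decision", "False", "Failure"),
    ("Device Profile Collector", "→", "Push Sender"),
    ("Push Sender", "Sent", "Push Wait"),
    ("Push Sender", "Not Registered", "MFA Registration Options"),
    ("Push Sender", "Skipped", "Success"),
    ("Push Wait", "Done", "Push Result Verifier"),
    ("Push Wait", "Exit", "Recovery Code Collector Decision"),
    ("Push Result Verifier", "Success", "Success"),
    ("Push Result Verifier", "Failure", "Failure"),
    ("Push Result Verifier", "Expired", "Push Sender"),
    ("Push Result Verifier", "Waiting", "Push Wait"),
    ("MFA Registration Options", "Register", "Push Registration"),
    ("MFA Registration Options", "Get App", "Get Authenticator App"),
    ("MFA Registration Options", "Skip", "Success"),
    ("MFA Registration Options", "Opt-out", "Opt-out Multi-Factor Authentication"),
    ("Recovery Code Collector Decision", "True", "Success"),
    ("Recovery Code Collector Decision", "False", "Retry Limit Decision"),
    ("Push Registration", "Success", "Recovery Code Display Node"),
    ("Push Registration", "Failure", "Failure"),
    ("Push Registration", "Time Out", "MFA Registration Options"),
    ("Get Authenticator App", "→", "MFA Registration Options"),
    ("Opt-out Multi-Factor Authentication", "→", "Success"),
    ("Retry Limit Decision", "Retry", "Recovery Code Collector Decision"),
    ("Retry Limit Decision", "Reject", "Failure"),
    ("Recovery Code Display Node", "→", "Push Sender"),
]
TERMINALS = {"Success", "Failure"}  # journey end states; every other target must be a wired node

def dangling_targets(connections=CONNECTIONS):
    # A target that is neither terminal nor a source node means an outcome leads nowhere.
    sources = {src for src, _, _ in connections}
    return sorted({dst for _, _, dst in connections} - sources - TERMINALS)

def success_paths_bypassing(node, start="Page Node", connections=CONNECTIONS):
    # Outcome sequences from `start` to Success that never visit `node` (loops are cut).
    edges = {}
    for src, out, dst in connections:
        edges.setdefault(src, []).append((out, dst))
    def walk(cur, seen):
        for out, dst in edges.get(cur, []):
            if dst == "Success":
                yield [out]
            elif dst != node and dst not in TERMINALS | seen:
                for rest in walk(dst, seen | {dst}):
                    yield [out] + rest
    return list(walk(start, {start}))
```

Running `success_paths_bypassing("Push Result Verifier")` lists the Skipped, Skip, Opt-out and recovery-code routes, which are exactly the outcomes whose availability the skippable attribute and the MFA Registration Options node control; re-run it after any journey change to confirm no new route to Success was added.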

## Create a passwordless authentication journey

The procedure assumes the following:

* Users provide only their user IDs as the first step of MFA.

* Users have pre-registered a device for push authentication.

* Advanced Identity Cloud sends the push notification to the device as an additional factor to complete authentication, without needing the user's password.

* You have prepared the prerequisite services, described in [Configure the ForgeRock Authenticator (Push) service](#auth-mfa-push-fr-auth-service) and [Configure the Push Notification service](#auth-mfa-push-notification-service).

1. In the Advanced Identity Cloud admin console, create a custom journey for push notification.

   Learn more in [Custom journeys](../journeys/journeys.html#custom-journey).

2. Add the following nodes to your journey:

   * [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html)

   * [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html)

   * [Push Sender node](https://docs.pingidentity.com/auth-node-ref/latest/push-sender.html)

   * [Push Result Verifier node](https://docs.pingidentity.com/auth-node-ref/latest/push-result-verifier.html)

   * [Polling Wait node](https://docs.pingidentity.com/auth-node-ref/latest/polling-wait.html)

3. Connect the nodes as demonstrated in the following figure:

   ![An authentication journey setup for passwordless push authentication.](_images/passwordless-auth-tree-platform.png)

   Figure 2. Passwordless Push Authentication Example

4. Save your changes.

5. Test your authentication journey as follows:

   1. Copy and paste the Preview URL into a browser in incognito mode.

      A login screen appears, prompting you to enter your user ID.

   2. Verify that you can use an authenticator app to perform MFA.

      If the authentication journey is correctly configured, authentication is successful and Advanced Identity Cloud displays the user profile page without the user entering their password.

      Learn more in [Test push authentication](mfa-authenticating-push.html).
