Limitations of passwordless push authentication
When authenticating to a passwordless push authentication journey, the user enters their user ID, but not their password. PingOne Advanced Identity Cloud sends a push notification to their device to complete the authentication.
Be aware of the following limitations when you implement passwordless push authentication:
-
Unsolicited push messages can be sent to a user’s registered device by anyone who knows (or is able to guess) their user ID.
-
If a malicious user attempts to authenticate by using push at the same time as a legitimate user, the legitimate user might unintentionally approve the malicious attempt. This is because push notifications only contain the username and issuer in the text, and it’s not easy to determine which notification relates to which authentication attempt.
Consider using push notifications as part of MFA, and not on their own.