There is often a trade-off between the convenience of an authentication system and the strength of security around it. Oftentimes, the stronger the security, the more tedious it can be for the end user. But now that (almost) everyone has a smartphone, can we somehow use this magical device as an authenticator?
The mid-year release of the ForgeRock Identity Platform introduced some exciting new Access Management technology, namely Push Authentication. When a user wants to login, they simply identify themselves (e.g. username or email) and the system sends them a Push Notification message asking if they want to authorize the login. This message is fielded by the ForgeRock Authenticator App (iPhone or Android) and the user can use swipe or TouchId to agree to the authentication attempt, or Cancel to deny it. Cool stuff, let’s check it out…
We’ll look at:
- The User experience of logging in using Push Auth
- The Architecture underpinning this
- The Admin experience of setting this up
- Customizing the experience
Using the ForgeRock Authenticator app on your phone you can scan this to create an account for that IDP…
- The user on their primary device (say laptop, but could be phone too, see later);
- The ForgeRock AM server;
- The Push Service in the Cloud;
- The phone.
- ForgeRock Access Management (AM) version 13.5;
- We’ll create 2 new authentication module instances
- ForgeRock Authenticator (Push) Registration – used to link phone to account;
- ForgeRock Authenticator (Push) – used when logging in;
- We’ll create a new realm-based Push Notification Service – this is how AM talks to the Cloud push service;
Authentication Modules and Chains
First, in the AM Admin Console, create the 2 new authentication modules (let’s call them Push-Reg and Push-Auth) and use the default values….
Push Notification Service
Customizing the IDPs
Say you now want to customize the IDP to have your corporate logo and colorscheme.
Return to the Push-Reg Auth Module and you’ll see that you can configure Issuer Name, background color and Logo. And in the Push-Auth Module you can tailor the message that is presented to the user. This all means that on your phone you can deliver an experience like this….
This was a simple “getting you going” blog entry.
In internet facing deployments you may want to use more of the capability of AM’s Authentication Chains to use Push as a super-easy 2FA offering, or if you want to deliver a Passwordless experience, put more intelligence around detecting the identity of the user attempting to login to prevent unsolicited Push messages being sent to a user.