Using Push Notifications for Passwordless Authentication and Easy MFA

There is often a trade-off between the convenience of an authentication system and the strength of security around it. Oftentimes, the stronger the security, the more tedious it can be for the end user. But now that (almost) everyone has a smartphone, can we somehow use this magical device as an authenticator?

The mid-year release of the ForgeRock Identity Platform introduced some exciting new Access Management technology, namely Push Authentication. When a user wants to log in, they simply identify themselves (e.g. username or email) and the system sends them a Push Notification message asking if they want to authorize the login. This message is fielded by the ForgeRock Authenticator App (iPhone or Android) and the user can use swipe or Touch ID to agree to the authentication attempt, or Cancel to deny it. Cool stuff, let’s check it out…

We’ll look at:

  • The User experience of logging in using Push Auth
  • The Architecture underpinning this
  • The Admin experience of setting this up
  • Customizing the experience

User Experience

Before you can use Push you’ll need to register your phone to your account, so you’ll typically log in the traditional way…


…before being presented with a QR code…



Using the ForgeRock Authenticator app on your phone you can scan this to create an account for that IDP…


Now when the user wants to log in, they can simply enter their username…


…and their phone buzzes and displays something like this…


The user decides if this is a login attempt by them and, if so, uses Touch ID (or swipe if Touch ID is not present or enabled) to get logged in.

The Architecture

The players in this dance are:
  1. The user on their primary device (say laptop, but could be phone too, see later);
  2. The ForgeRock AM server;
  3. The Push Service in the Cloud;
  4. The phone.
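
To make the dance between these four players concrete, here is an added, constructed model of the exchange: registration via a QR payload, the push prompt, the phone's signed approve/deny reply, and the login page polling for the outcome. It is illustration only, not ForgeRock's protocol or code: the QR payload format, the HMAC challenge/response, the 120 second timeout, the usernames and the device token are all assumptions. It also shows the checks a defender wants in such a flow: a reply without the registered secret is rejected, a late reply expires, and an unregistered username still produces a pending request so the login page cannot be used to enumerate accounts.

```python
# Constructed model of the push login exchange between the four players above.
# Not ForgeRock's protocol or code: QR payload format, HMAC challenge/response,
# the 120 s timeout, usernames and device tokens are all assumptions.
import base64
import hashlib
import hmac
import json
import secrets


class PushService:
    """Stand-in for the cloud push service: one message queue per device token."""
    def __init__(self):
        self.inbox, self.sent = {}, 0
    def send(self, device_token, message):
        self.inbox.setdefault(device_token, []).append(message)
        self.sent += 1
    def receive(self, device_token):
        return self.inbox[device_token].pop(0)


class Phone:
    """The authenticator app: one shared secret per issuer, stored when a QR code is scanned."""
    def __init__(self, device_token):
        self.device_token, self.accounts = device_token, {}
    def scan_qr(self, qr_payload):
        data = json.loads(qr_payload)
        self.accounts[data["issuer"]] = base64.b64decode(data["secret"])
    def respond(self, msg, approve):
        # The decision is bound to this challenge and authenticated with the registered
        # secret, so a reply cannot be forged or replayed against another login.
        decision = "approve" if approve else "deny"
        mac = hmac.new(self.accounts[msg["issuer"]], f"{msg['challenge']}:{decision}".encode(),
                       hashlib.sha256).hexdigest()
        return {"challenge": msg["challenge"], "decision": decision, "mac": mac}


class AMServer:
    """Stand-in for AM: the Push-Reg step (register_device) and the Push-Auth step (the rest)."""
    def __init__(self, push, issuer="Example Corp", timeout=120):
        self.push, self.issuer, self.timeout = push, issuer, timeout
        self.users = {}    # username -> {"secret", "device_token"}
        self.pending = {}  # challenge -> {"username", "expires", "state"}
    def register_device(self, username, device_token):
        secret = secrets.token_bytes(32)
        self.users[username] = {"secret": secret, "device_token": device_token}
        return json.dumps({"issuer": self.issuer, "secret": base64.b64encode(secret).decode()})
    def start_login(self, username, now):
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = {"username": username, "expires": now + self.timeout, "state": "pending"}
        user = self.users.get(username)
        if user:  # unknown names still get a pending entry, so callers cannot enumerate usernames
            self.push.send(user["device_token"],
                           {"issuer": self.issuer, "challenge": challenge, "text": f"Login as {username}?"})
        return challenge
    def submit_response(self, response, now):
        req = self.pending.get(response["challenge"])
        if req is None or req["state"] != "pending":
            return False
        if now > req["expires"]:
            req["state"] = "expired"
            return False
        user = self.users.get(req["username"])
        if user is None:
            return False
        expected = hmac.new(user["secret"], f"{response['challenge']}:{response['decision']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            return False
        req["state"] = "approved" if response["decision"] == "approve" else "denied"
        return True
    def poll(self, challenge, now):
        """What the login page on the primary device asks while it waits for the phone."""
        req = self.pending.get(challenge)
        if req is None:
            return "unknown"
        if req["state"] == "pending" and now > req["expires"]:
            req["state"] = "expired"
        return req["state"]


def run_demo():
    """Approval, denial, a forged reply, a late reply and an unregistered username."""
    push, r = PushService(), {}
    am, phone = AMServer(push), Phone("device-token-1")  # constructed token
    phone.scan_qr(am.register_device("alice", phone.device_token))  # the registration step
    c1 = am.start_login("alice", now=1000)
    am.submit_response(phone.respond(push.receive(phone.device_token), approve=True), now=1005)
    r["approved"] = am.poll(c1, now=1006)
    c2 = am.start_login("alice", now=2000)
    am.submit_response(phone.respond(push.receive(phone.device_token), approve=False), now=2003)
    r["denied"] = am.poll(c2, now=2004)
    c3 = am.start_login("alice", now=3000)
    push.receive(phone.device_token)  # prompt ignored; a reply without the secret is sent instead
    r["forged_accepted"] = am.submit_response({"challenge": c3, "decision": "approve", "mac": "00" * 32}, now=3001)
    r["forged"] = am.poll(c3, now=3002)
    c4 = am.start_login("alice", now=4000)
    late = phone.respond(push.receive(phone.device_token), approve=True)
    am.submit_response(late, now=4121)  # one second past the timeout
    r["expired"] = am.poll(c4, now=4122)
    c5 = am.start_login("mallory", now=5000)  # not registered: no push goes out
    r["unknown_user"], r["pushes_sent"] = am.poll(c5, now=5001), push.sent
    return r
```

Calling run_demo() walks through all five cases; the primary device only ever learns the state of its own challenge, and the phone only ever proves possession of the secret it stored at registration time.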


How to set it up (The administrator’s experience)

To set this up we’ll need:
  • ForgeRock Access Management (AM) version 13.5;
  • We’ll create 2 new authentication module instances
    • ForgeRock Authenticator (Push) Registration – used to link phone to account;
    • ForgeRock Authenticator (Push) – used when logging in;
  • We’ll create a new realm-based Push Notification Service – this is how AM talks to the Cloud push service;

Authentication Modules and Chains


First, in the AM Admin Console, create the 2 new authentication modules (let’s call them Push-Reg and Push-Auth) and use the default values…


They will look something like this…


Now create 2 Authentication Chains, also called Push-Auth and Push-Reg.

For Push-Reg we’ll use a simple Datastore (username/password) module, to identify the user during registration, followed by the Push-Reg Authentication module…


and to keep things simple, let’s just use the Push-Auth module in the Push-Auth chain…


So now we have 2 new chains…


At this point you can test these chains out by visiting
<deployment-url>/XUI/#login/&service=Push-Auth
where Push-Auth is the chain name.
But this won’t work yet because we need to tell AM how to send Push Notifications by creating the Push Notification Service.


Push Notification Service

The Admin Console has changed a bit in 13.5 in the Services area and is now much easier to configure. First, create a New Service of type Push Notification Service…


Once created, we want to configure this. This is slightly tricky but not too hard for people who have read this far ;-)


At the time of writing, ForgeRock use AWS Simple Notification Service for sending Push Notifications to Android and Apple phones. And ForgeRock have provided a convenient way for customers to generate credentials to configure this Service.


Go to Backstage, log in and navigate to Projects. If you haven’t registered a Project before, create one, and also create an Environment within the Project. Then simply press the big button marked “Set Up Push Auth Credentials”.


This will generate some credentials which you can use to populate the Push Notification Service on your AM deployment.


Providing your phone can reach your AM server, your users should now be able to register and login using Push Notifications.

Customizing the IDPs

Say you now want to customize the IDP to have your corporate logo and color scheme.



Return to the Push-Reg Auth Module and you’ll see that you can configure Issuer Name, background color and Logo. And in the Push-Auth Module you can tailor the message that is presented to the user. This all means that on your phone you can deliver an experience like this…


Summary

This was a simple “getting you going” blog entry.

In internet-facing deployments you may want to use more of the capability of AM’s Authentication Chains: either use Push as a super-easy 2FA offering, or, if you want to deliver a passwordless experience, put more intelligence around detecting the identity of the user attempting to log in, so that unsolicited Push messages are not sent to a user.
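
One way to put that "more intelligence" in front of the push send, as an added, constructed example rather than anything from ForgeRock or this post: a small policy that only lets a push go out once some earlier step in the chain has identified the user, caps the number of prompts per account in a time window, and backs off entirely for a while after the user presses Cancel. The limits, the cooldown length and the sample event stream are assumptions chosen for the illustration.

```python
# Constructed example of a policy gate in front of the push send, so a login page
# cannot be used to spam a user with prompts. Not ForgeRock code: the limits, the
# cooldown after a denial and the event stream below are assumptions.
from collections import deque


class PushSendPolicy:
    def __init__(self, max_per_window=3, window=300, deny_cooldown=900):
        self.max_per_window, self.window, self.deny_cooldown = max_per_window, window, deny_cooldown
        self.sent = {}           # username -> deque of timestamps of pushes sent
        self.blocked_until = {}  # username -> time before which no push is sent

    def record_denial(self, username, now):
        # The user pressing Cancel is a strong signal that the attempt was not theirs:
        # pause prompts for that account and let the deny show up in the audit trail.
        self.blocked_until[username] = now + self.deny_cooldown

    def decide(self, username, now, identified):
        """Return (allowed, reason). `identified` is whatever earlier step in the chain
        established that this really is the user (password, device cookie, known network)."""
        if not identified:
            return False, "no prior identification"
        if self.blocked_until.get(username, 0) > now:
            return False, "cooldown after user denied a prompt"
        recent = self.sent.setdefault(username, deque())
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False, "rate limit"
        recent.append(now)
        return True, "push sent"


# Constructed sequence of login attempts and one denial, time in seconds.
SAMPLE_EVENTS = [
    {"type": "login", "user": "alice", "t": 0, "identified": True},
    {"type": "login", "user": "alice", "t": 30, "identified": True},
    {"type": "login", "user": "alice", "t": 60, "identified": True},
    {"type": "login", "user": "alice", "t": 90, "identified": True},    # fourth in 5 minutes
    {"type": "login", "user": "bob", "t": 100, "identified": False},    # nothing identifies the caller as bob
    {"type": "deny", "user": "alice", "t": 120},                         # alice pressed Cancel on her phone
    {"type": "login", "user": "alice", "t": 400, "identified": True},   # still inside the cooldown
    {"type": "login", "user": "alice", "t": 1100, "identified": True},  # cooldown over, window empty again
]


def replay_events(policy, events):
    """Feed events through the policy; returns (time, user, allowed, reason) per login attempt."""
    outcomes = []
    for ev in events:
        if ev["type"] == "deny":
            policy.record_denial(ev["user"], ev["t"])
        else:
            allowed, reason = policy.decide(ev["user"], ev["t"], ev["identified"])
            outcomes.append((ev["t"], ev["user"], allowed, reason))
    return outcomes


def run_demo():
    return replay_events(PushSendPolicy(), SAMPLE_EVENTS)
```

Running run_demo() shows the first three prompts going out, the fourth held back by the rate limit, bob's attempt refused for lack of any identifying signal, alice's post-denial attempt held during the cooldown, and a later attempt allowed again once both the cooldown and the window have cleared.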

This blog post by the Access Management product manager was first published @ thefatblokesings.blogspot.com, included here with permission.
