push notification for two factor authentication — variants

This topic contains 2 replies, has 3 voices, and was last updated by giacobbej@mail.montclair.edu 10 months, 1 week ago.


    Is it possible to implement two-factor authentication in the following manner, and which (open source, or otherwise) tools are recommended in this scenario?

    When trying to log on to a website (e.g. running on IIS, or on Apache HTTP Server, or both), after entering the userID and password, a Push Notification is sent to the user. The user receives this Push Notification by e-mail, or SMS, or some other method, and the user clicks on the link received. That the user clicked on the link from a validated source (e.g. the user’s phone) is now accepted by the website as second factor authenticated, and the user is allowed into the website without any additional action (i.e. instead of having to enter an OTP received via push notification, the user is validated and successfully logged in based on this mode of second factor). Which tools are best suited, keeping in mind that the majority of the applications may be using Active Directory for user authentication? Assume that it would be nice to set up a group policy for the mode by which the Push Notification is sent to the user – e.g. via e-mail for one group, via SMS for another, via a mobile app for the third group.

    • This topic was modified 10 months, 1 week ago by arnyt.

    Andy Cory

    The ForgeRock mobile app allows most of what you describe, coupled with out of the box authentication modules in OpenAM, suitably configured. OpenAM can use AD as an authentication data store.

    Push authentication, the ForgeRock app, connecting to AD are all covered (and easily found) in ForgeRock’s extensive documentation – that should cover most of your use-cases.



    We are in the early stages of a major ForgeRock IAMS implementation and are trying to wrap our heads around some of the functional differences between ForgeRock’s native 2fa features and DUO’s cloud service.

    One of the major differences that we’ve encountered so far (based on docs and research, not actual product testing on the ForgeRock side) is ForgeRock doesn’t seem to give the user a choice of how to do the 2nd factor at the time of authenticating. It is a per-user profile setting.

    Some examples to clarify.

    Let’s say the user has the following methods for doing the 2nd factor:

    1) Push notification to smart phone using app (DUO or ForgeRock Authenticator app)
    2) SMS/text of 6-digit code to user’s phone
    3) Email of 6-digit code to user’s personal email (ForgeRock feature, not a DUO feature)
    4) Voice call to user’s land line phone (DUO feature, not a ForgeRock feature)
    5) User enters one-time emergency code.

    In the DUO world, anytime a user needs to supply the 2nd factor they are presented with a DUO authentication page where they can select from #1, 2, 4, or 5 above. Depending on their situation at the time (i.e. cell phone dead, or left it at home) they can choose option 4 or 5.

    As I understand it, in the ForgeRock world options 1, 2, and 3 are controlled by the user’s profile settings in OpenAM and there is no option to select a different method (aside from option 5) at the time of authentication. Adding in that functionality would be a custom selection form inserted somewhere in the authentication chain in OpenAM and then following whatever notification path the user selects.

    Does anyone have experience with creating a custom user-selection page for the method of providing the 2nd factor?
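The server-side part of the flow both posts describe (a link or push sent after the password step, approval of the original session when it is acted on, with the delivery method chosen at login time from the user's enrolled channels), as an added example that is not code from this thread, from ForgeRock or from Duo. The user store, device id and URL are constructed assumptions; a real deployment would read the enrolled channels from the directory profile and deliver the link over the chosen channel.

```python
import secrets
import time

# Constructed sample data (assumption, not from the thread): one user with three
# enrolled second-factor channels; "app" holds the id an enrolled authenticator presents.
ENROLLED = {
    "alice": {"email": "alice@example.invalid", "sms": "+15550000000", "app": "device-123"},
}
CHALLENGE_TTL = 120  # seconds a pending approval link stays valid

pending = {}   # token -> pending challenge
approved = {}  # session_id -> user whose second factor was accepted

def start_login(session_id, user, method, now=None):
    """After password success, create a single-use challenge for the chosen
    channel. The method is picked at login time but limited to channels enrolled
    on the user's profile (the selection the third post asks about)."""
    channels = ENROLLED.get(user, {})
    if method not in channels:
        raise ValueError("method not enrolled for user")
    token = secrets.token_urlsafe(32)          # unguessable, fresh per attempt
    pending[token] = {"session": session_id, "user": user, "method": method,
                      "expires": (now or time.time()) + CHALLENGE_TTL}
    # The link would be sent via channels[method]; it is returned here for the demo.
    return f"https://login.example.invalid/approve?t={token}"

def approve(token, device_id=None, now=None):
    """Called when the link is opened or the app responds. Consumes the token on
    first use, rejects expired challenges and, for the app channel, approvals that
    do not come from the enrolled device. Success marks the ORIGINAL pending
    session as approved; the browser that opened the link is never logged in."""
    ch = pending.pop(token, None)              # pop => one use, even on failure
    if ch is None or (now or time.time()) > ch["expires"]:
        return False
    if ch["method"] == "app" and device_id != ENROLLED[ch["user"]]["app"]:
        return False
    approved[ch["session"]] = ch["user"]
    return True

def is_approved(session_id, user):
    """Polled by the waiting login page before it completes the session."""
    return approved.get(session_id) == user
```

A rejected or expired token is discarded rather than retried, so the user must restart the login to get a fresh challenge.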


