Skip to main content

Push notifications

Push messages on your branded Access App provide a quick and convenient way to securely authenticate your customers.

Login using push notification

Push notifications overview

With push messages, passwordless authentication is fast and effortless. At each transaction, your users get a smooth, transparent authentication flow with near-immediate feedback.

We recommend push notifications as an authentication method if the following are true for your business:

  • You want a low-effort, smooth authentication experience for your users.
  • You want authentication to be as quick as possible.
  • You do not want to invest in major technical development.

Your users can register any mobile device that runs the branded Access App as an authenticator. When authenticating a transaction, a push message is sent from your application, which is delivered by Apple and Google services to the user device. Tapping the notification opens the branded Access App, where the user can confirm the transaction using a PIN or biometrics.

Number matching

To add an extra layer of security to push authentication, you can enable the number matching feature through the REST API. The number matching feature adds an additional step to the push authentication flow. In this step, a random, two-digit code is displayed in the browser and the user must enter the matching code in the Access App. If they correctly match the codes, they can continue with approving the push authentication. Using the number matching feature can prevent accidentally approving a push message. For more information, see Number matching in the Access App documentation.

Push rate limiting

Push rate limiting is an optional feature that lets you set a limit to the number of push notifications that can be sent to user devices within 24 hours. Enabling this feature can help prevent push bombing attacks against user authenticators. If the limit is reached, the user and the affected authenticators become temporarily blocked, and thus cannot perform push authentication operations. You can manually unblock a user or a authenticator on the Management Console.

The default rate limit within 24 hours is 10. You can request custom a configuration as well.

caution

Do not expose your push rate limit details and configurations to your users. Exposing this information might pose a security risk.

Some information related to push rate limiting is available through HTTP responses. For more information, see the Approval endpoint documentation.

To enable the push rate limiting feature on your instance, contact the Support Team.

Registration and authentication flow

To get started, you need the following information available:

  • Instance ID
  • Access Key

For more information on the instance ID and the Access Key, see the API documentation.

To implement and use push notifications, see the instructions on the following pages:

  1. Register a mobile app
  2. Authenticate with push notifications

Push authentication relies on the settings and capabilities of the user device. In most cases, default device settings allow the messages to arrive to the Access App without issues. If you experience that push messages do not arrive to a registered authenticator, see the Troubleshooting Guide.

Read more about push notifications in the Push messages section of the Access App documentation.

You can format these messages with a few HTML tags. Read more about them in the Transaction confirmation section of the Access App documentation.