Push notifications
Push messages on your branded Access App provide a quick and convenient way to securely authenticate your customers.
Push notifications overview
With push messages, passwordless authentication is fast and effortless. At each transaction, your users get a smooth, transparent authentication flow with near-immediate feedback.
We recommend push notifications as an authentication method if the following are true for your business:
- You want a low-effort, smooth authentication experience for your users.
- You want authentication to be as quick as possible.
- You do not want to invest in major technical development.
Your users can register any mobile device that runs the branded Access App as an authenticator. When a transaction needs to be authenticated, your application sends a push message, which Apple and Google services deliver to the user device. Tapping the notification opens the branded Access App, where the user can confirm the transaction using a PIN or biometrics.
The use of push notifications on mobile devices is restricted in some locations. If you set push as the primary authentication method on your instance, we recommend that you configure a fallback method such as QR codes, to make sure that your users can always complete transactions.
Fetch ongoing operations
All generated push messages can also be fetched directly from a user device. This ensures that if the connection is intermittent, the network lags, or the push service is unavailable, users can always be provided with the request they generated. For more information, see the relevant sections in the documentation for Nevis Mobile Authentication SDK and nevisFIDO.
Number matching
To add an extra layer of security to push authentication, you can enable the number matching feature through the REST API. The number matching feature adds an additional step to the push authentication flow. In this step, a random, two-digit code is displayed in the browser and the user must enter the matching code in the Access App. If they correctly match the codes, they can continue with approving the push authentication. Using the number matching feature can prevent accidentally approving a push message. For more information, see Number matching in the Access App documentation.
Push rate limiting
Push rate limiting is an optional feature that lets you set a limit to the number of push notifications that can be sent to user devices within 24 hours. Enabling this feature can help prevent push bombing attacks against user authenticators. If the limit is reached, the user and the affected authenticators become temporarily blocked, and thus cannot perform push authentication operations. You can manually unblock a user or an authenticator on the Management Console.
The default rate limit within 24 hours is 10. You can request a custom configuration as well.
Do not expose your push rate limit details and configurations to your users. Exposing this information might pose a security risk.
Some information related to push rate limiting is available through HTTP responses. For more information, see the Approval endpoint documentation.
To enable the push rate limiting feature on your instance, contact the Support Team.
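The behaviour described in this section can be modelled in a few lines. The following is an added example, not code from the product or its documentation. It assumes a rolling 24-hour window counted per user and a block that expires one window after it is set, and the names `PushRateLimiter`, `public_response` and `simulate_burst` are hypothetical.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60  # from the page: the limit applies within 24 hours
DEFAULT_LIMIT = 10             # from the page: default rate limit


class PushRateLimiter:
    """Illustrative model only. Assumptions: rolling window, per-user counting,
    and a block that expires one window after it was set."""

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.sent = defaultdict(deque)  # user_id -> timestamps of sent pushes
        self.blocked = {}               # user_id -> time the block was set

    def request_push(self, user_id, now=None):
        """Return True if the push may be sent, False if the user is blocked."""
        now = time.time() if now is None else now
        blocked_at = self.blocked.get(user_id)
        if blocked_at is not None:
            if now - blocked_at < self.window:
                return False
            del self.blocked[user_id]  # assumed automatic expiry of the block
        stamps = self.sent[user_id]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()           # forget pushes older than the window
        stamps.append(now)
        if len(stamps) >= self.limit:  # limit reached: block further pushes
            self.blocked[user_id] = now
        return True

    def unblock(self, user_id):
        """Manual unblock, as an operator would do in the Management Console."""
        self.blocked.pop(user_id, None)
        self.sent.pop(user_id, None)


def public_response(allowed):
    """User-facing result: no counters, limits or block times are revealed."""
    return {"status": "sent" if allowed else "unavailable"}


def simulate_burst(limiter, user_id, count, start=0.0):
    """Constructed sample input: `count` push requests one second apart."""
    return [limiter.request_push(user_id, now=start + i) for i in range(count)]
```

With the default limit, a burst of twelve requests for one user sends ten pushes and refuses the last two, while other users are unaffected.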
Registration and authentication flow
To get started, you need the following information available:
- Instance ID
- Access Key
For more information on the instance ID and the Access Key, see the API documentation.
To implement and use push notifications, see the instructions on the following pages:
Push authentication relies on the settings and capabilities of the user device. In most cases, default device settings allow the messages to reach the Access App without issues. If push messages do not arrive at a registered authenticator, see the Troubleshooting Guide.
Read more about push notifications in the Push messages section of the Access App documentation.
You can format these messages with a few HTML tags. Read more about them in the Transaction confirmation section of the Access App documentation.