Version: 3.x.x RR (iOS)/ 3.x.x RR (Android)

Push message

Push notifications are the most convenient way of delivering information from the backend system to the mobile client application. The backend uses the Google Firebase Cloud Messaging service to send push messages to the client.

Prerequisites

  • The end user has agreed to receive push notifications.
  • The end user has registered their Access App on the Nevis Mobile Authentication backend.
  • On Android devices, the Google Play Services need to be available. The Google Play Services are preinstalled on most Android devices but may be missing on some vendor models, such as Huawei.

info

Push notifications cannot be used for the registration operation. This is because the push identifier is not known to the backend before the registration process is completed.

How it Works

Figure: Out-of-Band Operations with Push Messages

The example use case in the above figure shows how push notifications work during an authentication operation. Other operations behave very similarly, apart from who or what initiates the operation. The numbers in the figure correspond to the numbers in the description below.

  1. The end user starts a login.
  2. The Nevis Mobile Authentication Backend initiates an authentication, and sends a push message payload to a push provider.
  3. The push provider sends an encrypted push notification to the mobile device. The mobile application must handle the notification.
  4. The mobile application triggers the out-of-band authentication process with the SDK by providing the encrypted push notification.
  5. Once the mobile application has completed the out-of-band authentication process, the user is granted access to the protected endpoint, for example, a web application in a desktop browser.

Push notification content

The push notification content — specifically the dispatchInformation.notification.title — is what appears in the operating system notification drawer when a push message arrives. It serves only to inform the user that an action is required and to open the Access App.

The push notification does not carry the actual transaction or authentication details that the user sees inside the app. That content is provided separately through the FIDO UAF request and is delivered only after the app redeems the dispatched token.

caution

The push notification field (notification.title) is not encrypted and is visible to the push notification infrastructure (Firebase Cloud Messaging). Do not include sensitive information in this field.

The push message data payload, which carries the dispatch token, redeem URL, and optional custom data, is end-to-end encrypted between nevisFIDO and the device.

For information on how to provide content that the user sees inside the app during approval, see Push notification content vs. transaction confirmation content.
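
The caution above, as an added example (not Nevis code): a pre-dispatch check that a backend integration could run on the request body to keep account numbers, amounts and e-mail addresses out of `dispatchInformation.notification.title`. The rule set and the function names are assumptions of this example; only the field path comes from this page.

```python
import re

# Heuristic rules for data that should not appear in the unencrypted
# notification title. The rule set is an assumption of this example.
RULES = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2} ?(?:[A-Z0-9]{4} ?){2,7}[A-Z0-9]{0,3}\b"),
    "long_digit_run": re.compile(r"(?<!\d)(?:\d[ -]?){8,}"),
    "amount": re.compile(
        r"\b(?:chf|eur|usd|gbp)\s?\d|[$€£]\s?\d|\d\s?(?:chf|eur|usd|gbp)\b|\d\s?[$€£]",
        re.IGNORECASE,
    ),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def lint_notification_title(dispatch_request: dict) -> list[str]:
    """Return the names of the rules that the notification title violates."""
    info = dispatch_request.get("dispatchInformation") or {}
    title = (info.get("notification") or {}).get("title") or ""
    if not isinstance(title, str):
        return ["not_a_string"]
    return [name for name, pattern in RULES.items() if pattern.search(title)]


def require_safe_title(dispatch_request: dict) -> dict:
    """Gate to call before the request is sent to the backend."""
    findings = lint_notification_title(dispatch_request)
    if findings:
        raise ValueError(f"notification.title looks sensitive: {findings}")
    return dispatch_request


def sample_request(title):
    # Constructed sample body; only the title path comes from the page.
    return {"dispatchInformation": {"notification": {"title": title}}}


if __name__ == "__main__":
    for sample in ("Confirmation required",
                   "Approve CHF 1250.00 to jane@example.com",
                   "Transfer from CH93 0076 2011 6238 5295 7"):
        print(sample, "->", lint_notification_title(sample_request(sample)))
```

A title that trips a rule belongs in the content delivered through the FIDO UAF request, which the app shows only after it redeems the dispatched token.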

Preventing push-fatigue attacks

If you want to prevent push fatigue attacks, we recommend using push messages in combination with the number matching feature.
