Vol. 1 · Ed. 2026
CyberGlossary
Entry № 990

Push Authentication

Reviewed by Cybersecurity entrepreneur & security researcher

What is Push Authentication?

Push Authentication: An MFA method in which the identity provider sends a sign-in request to a trusted mobile app, which the user approves or denies with a tap.


Push authentication replaces typed one-time codes with an out-of-band approval prompt delivered through a vendor app such as Microsoft Authenticator, Duo, or Okta Verify. After the user enters a password, the IdP sends a push notification describing the login attempt; the app uses an asymmetric key bound to the device to sign the response when the user taps Approve. This is more user-friendly than TOTP but is vulnerable to MFA-fatigue attacks, where attackers spam prompts hoping the user accepts one by mistake. Modern implementations add number matching, geolocation context, and risk signals, and increasingly defer to FIDO2/passkeys for phishing-resistant flows.
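
Detection logic for the MFA-fatigue pattern described above, added here as an example and not taken from any vendor's product: it flags a user who receives a burst of denied or ignored prompts inside a sliding window, and raises a second alert when that burst ends in an approval. The event tuple format, the `timeout` result value, and the 10-minute / 5-prompt defaults are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real IdP logs): (ISO time, user, prompt result).
# "timeout" (prompt ignored) is an assumed result value alongside approve/deny.
EVENTS = [
    ("2026-01-10T02:00:05", "alice", "denied"),
    ("2026-01-10T02:00:40", "alice", "timeout"),
    ("2026-01-10T02:01:10", "alice", "denied"),
    ("2026-01-10T02:01:55", "alice", "timeout"),
    ("2026-01-10T02:02:30", "alice", "denied"),
    ("2026-01-10T02:03:02", "alice", "approved"),   # approval ends the burst
    ("2026-01-10T09:15:00", "bob", "approved"),     # ordinary sign-in
    ("2026-01-10T11:00:00", "carol", "timeout"),
    ("2026-01-10T11:00:30", "carol", "approved"),   # one miss, then approve
]

def detect_push_fatigue(events, window_s=600, threshold=5):
    """Return (user, time, kind, count) alerts for bursts of unapproved prompts."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:   # slide the window
            q.popleft()
        if result == "approved":
            # An approval right after a burst is the case to triage first.
            if len(q) >= threshold:
                alerts.append((user, ts, "approved_after_burst", len(q)))
            q.clear()
            in_burst.discard(user)
            continue
        q.append(now)
        if len(q) < threshold:
            in_burst.discard(user)
        elif user not in in_burst:         # alert once per burst, not per prompt
            in_burst.add(user)
            alerts.append((user, ts, "prompt_burst", len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the signal to revoke the session and reset the user's credentials; a `prompt_burst` alone already indicates that the password is known to someone else.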

Examples

  1. Approving an Okta Verify push prompt when signing in to a corporate SaaS app.

  2. Entering a displayed two-digit number in Microsoft Authenticator (number matching) to confirm a login.

Frequently asked questions

What is Push Authentication?

An MFA method in which the identity provider sends a sign-in request to a trusted mobile app, which the user approves or denies with a tap. It belongs to the Identity & Access category of cybersecurity.

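How do you defend against attacks on Push Authentication?

Defences for push authentication typically combine technical controls and operational practices. The full definition above names number matching, geolocation context, risk signals, and deferring to FIDO2/passkeys for phishing-resistant flows.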

What are other names for Push Authentication?

Common alternative names include: Push MFA, Push notification authentication.
