Add Passwordless login with Push Notifications

Push notifications enable a secure and seamless passwordless authentication mechanism by allowing users to verify their identity with a simple tap on their registered mobile device. Instead of relying on traditional passwords or one-time passcodes, authentication requests are securely delivered via push notifications, ensuring real-time, user-friendly login.

This method enhances security by reducing the risk of phishing and credential-based attacks while offering a frictionless login experience. Users can authenticate from any trusted device with internet access, eliminating the need to remember or enter passwords.

To configure push notifications as a passwordless authentication mechanism in WSO2 Identity Server, follow the instructions below.

Prerequisites

Set up Push Notifications

WSO2 Identity Server has some default settings for Push Notifications, which are sufficient for most cases. If required, you can change the default settings, as explained below.

To update the default Push Notification settings:

  1. On the WSO2 Identity Server Console, go to Connections and select Push Notification.
  2. Update the following parameters in the Settings tab:

    Setup Push Notifications in WSO2 Identity Server

    Field: Description
    Enable number challenge: When enabled, users must confirm the number displayed in the application on their push authentication device to complete the sign in.
    Enable push notification device progressive enrollment: When enabled, users may enroll their devices for push authentication at the moment they log in to the application.
    Push notification resend interval: Specifies the time interval between resend attempts. Polling for the user's response to the push notification also ends once this timer completes.
    Allowed push notification resend attempts: The number of allowed push notification resend attempts. Once exceeded, the user will not be allowed to send any push notifications.

  3. Once you update the Push Notification settings, click Update.
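To see how these settings interact during a login, the following Python model of a single push login attempt is added here as an illustration; it is not WSO2 Identity Server code, and the class, the state names and the default values (60 seconds, 3 resends) are assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class PushLogin:
    """Model of one push login attempt (illustrative, not WSO2 code)."""
    number_challenge: bool = True   # "Enable number challenge"
    resend_interval: int = 60       # seconds; assumed value
    max_resends: int = 3            # assumed value
    sent_at: float = 0.0            # time the latest push was sent
    resends: int = 0
    state: str = "PENDING"
    number: int = field(default_factory=lambda: 10 + secrets.randbelow(90))

    def timer_done(self, now):
        return now - self.sent_at >= self.resend_interval

    def poll(self, now):
        """What the wait page sees; polling stops once the timer completes."""
        if self.state == "PENDING" and self.timer_done(now):
            return "POLLING_ENDED"
        return self.state

    def resend(self, now):
        """Allow a resend only after the interval and within the attempt cap."""
        if self.state != "PENDING" or not self.timer_done(now):
            return False
        if self.resends >= self.max_resends:
            self.state = "LOCKED"   # no further pushes for this attempt
            return False
        self.resends += 1
        self.sent_at = now
        return True

    def respond(self, now, approve, number=None):
        """Device response; an approval without the right number is rejected."""
        if self.state != "PENDING" or self.timer_done(now):
            return self.poll(now)   # late or repeated responses change nothing
        if approve and (not self.number_challenge or number == self.number):
            self.state = "APPROVED"
        else:
            self.state = "DENIED"
        return self.state
```

With the number challenge on, a tap on Approve alone is rejected, and the resend cap bounds how many prompts one login attempt can generate.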

Configuring Push Providers

To send push notifications from WSO2 Identity Server, you need to configure a Push Provider. WSO2 Identity Server supports Firebase Cloud Messaging (FCM) to send push notifications. With FCM, you can send push notifications to multiple platforms, including Android, iOS, and the web.

Note

Firebase Cloud Messaging can send push notifications to iOS devices through the Apple Push Notification service (APNs). However, you need to configure APNs separately to send push notifications to iOS devices. For more information, click here.

Follow the steps below to configure FCM as your Push Provider:

  1. On the WSO2 Identity Server Console, go to Notification Channels and select Push Providers.

    Notification channels page

  2. Upload the service-account.json file that you downloaded from Firebase when you created your Firebase project.

    Configure Firebase

  3. Click Update to save your changes.

    Update Push Provider

Enable push notifications login for an app

Follow the steps given below to enable Push Notification login for your application.

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Select the application to which you wish to add Push Notification.

  3. Go to the Login Flow tab of the application and add Push Notification from your preferred editor:

    1. Click + to add a second step to the login flow.

    2. Click Add Sign In Option, select Push Notification and click Add.

    3. Click Confirm to add login with push notifications to the sign-in flow.

      Configuring push notification login in WSO2 Identity Server

  4. Click Update to save your changes.

Enable push notification device progressive enrollment

This feature allows users to enroll their push notification devices seamlessly during the usual login flow, offering a blend of convenience and security. Follow the steps given below to enable Push Notification Devices progressive enrollment for your application.

  1. On the WSO2 Identity Server Console, go to Connections.

  2. Select the Push Notification connection.

  3. Go to the Settings tab of the connection.

  4. Select the Enable push notification device progressive enrollment checkbox.

    Enable push notification device progressive enrollment in WSO2 Identity Server

  5. Click Update to save your changes.

  6. Add the push notification device progressive enrollment adaptive script to the login flow of the application.

Note

Push notification device progressive enrollment can only be configured at the organizational level and cannot be modified at the application level.

Try out Push Notification passwordless login flow with a user already enrolled with a device

In this section, we will guide you through the steps to authenticate using Push Notification passwordless login with a user who has already enrolled a push notification device.

  1. Access the application URL.

  2. Click Login to access the WSO2 Identity Server login page.

  3. On the login page, enter your username and click Continue.

    Sign In with Push Notification in WSO2 Identity Server

    This action redirects you to the Push Notification Wait page.

    Push Notification Wait page

  4. You will receive a push notification on your registered device. Approve the authentication request from the registered device. The page shown below is displayed and polls for the user's response.

  5. Once you approve the authentication request, you will be successfully logged in to the application.

Try out Push Notification passwordless login flow with a user not enrolled with a device

In this section, we will guide you through the steps to authenticate using Push Notification passwordless login with a user who has not enrolled a push notification device when progressive enrollment is enabled.

  1. Access the application URL.

  2. Click Login to access the WSO2 Identity Server login page.

  3. On the login page, enter your username and click Continue.

  4. Since you have not enrolled a push notification device, you will be shown the following page to get your consent to enroll a push notification device. Click on Register to enroll a push notification device.

    Push Notification Device Enrollment Consent

  5. Since this authentication flow has not authenticated the user yet, you will be prompted to enter the password of the user account. This is to ensure that the user is the legitimate owner of the account.

    Push Notification Password Verification

  6. Click on Sign In to proceed.

  7. If authentication is successful, you will be shown the following page to scan the QR code using your Push Authenticator App to enroll your device. Once the device is enrolled successfully, check the checkbox and click Continue to proceed with the authentication.

    Push Notification Device Enrollment

  8. You will receive a push notification on your registered device. Approve the authentication request from the registered device.

  9. Once you approve the authentication request, you will be successfully logged in to the application.