Verify users by adding a secure “push” authentication method to your mobile apps.
A push authentication request displayed on a mobile device.
Push verification allows users to authenticate in a web browser by sending an authentication request to a mobile app.Push notifications are used to improve the UX by prompting users to open their app but they are not required for the method to work.
The authentication mechanism is based on public key cryptography where private keys are securely stored on the user’s mobile device and are used to sign messages which can be verified with the public key.The Mobile SDK is used in push verification for two key steps:
Enrolling a user for push verification by adding a credential in the mobile app. This step creates a new public/private key pair.
Responding to an authentication challenge in the mobile app by approving or denying it. This step uses the mobile device’s private key to sign a message which is verified on the server using the public key.
Enable push verification for your tenant and configure a webhook endpoint for sending push notifications to your app.
For more information on the payload which Authsignal sends to your webhook, refer to the webhook schema documentation for push.
This token will be used to authorize enrolling a new push authentication method on their mobile device.
The add:authenticators scope is required to enroll a new authentication factor for an existing user.
This scope should only be used when the user is in an already authenticated state.
For more information on using scopes safely refer to our documentation on authenticator binding.
In the browser, use our Web SDK to initiate a push challenge.
This will trigger a call to your webhook with the push event schema so that it can send the user a push notification.
Custom UI
Pre-built UI
Copy
Ask AI
// Set the token obtained from the track responseauthsignal.setToken(token);// Initiate the push challengeconst response = await authsignal.push.challenge();// Obtain a challenge ID to poll for the result in the next stepconst challengeId = response.data?.challengeId;
Then you can immediately start polling for the challenge result.
Copy
Ask AI
// Poll for the challenge resultconst { data, error } = await authsignal.push.verify({ challengeId });if (error || !data) { // Handle error} else if (!data.isConsumed) { // The challenge has not yet been consumed // Continue polling} else { // The challenge has been consumed // Stop polling and check if approved or rejected if (data.isVerified) { // Challenge has been approved // Obtain new token to send to backend to validate action const validationToken = data.token; } else { // Challenge has been rejected }}
Use the mobile SDK’s Get Challenge method to check if there is a pending challenge for the device.
Copy
Ask AI
let response = await authsignal.push.getChallenge()if let error = result.error { // The credential stored on the device is invalid} else if let challenge = result.data { // A pending challenge request is available // Present the user with a prompt to approve or deny the request let challengeId = challenge.challengeId} else { // No pending challenge request}
This check should be done when launching or foregrounding the app - either from a push notification or when opened manually - as well as when the app receives a push notification while it is already foregrounded.
If there is a pending challenge, present a dialog to allow the user to approve or reject the challenge.To approve or reject the challenge, use the mobile SDK’s Update Challenge method.
Once the challenge is approved, the polling request initiated in the web browser in step 2 will return a token that should be passed to your web browser app’s backend to validate the action in order to complete the authentication flow.
