Push Authentication
Push authentication lets users approve or deny login requests directly from their mobile device — no passwords, no one-time codes. When a login is attempted, LumoAuth sends a push notification to the user's enrolled device. The user reviews the request details and taps Approve or Deny.
How It Works
- The user enters their email on your login page
- LumoAuth sends a push notification to the user's enrolled device
- The user reviews the request (IP address, location, timestamp) and approves with biometrics or a PIN
- LumoAuth completes the login on the browser
If the user taps Deny, the login attempt is rejected and an audit event is recorded.
Enrolling a Device
Users enroll their mobile device from their account security settings.
As a User
- Open your account page at /account/security
- Find the Push Authentication section
- Click Enroll Device
- LumoAuth displays an activation code and QR code
- Open the LumoAuth Authenticator app on your phone
- Scan the QR code or enter the activation code manually
- Confirm enrollment — the device appears in your active devices list
Admin-Initiated Enrollment
Tenant admins can trigger an enrollment invitation for a specific user:
- Go to /t/{tenantSlug}/portal/users
- Open the user's profile
- Click Send Push Auth Activation
- LumoAuth emails the activation code to the user
Managing Enrolled Devices
Users can view and remove their enrolled devices from /account/security:
| Action | Description |
|---|---|
| View devices | See all enrolled devices with name, enrollment date, and last used |
| Remove device | Revoke a device immediately — future logins will not send a push to this device |
| Cancel enrollment | Cancel a pending enrollment before it is completed |
Enforcing Push Authentication
You can require push authentication for all users in your tenant:
- Go to /t/{tenantSlug}/portal/settings/authentication
- Enable Require Push Authentication
- Users without an enrolled device will be prompted to complete enrollment before they can sign in
Push authentication can coexist with TOTP or SMS-based MFA. When Require Push Authentication is enabled, it replaces the standard MFA code prompt with a push notification.
Enrollment Required Flow
When push authentication is required and a user has not yet enrolled, they are redirected to the enrollment page after login. They cannot access your application until they complete enrollment.
This flow ensures 100% adoption without requiring admin intervention for individual users.
Security Considerations
| Concern | Mitigation |
|---|---|
| Device compromise | Users can remove any enrolled device from their account settings; admins can revoke devices from the portal |
| Push notification phishing (MFA fatigue) | Requests include the source IP, browser, and location — users are encouraged to deny unexpected requests |
| Offline phone | If push delivery fails, the request times out; the user can fall back to other configured MFA methods |
| Lost device | Admins can reset push auth enrollment from the user management portal |
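The login flow described under How It Works and the mitigations in the table above, as an added example that is not LumoAuth's code: a hypothetical Python model of the server side in which every push challenge is single-use, bound to the enrolled device, presented with its IP/browser/location context, audited when the user taps Deny, and, once it times out, offers the user's other configured MFA methods. The 60-second timeout, the class and method names, and the injectable clock are all assumptions made for this example.

```python
import secrets
from dataclasses import dataclass

PUSH_TIMEOUT_SECONDS = 60  # assumed value; the page does not state the real timeout

@dataclass
class PushChallenge:
    user: str
    device_id: str
    context: dict   # IP, browser, location, timestamp shown on the phone
    created_at: float
    status: str = "pending"   # pending | approved | denied | expired

class PushAuthModel:   # hypothetical server-side model, not LumoAuth's code
    def __init__(self, enrolled, fallback_mfa, clock):
        self.enrolled = enrolled          # user -> enrolled device id
        self.fallback_mfa = fallback_mfa  # user -> other configured MFA methods
        self.clock = clock                # injectable time source (seconds)
        self.challenges, self.audit_log = {}, []

    def _expired(self, ch):
        if ch.status == "pending" and self.clock() - ch.created_at > PUSH_TIMEOUT_SECONDS:
            ch.status = "expired"
        return ch.status == "expired"

    def start_login(self, user, ip, browser, location):   # steps 1-2 of How It Works
        device = self.enrolled.get(user)
        if device is None:
            return {"result": "enrollment_required"}   # Enrollment Required Flow
        cid = secrets.token_urlsafe(16)                # unguessable, single-use id
        ctx = {"ip": ip, "browser": browser, "location": location, "timestamp": self.clock()}
        self.challenges[cid] = PushChallenge(user, device, ctx, self.clock())
        return {"result": "push_sent", "challenge_id": cid, "shown_to_user": ctx}

    def respond(self, cid, device_id, approve):   # step 3: the phone answers
        ch = self.challenges.get(cid)
        if ch is None or device_id != ch.device_id:
            return "invalid"          # unknown challenge or wrong device
        if self._expired(ch) or ch.status != "pending":
            return "invalid"          # timed out or already answered (single use)
        ch.status = "approved" if approve else "denied"
        if not approve:               # a denied request is audited with its context
            self.audit_log.append({"event": "push_denied", "user": ch.user, **ch.context})
        return "login_completed" if approve else "login_rejected"

    def poll(self, cid):   # step 4: the browser checks the outcome
        ch = self.challenges[cid]
        if self._expired(ch):   # offline phone: time out and offer fallback MFA
            return {"result": "timeout", "fallback": self.fallback_mfa.get(ch.user, [])}
        return {"result": ch.status}
```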
Admin: Reset Push Auth
If a user loses their device or is locked out:
- Go to /t/{tenantSlug}/portal/users
- Open the user
- Click Reset MFA — this removes all MFA methods including push auth enrollment
- The user can re-enroll during their next login