Push Authentication
Push authentication lets users approve or deny login requests directly from their mobile device — no password, no one-time code. When a login is attempted, LumoAuth sends a push notification to the user's enrolled device. The user reviews the request details and taps Approve or Deny. A denial rejects the login and records an audit event.
Use push auth as a primary passwordless method or as an MFA factor.
Prerequisites
- The user must have enrolled a mobile device running the LumoAuth Authenticator app.
- Push authentication must be enabled in organization settings.
How It Works
- The user enters their email on your login page.
- LumoAuth sends a push notification to the user's enrolled device.
- The user reviews the request (IP address, location, timestamp) and approves with biometrics or a PIN.
- LumoAuth completes the login on the browser.
If the user taps Deny, the login is rejected and an audit event is recorded.
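The flow above, modelled as an added example that is not LumoAuth's code: the class and event names, the one-device-per-user assumption and the 60-second timeout are all assumptions made here. It shows the points a practitioner should care about: the request details (IP, browser, location) are bound to the challenge before the push goes out, only the device the push was sent to can answer, a settled challenge cannot be flipped by a late or duplicate answer, an unanswered challenge expires so the browser can offer fallback MFA, and every outcome (including a denial and an unenrolled user) lands in the audit trail.

```python
"""Model of the push-authentication challenge lifecycle.

Added illustration, not LumoAuth's implementation: class names, field names,
the audit event names and the 60-second default timeout are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"
    EXPIRED = "expired"


@dataclass
class PushChallenge:
    user: str
    device_id: str
    ip: str
    browser: str
    location: str
    created_at: float
    ttl_seconds: int
    challenge_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    state: State = State.PENDING


class PushAuthService:
    """Server side of the flow: issues challenges and records every outcome."""

    def __init__(self, enrolled_devices, ttl_seconds=60):
        self.enrolled = dict(enrolled_devices)  # user -> device_id (assumed: one device per user)
        self.ttl = ttl_seconds
        self.challenges = {}
        self.audit = []  # audit events, appended in order

    def _log(self, event, user, now, **extra):
        self.audit.append({"ts": now, "event": event, "user": user, **extra})

    def start_login(self, user, ip, browser, location, now=None):
        """Steps 1-2: the user entered their email; push a challenge to the enrolled device.
        Returns None when the user has no device (the caller redirects to enrollment)."""
        now = time.time() if now is None else now
        device = self.enrolled.get(user)
        if device is None:
            self._log("enrollment_required", user, now)
            return None
        ch = PushChallenge(user, device, ip, browser, location, now, self.ttl)
        self.challenges[ch.challenge_id] = ch
        # the details the app will display are the ones bound to this challenge
        self._log("push_sent", user, now, challenge_id=ch.challenge_id, ip=ip, location=location)
        return ch

    def _expire_if_stale(self, ch, now):
        if ch.state is State.PENDING and now - ch.created_at > ch.ttl_seconds:
            ch.state = State.EXPIRED
            self._log("push_expired", ch.user, now, challenge_id=ch.challenge_id)

    def respond(self, challenge_id, device_id, approve, now=None):
        """Step 3: the app answers after the local biometric/PIN unlock (not modelled here)."""
        now = time.time() if now is None else now
        ch = self.challenges[challenge_id]
        if device_id != ch.device_id:
            # an answer from any device other than the one pushed to is ignored and recorded
            self._log("push_response_rejected", ch.user, now,
                      challenge_id=challenge_id, device_id=device_id)
            return ch.state
        self._expire_if_stale(ch, now)
        if ch.state is not State.PENDING:
            return ch.state  # a late or duplicate answer cannot flip a settled challenge
        ch.state = State.APPROVED if approve else State.DENIED
        self._log("push_approved" if approve else "push_denied", ch.user, now,
                  challenge_id=challenge_id, ip=ch.ip)
        return ch.state

    def poll(self, challenge_id, now=None):
        """Step 4: the browser polls. APPROVED completes the login, DENIED rejects it,
        EXPIRED means delivery failed or nobody answered, so fallback MFA may be offered."""
        now = time.time() if now is None else now
        ch = self.challenges[challenge_id]
        self._expire_if_stale(ch, now)
        return ch.state
```

The `now` parameter exists so the timeout path can be exercised deterministically; in a real service the clock is the server's, never a timestamp supplied by the device.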
Enrolling a Device
Users enroll their mobile device from their account security settings.
As a User
- Open your account page at /account/security.
- Find the Push Authentication section.
- Click Enroll Device.
- LumoAuth displays an activation code and QR code.
- Open the LumoAuth Authenticator app on your phone.
- Scan the QR code or enter the activation code manually.
- Confirm enrollment — the device appears in your active devices list.
Admin-Initiated Enrollment
Organization admins can trigger an enrollment invitation for a specific user:
- Go to /orgs/{orgId}/portal/users.
- Open the user's profile.
- Click Send Push Auth Activation.
- LumoAuth emails the activation code to the user.
Managing Enrolled Devices
Users can view and remove enrolled devices from /account/security:
| Action | Description |
|---|---|
| View devices | See all enrolled devices with name, enrollment date, and last used time |
| Remove device | Revoke a device — future logins will not send a push to this device |
| Cancel enrollment | Cancel a pending enrollment before it is completed |
Enforcing Push Authentication
You can require push authentication for all users in your organization:
- Go to /orgs/{orgId}/portal/settings/authentication.
- Enable Require Push Authentication.
- Users without an enrolled device will be prompted to complete enrollment before they can sign in.
Push authentication can be enrolled alongside TOTP or SMS-based MFA. When Require Push Authentication is enabled, the push notification replaces the standard MFA code prompt at sign-in; the other enrolled methods remain available as a fallback if the push cannot be delivered.
Enrollment Required Flow
When push authentication is required and a user has not yet enrolled, they are redirected to the enrollment page as soon as they sign in with their existing credentials. They cannot reach your application until enrollment is complete. This ensures full adoption without requiring admin intervention for individual users.
Security Considerations
| Concern | Mitigation |
|---|---|
| Device compromise | Users can remove any enrolled device from their account settings; admins can revoke devices from the portal |
| Push notification phishing (MFA fatigue) | Each request shows the source IP, browser, and location so the user can tell it apart from their own sign-in; users are encouraged to deny unexpected requests. Every denial is recorded as an audit event, so a run of denials or unanswered pushes for one account is visible and can be alerted on |
| Offline phone | If push delivery fails, the request times out; the user can fall back to other configured MFA methods |
| Lost device | Admins can reset push auth enrollment from the user management portal |
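Because denials and expiries are audited, push bombing (an attacker who already has the password and keeps sending requests until the user taps Approve) leaves a recognizable trail. The detection below is an added example, not a LumoAuth feature: the JSON-lines audit format, the event names and the sample events are constructed here for illustration, and you would map them onto whatever your audit export actually emits. It flags any user who received several pushes inside a sliding window, and escalates when an approval follows a denial in that window, which is the outcome the attacker is waiting for.

```python
"""Detection of push bombing (MFA fatigue) from push-auth audit events.

Added example, not a LumoAuth feature: the JSON-lines audit format, the event
names and the sample events below are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit trail: alice receives four pushes in two minutes, denies one
# and then approves; bob is a single normal sign-in.
SAMPLE_AUDIT = """\
{"ts": "2024-05-01T09:00:00+00:00", "event": "push_sent", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:20+00:00", "event": "push_denied", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:35+00:00", "event": "push_sent", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:01:05+00:00", "event": "push_expired", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:01:10+00:00", "event": "push_sent", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:01:30+00:00", "event": "push_sent", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:02:00+00:00", "event": "push_approved", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:10+00:00", "event": "push_sent", "user": "bob", "ip": "203.0.113.9"}
{"ts": "2024-05-01T09:00:25+00:00", "event": "push_approved", "user": "bob", "ip": "203.0.113.9"}
"""

SEVERITY = {1: "medium", 2: "high"}


def detect_push_fatigue(audit_jsonl, window_seconds=300, send_threshold=3):
    """Return one alert per user who received >= send_threshold pushes inside any
    window_seconds sliding window. An approval that follows a denial in the same
    window is the "user gave in" outcome and is escalated to high severity."""
    by_user = defaultdict(list)
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["event"], e.get("ip")))

    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda t: t[0])  # audit exports are not guaranteed to be ordered
        window = deque()
        for ts, ev, ip in events:
            window.append((ts, ev, ip))
            # drop everything older than the window relative to the newest event
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            sends = sum(1 for _, w, _ in window if w == "push_sent")
            if sends < send_threshold:
                continue
            denied = any(w == "push_denied" for _, w, _ in window)
            sev = 2 if (ev == "push_approved" and denied) else 1
            prev = alerts.get(user)
            # keep the strongest observation for this user
            if prev is None or (sev, sends) > (prev["_sev"], prev["sends"]):
                alerts[user] = {
                    "user": user,
                    "_sev": sev,
                    "sends": sends,
                    "denied_in_window": denied,
                    "source_ips": sorted({w_ip for _, _, w_ip in window if w_ip}),
                    "window_start": window[0][0].isoformat(),
                    "window_end": ts.isoformat(),
                }

    result = []
    for a in alerts.values():
        a["severity"] = SEVERITY[a.pop("_sev")]
        result.append(a)
    return sorted(result, key=lambda a: (a["severity"] != "high", a["user"]))


if __name__ == "__main__":
    print(json.dumps(detect_push_fatigue(SAMPLE_AUDIT), indent=2))
```

A high-severity alert is the one to act on immediately: the account should be treated as compromised at the password level, the approved session reviewed, and the password rotated, since the attacker had to know it to trigger the pushes in the first place.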
Admin: Reset Push Auth
If a user loses their device or is locked out:
- Go to /orgs/{orgId}/portal/users.
- Open the user.
- Click Reset MFA. This removes all MFA methods, including push auth enrollment, so confirm the user's identity through a channel other than the account itself before resetting.
- The user can re-enroll during their next login.