A notification is a message that displays outside the contextual UI to provide the user with critical reminders or other information from a particular app on the mobile devices. Users can tap the notifications to open the app or take a predefined action directly from the notification. Push notifications for in-house applications allow users in your organization to receive important notification messages on their compatible mobile devices.
How the Defender Push Notification Works
The pushnotification feature is supported and configurable on both Android (version 8 or later) and iOS (iOS 10 or later) devices. The following sections describe the key Admin and User actions for using push notifications.
NOTE:Push notifications will not be triggered during authentication in offline mode.
Admin
-
An admin programs the new Android or iOS tokens which have the Push Notification feature enabled by default. For more information about the wizard steps and options, see Defender Token Programming Wizard reference
-
The admin marks the relevant Defender security token policy to enable the push notification feature for users. For more information, see Managing Defender Security Policies..
User actions
-
From Defender 6.2 onwards, the pushnotification is implicitly triggered when user initiates the login authentication process to Defender eliminating the need to enter keyword PUSH in token field in first login attempt. The existing functionality with type in keyword PUSH works if the first login attempts fails to authenticate or times out.
-
The notification seeks a user response in form of Approve or Deny for access to the resources. Based on the user's response, the respective action takes place and the notification cycle completes.
-
In case of a timeout, the user can also use can use "push" keyword/passcode/Gridsure PIP.
-
Users activate the newly created token from the 6.1.0 release.
User friendly UX
DDL Client Authentication Process (Applicable from Defender 6.2)
-
When user initiates the Login process, the page asks for credentials only (username and password) and no passcode.
-
The DSS automatically identifies if the user has an Android or iOS Token configured. In such case, the application sends a push notification to Defender Soft Token App.
-
If the user approves the push notification on Defender Soft Token App, they are prompted to next authentication login process to complete the cycle.
-
If the user denies the push notification any time during the authentication process on Defender Soft Token App, the current login process gets canceled, and the user is redirected to the first Page to re-initiate the Login Process.
-
If the user neither approves nor deny the push notification on Defender Soft Token App, then the notification times out for that request and user will be able to select one of the two options (if Authentication method is only Token of any policy) to continue with the authentication process as below:
-
User can trigger the push notification again by clicking on SUBMIT button.
-
Or user can enter "push" (without quotes, case insensitive) passcode/keyword in passcode field or use Gridsure PIP for authentication.
-
-
When DSS identifies that a user does not have Android or iOS token configured, application will prompt the next authentication action (according to the token and Policy selected) on screen for user to complete the login process.
-
If User has selected “Remember password option” under GINA settings, login screen will be prompted with pre-filled password in read only with enabled Submit button to continue the authentication process. Applicable only on the second login attempt, after denial/timeout of first login request.
EAP Client Authentication Process (Applicable from Defender 6.2)
-
When user initiates the Login process, the page asks for credentials only (username and password) under Networks in EAP client.
-
The DSS automatically identifies if the user has an Android or iOS Token configured and sends a PUSH Notification to Defender Soft Token App while displaying a message confirming the notification sent process.
-
If the user approves the push notification on Defender Soft Token App, they are prompted to next authentication login process to complete the cycle.
-
If the user denies the push notification any time during the authentication process on Defender Soft Token App, the current login process gets canceled, and user has to re-initiate the login process.
-
If the user neither approves nor deny the push notification on Defender Soft Token App, then the notification times out for that request. The user can now select one of the two options (if Authentication method is only Token for any policy) to continue with the authentication process as below:
-
User can trigger the push notification again by clicking the RESEND button.
-
Or user can enter "push" (without quotes, case insensitive) passcode/keyword in passcode field.
-
-
If DSS identifies that a user does NOT have Android or iOS Token, application will prompt the next authentication action (according to the token and Policy selected) on screen for user to complete the login proces
-
In case no response is received from the user on the Defender Soft Token App then the request times out and user can select between two options to continue the authentication process as below:
-
User can trigger the push notification again by clicking on RESEND button.
-
Or user can click the Sign in with another option button and enter "push" (without quotes, case insensitive) passcode/keyword in passcode field.
-
-
GridSure Token is not supported with EAP Client.
ISAPI Client Authentication Process (Applicable from Defender 6.2)
-
When user initiates the login process, the page simply asks for ‘username’.
-
If DSS identifies that a user has an Android or iOS token configured, the application will send a PUSH Notification to Defender Soft Token App.
-
In the meantime, a waiting page is displayed on the ISAPI client with a message, "Defender needs to verify your identity. We sent a notification to your Defender Soft Token app. Please respond on your device to continue."
NOTE:The waiting page also displays the ‘Sign in with another option’ button. The user can choose to sign in with token with out waiting for the push notification to be responded/timed-out.
-
If the user approves the push notification on Defender Soft Token App, they are prompted to the next authentication login process to complete the cycle.
-
If the user denies the push notification any time during the authentication process on Defender Soft Token App, the current login process gets canceled, and user is redirected to a page displaying a message regarding verification denial.
NOTE:The Ok button on the verification denial page can be used to re-initiate the login process.
-
In case no response is received from the user on the Defender Soft Token App then the request times out and user can select between two options to continue the authentication process as below:
-
User can trigger the push notification again by clicking on RESEND button.
-
Or user can click the Sign in with another option button and enter "push" (without quotes, case insensitive) passcode/keyword/Gridsure PIP in passcode field.
-
-
If DSS identifies that a user does NOT have Android or iOS Token, application will prompt the next authentication action (according to the token and Policy selected) on screen for user to complete the login process.
Push notification timeout configurable
-
The Push Notification verification timeout is a configurable value.
-
On a computer where Defender Security Server is installed, use Registry Editor to create the following value at:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
Value type: REG_DWORD
Value name: NOTIFICATIONTIMEOUT
Value data: XX
NOTE:
-
The value can range between decimal 1 to 30. Any other value beyond this range is invalid and will set the default timeout to 30 seconds.
-
In case if the registry key for the timeout is not found (not added), then the default timeout of 30 seconds is set.
-
The server will wait till the timeout seconds before sending the response back to client.
-
Defender push notifications can be disabled
-
To turn the notifications off, the user needs to manually create the following registry value at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
Value type: REG_DWORD
Value name: PushOff
Value data: XX
-
The value can be either 0 or 1. Any other value beyond this range is invalid and will set the defaul t push notification on. In case if theregistry key for the PushOff is not found (not added), then the default push notification on is set.