Push Notification Authentication
Push Notification Authentication is a secure, user-friendly verification method that uses the ADSelfService Plus mobile app to send identity verification requests directly to users' mobile devices.
How it works
Push Notification Authentication delivers instant verification requests directly to users' registered mobile devices through the ADSelfService Plus iOS or Android app. This method provides a secure, one-tap approval workflow that eliminates the need for codes or passwords, balancing strong security with exceptional user convenience across all protected endpoints.
Prerequisites
- Open the following ports in your firewall setup to let the ADSelfService Plus server communicate with the push servers of Apple and Google, and send the push notifications to the ADSelfService Plus iOS and Android mobile applications, respectively:
  - For Apple: 5223, 2197, 443
  - For Google: 5228, 5229, 5230, and 80 or 443
- Grant access to the following IP or host addresses in the firewall setup:
  - For Apple: gateway.push.apple.com, api.push.apple.com and feedback.push.apple.com
  - For Google: all outbound IPs with port 80/443, or simply open the Google ASN IPs
Configuration steps
Enabling push authentication is a straightforward process: activate the feature in the ADSelfService Plus admin console and ensure firewall access for Apple and Google push services. ADSelfService Plus automatically handles secure push notification delivery to users' mobile devices once these steps are completed.
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- From the Choose the Policy drop-down, select a policy.
- Click Push Notification Authentication.
- Select Enable Push Notification Authentication.

- Once enabled, users will be automatically considered as enrolled for Push Notification Authentication and need not be enrolled separately.
- Users need to download the ADSelfService Plus iOS or Android mobile app to use this authentication technique.
- This is a device-based enrollment. If users install the app on another device, they need to enroll again.
- This authenticator can be used only from a browser on a workstation. If a user performs an MFA or self-service action from a mobile site, they cannot use Push Notification Authentication to prove their identity.
Tips
- Push Notification Authentication is device-bound — if a user gets a new phone or reinstalls the ADSelfService Plus app, they need to re-enroll. Pair this authenticator with a fallback method (such as email OTP or security question and answer) in your MFA policy so users aren't locked out during device transitions.
- Since this authenticator only works from a browser on a workstation, avoid making it the sole required authenticator for policies that include users who frequently perform self-service actions from mobile browsers. Include at least one mobile-compatible method alongside it.
- If push notifications fail to reach users, the most common cause is a firewall blocking outbound traffic to Apple or Google push servers. Confirm all required ports (5223, 2197, 443 for Apple; 5228–5230 and 80/443 for Google) and host addresses are open before troubleshooting the product configuration. If your environment uses a proxy, configure proxy settings in ADSelfService Plus under Admin > Product Settings > Connection before enabling this authenticator.
- Because users are automatically considered enrolled once the authenticator is enabled, disabling Push Notification Authentication in a policy immediately removes it as a verification option for all users in that policy — including those mid-session. Plan changes to this authenticator during low-traffic periods.
- This authenticator is not supported for enrollment during password resets or account unlocks. If push notification is the only configured authenticator for a policy, users will not be able to complete self-service actions for those operations. Ensure at least one additional authenticator is enabled for reset and unlock flows.
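For the firewall tip above, one way to confirm whether outbound push traffic is being dropped on the server itself is to scan the host firewall log for the ports listed in the prerequisites. This is an added example, not ManageEngine code; it assumes the ADSelfService Plus server runs Windows Defender Firewall with dropped-packet logging enabled (pfirewall.log format), and the sample log lines and addresses are constructed.

```python
from collections import Counter

# Ports taken from the prerequisites on this page.
PUSH_PORTS = {5223: "Apple", 2197: "Apple", 5228: "Google", 5229: "Google", 5230: "Google"}
SHARED_PORTS = {80, 443}  # also required, but shared with all other web traffic

# Constructed sample in the pfirewall.log layout (documentation-range addresses).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-06 09:14:02 DROP TCP 192.0.2.10 198.51.100.7 50211 2197 0 - 0 0 0 - - - SEND
2024-05-06 09:14:05 DROP TCP 192.0.2.10 198.51.100.7 50212 2197 0 - 0 0 0 - - - SEND
2024-05-06 09:14:09 ALLOW TCP 192.0.2.10 203.0.113.20 50213 5228 0 - 0 0 0 - - - SEND
2024-05-06 09:15:30 DROP TCP 192.0.2.10 203.0.113.20 50214 5229 0 - 0 0 0 - - - SEND
2024-05-06 09:16:00 DROP TCP 192.0.2.10 203.0.113.99 50215 443 0 - 0 0 0 - - - SEND
2024-05-06 09:16:10 DROP TCP 198.51.100.50 192.0.2.10 40000 5223 0 - 0 0 0 - - - RECEIVE
2024-05-06 09:16:12 DROP UDP 192.0.2.10 203.0.113.20 50216 5228 0 - - - - - - - SEND
"""

def blocked_push_traffic(log_text):
    """Count dropped outbound TCP connections to the push ports.

    Returns (push, shared): Counters keyed by (provider, port, dst_ip) and
    by (port, dst_ip). Shared-port drops need a manual look at the address.
    """
    fields, push, shared = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names follow the tag
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("action"), row.get("protocol"), row.get("path")) != ("DROP", "TCP", "SEND"):
            continue                            # only outbound TCP drops matter here
        try:
            port = int(row["dst-port"])
        except (KeyError, ValueError):
            continue                            # malformed or truncated line
        if port in PUSH_PORTS:
            push[(PUSH_PORTS[port], port, row.get("dst-ip", "?"))] += 1
        elif port in SHARED_PORTS:
            shared[(port, row.get("dst-ip", "?"))] += 1
    return push, shared

if __name__ == "__main__":
    push, shared = blocked_push_traffic(SAMPLE_LOG)
    for (provider, port, ip), n in sorted(push.items()):
        print(f"{provider} push port {port} -> {ip}: {n} dropped")
    for (port, ip), n in sorted(shared.items()):
        print(f"shared port {port} -> {ip}: {n} dropped (check destination)")
```

An empty result only clears the host firewall; a perimeter firewall or proxy can still drop the same traffic and has to be checked in its own logs.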