How is Push Authentication different from Push Notifications?

July 19, 2022
Written by
Reviewed by

How is push authentication different from push notifications

Push authentication is one of the most secure and user friendly forms of authentication. Instead of typing in a one-time passcode, a user taps "approve" or "deny" (or "yes" or "no") on an authorized mobile device. Twilio Verify offers an SDK to embed push authentication directly into your mobile application, especially useful if you have a large mobile user base.

Some customers already have a push notification system built and consider using that for delivering authentication. This blog post will outline some of the key differences between push authentication and push notifications and why we recommend an authentication-specific solution.

login screen with mobile phone showing push authentication challenge

Why you should use push authentication instead of just push notifications

Push authentication is more secure than push notifications

Push authentication relies on public-key infrastructure. Our SDK turns each device into a secure key, making push authentication phishing resistant. A push notification alone doesn't have the same assurance.

Push authentication still works with disabled/blocked notifications

If a user blocks notifications, a Verify Push authentication challenge will still show up when the user opens the app.

In addition, standard push services are not designed for time critical circumstances. Verify Push doesn't rely on the mobile push service alone: the authentication challenge is stored in the backend and can be retrieved immediately whenever the app is opened by the user.

Push authentication allows for silent verification

Silent verification, where the app does background authentication using the stored private key, won't work with a push notification. The beauty of silent verification is that it doesn't require any notifications, instead you fetch the authentication challenge in the background (with webhooks or polling) so you'll need to build that separately from your notification service.

Apple discourages using notifications for sensitive information

According to app store review guidelines, "Push Notifications must not be required for the app to function, and should not be used to send sensitive personal or confidential information." Unlike a notification only solution, a Verify Push challenge can include additional sensitive information like email address or login location in the in-app challenge screen. Depending on your implementation, including sensitive information in the notification may cause issues getting your app approved in the App Store.

Note: push authentication challenges are not encrypted so we recommend additional protections like certificate pinning to prevent a man-in-the-middle attack.

Verify Push complies with authentication regulation like PSD2

Payment Services Directive 2 (PSD2) is European regulation that requires Strong Customer Authentication on electronic payment over €30. This means that businesses need to send additional context for transactions like the amount and payee. Verify Push is PSD2 compliant and will make sure your business stays compliant with any new regulations that may be introduced.

Getting started with Verify Push

If you still have questions about whether Verify Push is the right solution for you, please get in touch. You can learn more with our Verify Push general overview, technical overview, and best practices.

If you're ready to start building, check out the following quickstarts for your platform[s]:

I can't wait to see what you build and secure!