Authentication: Push

One of my goals before the end of the year is to protect my online accounts with multi-factor authentication. I’ve been protecting many of my identities with TOTP. TOTP is a great way to add multi-factor authentication to our identity.  It adds the “something I have” to the “something I know”.

However, I’m now running into a major user experience issue with TOTP.

I’ve got too many tokens!!!

When I try and authenticate to one of these providers, I have to load the authenticator app and find the right code before typing it in.  This is easy when I only had 1 or 2 codes; but, as I started using TOTP for many of my accounts to improve authentication security, things quickly got out of hand.

This is why Push authentication is better. It removes the burden from the user for entering the code.

First, push authentication is similar to TOTP and OTP. All three use the same underlying technology with a pre-shared key applied to the current time to generate a time-limited token, but there is a slight difference.

  • OTP: Sends code via SMS or email
  • TOTP: User enters code from local device
  • Push: Systems sends notification to device that the user approves

From a conceptual architecture perspective for Citrix Virtual Apps and Desktops, we have something like the following:

  1. The user connects to Citrix Gateway and authenticates with their Active Directory credentials.
  2. Active Directory stores the user’s mobile device information and TOTP key
  3. Gateway sends this information to the Gateway Service, running within the Citrix Cloud.
  4. Gateway Service uses the notification micro-service to send the push notification to the mobile device.
  5. The user gets a notification on the mobile devices and selects Allow/Deny.  That information is sent directly to the on-prem Gateway, which completes authentication.

One question I get with this type of deployment is the cost to use Gateway Service and the notification micro-service. The answer is no cost. An admin just needs to create a account (free).

If we wanted to extend Push authentication to Citrix Workspace, we can use the same architecture.

Except we configure Citrix Workspace to use an on-prem Gateway as our identity provider.

To setup push authentication, we need to use advanced authentication policies within the Citrix Gateway.  This involves creating an authentication flow (nFactor) where one branch allows users to managed their token/device and another branch to authenticate with Push.


To see push in action for a Citrix environment, take a look at the following video:

Daniel (Follow on Twitter @djfeller)

1 thought on “Authentication: Push”

  1. Great Stuff! Our environment already has TOTP mutlifactor authentication setup, and our end users have mostly been using Google Authenticator (with some others thrown in). Is there a way to allow ‘push’ for those that wish to adopt it/install Citrix SSO and the traditional path (TOTP with Google Auth) without one stepping on the other? Would this require using different AD attributes for storing the key, or could they share the same?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.