Push Authentication.
An MFA mechanism where the user approves or denies a login request via a push notification on a registered mobile app, eliminating the need to type an OTP code.
Push with number-matching is the modern minimum bar in 2026; vanilla push is still common in older deployments but no longer acceptable for production CIAM. Push remains short of phishing-resistant by NIST standards (the user can be tricked into approving a push triggered by an attacker who has the password), but properly implemented number-matching push raises the bar enough to remain AAL2-acceptable.
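The difference between vanilla and number-matching push is easiest to see on the server side. With number matching, the login page shows a number and the user must type it into the app, so a bare "Approve" tap is not enough. The sketch below is an added example, not code from this page or from any product; the class and function names, the two-digit number, the 60-second lifetime and the one-pending-push limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL = 60   # seconds a push stays answerable (assumed value)
MAX_PENDING = 1      # refuse to stack prompts for one user (assumed policy)


@dataclass
class Challenge:
    user: str
    session_id: str  # browser session that displays the number
    number: str      # shown on the login page, never sent inside the push
    expires: float
    used: bool = False


class PushVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # challenge_id -> Challenge

    def start(self, user, session_id):
        """Create a challenge; returns (challenge_id, number_for_login_page)."""
        now = self.clock()
        live = [c for c in self.pending.values()
                if c.user == user and not c.used and c.expires > now]
        if len(live) >= MAX_PENDING:
            raise RuntimeError("push already pending for this user")
        cid = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        self.pending[cid] = Challenge(user, session_id, number, now + CHALLENGE_TTL)
        return cid, number

    def respond(self, cid, typed_number, approve=True):
        """Handle the app's answer; returns the session to sign in, or None."""
        ch = self.pending.get(cid)
        if ch is None or ch.used or ch.expires <= self.clock():
            return None
        ch.used = True  # single use: a wrong guess burns the challenge
        if not approve:
            return None
        typed = str(typed_number).encode()
        if not hmac.compare_digest(ch.number.encode(), typed):
            return None
        return ch.session_id
```

A user who receives a prompt they did not start never sees the number on the login page, so guessing it succeeds at most one time in a hundred before the challenge is burned.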