pi-authenticator
Push Fatigue Mitigation / Make buttons of push configurable by the server
If an attacker can trigger push notifications for a user, the static password is probably already compromised. In that case it is not sufficient to just suppress the push notifications; the admin has to take action. However, it should be up to the admin what is done.
General question: how can the phone report an unauthorized login attempt back to privacyIDEA?
We could make the push buttons somewhat configurable:
- Optionally include a third button to indicate that the push request was not triggered by the owner of the phone -> what kind of request would the app then send?
- Texts (the message shown and the button labels)
We could even add buttons with texts like:
- "This was not me, please block my token. Block my account."
- "Block my token for 7 days, because I am on vacation and will not use it."
- "Please inform the admin to take action."
Using the pia: scheme, we could send the information for the configurable buttons of each push token to the authenticator application. The data could be a JSON string with a message and n buttons, each with a label and an optional response string. It could also carry a URL to call when one of the buttons is pressed, or the app could always inform the issuer.
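To make the proposal concrete, here is an added example (not code from pi-authenticator or privacyIDEA) of what such a button configuration could look like and how each side might treat it. The field names (message, buttons, label, response, response_url), the limits, and the set of response strings are all assumptions of this example. The phone-side parser treats response strings as opaque but enforces the one check that matters for security: the response URL must point back to the token's own issuer over HTTPS, so a manipulated configuration cannot make the phone post confirmations to some other host. The server side maps the echoed response string to an action and decides whether the admin is informed.

```python
"""Constructed example of a server-defined push button configuration.

Everything here (field names, limits, response strings) is an assumption of
this example and not the real pi-authenticator / privacyIDEA schema.
"""
import json
from urllib.parse import urlparse

MAX_BUTTONS = 5
MAX_LABEL_LEN = 60
MAX_MESSAGE_LEN = 200
MAX_RESPONSE_LEN = 64

# Server side: which response strings the server is prepared to act on, as
# (action, inform_admin). Anything else falls back to a plain deny so that a
# stale or tampered configuration cannot trigger an unexpected action.
KNOWN_RESPONSES = {
    "accept": ("authenticate", False),
    "decline": ("deny", False),
    "not_me_block_token": ("block_token", True),
    "block_7_days": ("block_token_7d", False),
    "inform_admin": ("deny", True),
}

# Constructed sample of what the server might attach to one push token.
SAMPLE_CONFIG = json.dumps({
    "message": "Login request from 203.0.113.7 (Firefox, Berlin)",
    "buttons": [
        {"label": "Accept", "response": "accept"},
        {"label": "Decline", "response": "decline"},
        {"label": "This was not me, block my token", "response": "not_me_block_token"},
        {"label": "Block my token for 7 days (vacation)", "response": "block_7_days"},
    ],
    "response_url": "https://privacyidea.example.com/ttype/push",
})


def parse_button_config(raw: str, issuer_host: str) -> dict:
    """Phone-side validation of a server-supplied button configuration.

    Rejects configs with too many buttons, overlong or empty labels, overlong
    response strings, or a response URL that is not HTTPS on the issuer host
    the token was enrolled with.
    """
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")

    message = str(cfg.get("message", ""))[:MAX_MESSAGE_LEN]

    buttons = cfg.get("buttons")
    if not isinstance(buttons, list) or not 1 <= len(buttons) <= MAX_BUTTONS:
        raise ValueError("buttons must be a list of 1..%d entries" % MAX_BUTTONS)

    parsed = []
    for b in buttons:
        if not isinstance(b, dict):
            raise ValueError("button must be an object")
        label = str(b.get("label", "")).strip()
        if not label or len(label) > MAX_LABEL_LEN:
            raise ValueError("bad label: %r" % label)
        response = b.get("response")  # optional, opaque to the phone
        if response is not None:
            if not isinstance(response, str) or len(response) > MAX_RESPONSE_LEN:
                raise ValueError("bad response string: %r" % response)
        parsed.append({"label": label, "response": response})

    url = cfg.get("response_url")
    if url is not None:
        u = urlparse(str(url))
        if u.scheme != "https" or u.hostname != issuer_host:
            raise ValueError("response_url must be https on %s" % issuer_host)

    return {"message": message, "buttons": parsed, "response_url": url}


def is_valid_button_config(raw: str, issuer_host: str) -> bool:
    """True if parse_button_config accepts the configuration."""
    try:
        parse_button_config(raw, issuer_host)
        return True
    except (ValueError, TypeError):
        return False


def handle_button_response(response) -> tuple:
    """Server side: map the echoed response string to (action, inform_admin)."""
    return KNOWN_RESPONSES.get(response, ("deny", False))


if __name__ == "__main__":
    cfg = parse_button_config(SAMPLE_CONFIG, "privacyidea.example.com")
    for btn in cfg["buttons"]:
        print(btn["label"], "->", handle_button_response(btn["response"]))
```

The issuer host is known to the phone from enrollment, which is why the URL check is anchored to it rather than to an allowlist shipped with the app; a configuration that fails validation is dropped and the app falls back to its default buttons.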