If an attacker can trigger push notifications for a user, the static password is probably already compromised. In that case, it is not sufficient to just suppress the push notifications - the admin has to take action. However, it should be up to the admin what will be done.
General question:
How can we transfer the information of an unauthorized login attempt from the phone to privacyIDEA?
We could make the push buttons somewhat configurable:
Optionally include a third button to indicate that the push request was not triggered by the owner of the phone -> what kind of request will be made?
Texts
Using the pia:\ scheme, we could send the information for the configurable buttons of each push token to the authenticator application.
The data could be a JSON string with a message and n buttons, each with a label and an optional response string. Maybe also a URL to call when there is a response on the pressed button, or maybe always inform the issuer.
For "require_presence", the implementation should be fine for this idea.
The discard button simply deletes the request, and the decline button sends the decline information to the server. Blocking a push token for a certain amount of time on decline could be done with "auth_max_fail", but declining an auth request does not increase the fail counter.
Also, the texts of the accept button without require_presence, the discard button, and the decline button are not configurable.
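The button payload proposed in this thread (a message plus n buttons, each with a label, an optional response string and possibly a URL), as an added example of how the receiving app could validate it before rendering; this is not privacyIDEA or authenticator code. The field names `message`, `buttons`, `label`, `response` and `url`, the three-button limit, and the rule that a callback URL must be HTTPS on the server the token was enrolled with are all assumptions.

```python
import json
from urllib.parse import urlsplit

MAX_BUTTONS = 3  # assumption: accept, discard/decline, "not triggered by me"

class ButtonConfigError(ValueError):
    """Raised when a button payload must not be shown to the user."""

def parse_button_config(raw, enrolled_host):
    """Validate a hypothetical button payload and return a cleaned copy."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ButtonConfigError("payload is not valid JSON") from exc
    if not isinstance(data, dict) or not isinstance(data.get("message"), str):
        raise ButtonConfigError("missing message")
    buttons = data.get("buttons")
    if not isinstance(buttons, list) or not 1 <= len(buttons) <= MAX_BUTTONS:
        raise ButtonConfigError("expected 1 to %d buttons" % MAX_BUTTONS)
    parsed = []
    for b in buttons:
        label = b.get("label") if isinstance(b, dict) else None
        if not isinstance(label, str) or not label.strip():
            raise ButtonConfigError("button without a label")
        response = b.get("response")  # optional: a button may only dismiss
        if response is not None and not isinstance(response, str):
            raise ButtonConfigError("response must be a string")
        url = b.get("url")
        if url is not None:
            # Pin callbacks to the enrolled server so a payload cannot
            # redirect the user's answer to another host.
            parts = urlsplit(url) if isinstance(url, str) else None
            if (parts is None or parts.scheme != "https"
                    or parts.hostname != enrolled_host.lower()):
                raise ButtonConfigError("callback URL not on enrolled server")
        parsed.append({"label": label.strip(), "response": response, "url": url})
    return {"message": data["message"], "buttons": parsed}

# Constructed sample payload; host and path are placeholders.
SAMPLE = json.dumps({
    "message": "Login request for user alice",
    "buttons": [
        {"label": "Accept", "response": "accept"},
        {"label": "Discard"},
        {"label": "This was not me", "response": "not_me",
         "url": "https://pi.example.com/hypothetical/report"},
    ],
})
```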