Manage security controls

Use the Push browser extension to enforce security controls for your workforce and prevent common identity attacks, including phishing.

You can configure these options on the Controls page in the Push admin console. Note that employees must be enrolled in Push and using the Push browser extension for controls to be enforced.

Use app banners to apply guardrails to your employees’ use of apps. This control allows you to place a message directly in the browser on an app’s login and signup pages.

You can configure app banners from the Controls page by selecting the App banners tile and then configuring a rule for the app banner.

For each rule, you’ll select the banner Mode (see examples below); the Scope (all employees, specific employees, or employee groups); and whether the rule applies to all apps, specific apps, or app attributes (e.g. sensitivity and approval status or custom labels). Then customize the banner text.

There are four modes for app banners.

Set the mode to Inform for a smaller, dismissible message at the top of the page.

Set the mode to Acknowledge for a larger banner that covers the middle of the page and requires that end-users click a button to acknowledge the message before they can sign up or log in.

Push will also emit a webhook event if you wish to track when app banners are displayed and acknowledged.

Set the mode to Reason for a large banner that covers the middle of the page and requires end-users to submit a reason for using an app before they can sign up or log in. Push will also emit a webhook event to capture the submitted text from the end-user.

Set the mode to Block for a larger banner that covers the middle of the page and prevents the end-user from signing in to the app. Optionally, you can also allow end-users to submit a request to use a blocked app directly from the banner. Push will emit a webhook event to capture the submitted text.

You can preview the app banner in your browser right in the Push admin console, and publish it when you’re ready.

Use app banners to:

• Block a recently breached app while you investigate.

• Block unapproved apps.

• Encourage employees to use a preferred app over an alternative.

• Remind employees not to enter sensitive information or company data into GenAI tools.

• Ask employees not to use an app until it can be reviewed by the security team.

• Restrict use of high-sensitivity apps to certain teams or roles.

• Or anything else you want!

For more examples of how to use app banners, refer to this help article.

Guide employees to use strong, unique passwords directly in the browser using in-line password guidance.

This feature securely analyzes the end-user’s password in real time when they sign up for or log in to an app and displays an in-line message if their password is weak or reused.

This feature is currently available in early access and can be enabled on the Settings page in the Push Labs section.

Prevent employees from visiting malicious websites by configuring a blocklist of URLs. If employees try to visit a blocked URL, they will see your custom block message instead of the site.

This feature allows you to respond to phishing incidents by blocking the phishing URL across your entire workforce. You can also implement blocks for known-bad websites.

Push will also emit a webhook event when a blocked URL is visited.

You can configure URL blocking on the Controls page of the admin console. You can programmatically manage URL blocking as part of responding to an attempted phishing incident by using the Push REST API to automatically add URLs to the blocklist or to sync with other threat intelligence sources of known-bad sites.

When adding URLs to your blocklist, you can use a wildcard * (star / asterisk character) to partially match website domains.

For example, *.example.com will catch any subdomains in example.com.

Note: URL match patterns do not support the syntax *.example.* You must use the syntax *.example.com or *.example.org if you wish to have a wildcard for subdomains.

To catch all pages on a domain, use the syntax example.com/*. You can combine these two approaches to catch all pages and all subdomains by using the syntax *.example.com/*

You can configure URL blocking on the Controls page of the admin console.

Warn or block employees from entering their SSO (identity provider) password into other sites, including phishing sites, and display a custom message.

There are three modes for SSO password protection.

In Monitor mode, Push will silently report when and where SSO passwords were used without alerting the user.

In Warn mode, Push will display a customizable warning message to users that they’ve re-used their SSO password on another site. The user can ignore the warning to continue if they know the site is trustworthy.

In Block mode, Push will prevent users from logging in with their SSO password on any webpage except those belonging to the SSO provider and display a customizable block message.

Push can detect the following identity providers:

• Okta

• Microsoft 365

• Google Workspace

• JumpCloud

• Duo

• Ping Identity

Push will emit a webhook event when an SSO password is used, and if the employee clicks through the warning screen.

You can configure a list of domains to ignore when enforcing this control. You can also choose to ignore all recognized work apps when enforcing this feature, essentially allowing end-users to re-use their SSO password on known, trusted apps. Push maintains a list of recognized work apps on our Supported SaaS page.

Note: The Push browser agent will ignore flagging any scenarios in which the login page is in the company domain(s), is on the ignore list under Settings > Advanced, or is in a private IP address space, including localhost.

Learn more in this related help article.

You can configure SSO password protection on the Controls page of the admin console.

Detect when employees visit websites that are using phishing tools such as EvilNoVNC and Evilginx, which can mimic legitimate login screens in order to steal credentials and MFA codes. Then warn or block employees from accessing those sites.

Push will emit a webhook event when signatures for these phishing tools are detected on sites visited by your employees. Consider adding those malicious websites to a blocklist to enforce URL blocking.

You can configure phishing tool detection in Monitor, Warn, or Block modes.

Learn more in this related help article.

You can enable phishing tool detection on the Controls page of the admin console.

Push provides a security control configurable by administrators that allows you to inject a unique marker into the User Agent string of sessions that occur in browsers enrolled in Push. This feature is powered by the Push browser agent.

By analyzing logs in the target app, you can identify sessions that both have the Push marker and that lack the marker, indicating the session is being used from both a machine with the extension and a machine without and therefore the session token may have been stolen.

Note: While Push can inject the unique marker into sessions on any domains you specify, the identity provider or application must provide a server-side session identifier so that you can determine which activity belongs to the same session, and then identify whether a marker is absent from activity on Push-enrolled browsers where you expect it to be present.

Any “unmarked” activity in the same session should be treated as a high-fidelity signal of session token theft, also known as session hijacking.

Learn more in this related help article.

You can enable session theft detection on the Controls page of the admin console.

Detect when employees visit sites using cloned login screens that may be used to mimic identity provider login pages in order to steal credentials.

Once you enable Cloned login page detection, Push will emit a webhook event when it detects that an employee has visited a page that appears to be a clone of a legitimate login page.

It does this by fingerprinting the page structure and resources of your legitimate login pages and monitoring for pages that appear to be very similar.

Learn more about cloned login page detection in this help article.

Important! Be sure to add any custom login URLs that you use to your Settings page to ensure they are detected.

Detect stolen credentials in use across your workforce identities. Push does this by ingesting threat intelligence data and then verifying which credentials flagged by TI sources are still being used by employees, performing comparisons of hashed, salted, and truncated credentials using the Push browser extension.

You can choose to receive alerts for this detection via webhook, ChatOps notification, or in the Push admin console.

Learn more about stolen credential detection in this help article.

Prompt employees to register for MFA on apps where they lack it, using MFA enforcement. This control allows you to display a customized banner that end-users will see when they use accounts that are missing MFA protection. You can select which apps to enforce MFA on when configuring the control.

Integrate with Microsoft Teams or Slack and then enable direct user engagement using Push’s ChatOps feature.

With employee ChatOps, Push will automatically message end-users when they have a simple security issue such as a weak password and ask them to fix it.

You can also use ChatOps to receive real-time notifications about changes to your identity infrastructure, such as newly created accounts, newly discovered apps, and new security findings across your workforce.

Learn more about ChatOps.