Push Approval
FactorCat sends a push notification when your browser needs an MFA code. Tap approve on your phone and the code fills in automatically.
Push approval is the core of the FactorCat experience. Instead of opening an authenticator app, finding the right code, and typing it in, you approve a notification on your phone and the code fills in automatically.
How push approval works
-
The extension detects an MFA field. When you reach a 2FA prompt on a website, the FactorCat browser extension recognizes the input field and matches it to one of your factors by domain.
-
Your phone gets a push notification. The extension sends an approval request through FactorCat’s servers. Your phone displays a notification showing the site name and hostname — so you know exactly what you’re approving.
-
You tap Approve. Your phone generates the current TOTP code (plus the next code for seamless rollover) and sends it back through the secure relay.
-
The code fills in automatically. The extension receives the code and inserts it into the MFA field. If auto-fill can’t find the right field, the code appears in the extension popup with a copy button. See Auto-Fill for details.
The entire flow takes a few seconds — and you never need to read, copy, or type a 6-digit code.
What you see on your phone
When an approval request arrives, your phone shows:
- The site name (e.g., “GitHub” or “Google”)
- The hostname of the requesting page (e.g.,
github.com) — so you can verify the request is legitimate - Approve and Deny buttons
If you didn’t expect a notification, tap Deny. This blocks the request and no code is sent. If someone has your password but not your phone, they can’t get past this step.
Auto-fill after approval
After you approve, the extension tries to fill the code directly into the MFA input field on the page. This works on most sites with standard OTP fields.
If auto-fill can’t find the right field (non-standard implementations, iframes, dynamically injected inputs), the extension falls back to showing the code in its popup. The code stays visible even after you copy it, and automatically rolls over to the next code when it expires.
For full details, see Auto-Fill.
Clipboard fallback
If auto-fill doesn’t detect the field, the code is available in the extension popup:
- Click the code to copy it to your clipboard
- The code stays visible — it doesn’t disappear after copying
- When the current code expires, the next code appears automatically
This means you always have a way to get the code, even on sites where auto-fill can’t reach the input field.
Vault approval settings
You can control when approval is required on a per-vault basis. Open the mobile app and go to Settings > Vaults, or use the vault settings page on the web dashboard:
Always require approval
Every code request triggers a push notification. No exceptions. This is the most secure setting — no code is ever generated without your explicit approval.
This is the only option for Locked Vault factors, since your phone needs to generate the TOTP code locally using your master key.
Require when online
If your phone is reachable, you’ll get a push notification and need to approve. If your phone is unreachable (airplane mode, dead battery, no signal), Cloud Vault factors fall back to server-generated codes so you’re not locked out.
This is the default for Cloud Vaults. It balances security with availability.
Never require (Cloud Vault only)
Codes are generated server-side without a push notification. The extension gets the code immediately when it detects the MFA field. Fastest, but you won’t see a notification or have a chance to deny the request.
Only available for Cloud Vault factors — Locked Vault factors always require your phone since the server can’t generate their codes.
What happens on timeout
If you don’t respond to an approval request in time:
- Always require — the request fails. The extension shows a “timed out” message. Try again to send a new notification.
- Require when online — for Cloud Vault factors, the system falls back to a server-generated code. For Locked Vault factors, the request fails.
- Never require — no timeout is possible since there’s no approval step.
If timeouts happen frequently, check that push notifications are working and your phone has a stable internet connection.
For how the extension fills in codes after approval, see Auto-Fill. To set up pairing between your phone and browser, see Pairing Your Phone and Browser.