The push authentication can be done via OpenID connect Backchannel Authentication flow https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html

When you are authenticated, you can add another authentication, such as security key with support of biometrics, and therefor in future login with it.