This approach makes sense to me, though I'd expand password to be a broader term because people might prefer different authentication methods or approving a request to install software from their own device or so