If the user name was linked to their Windows Identity, then you can use that. If, however, your site uses a custom login mechanism or something like OAuth, then the user is going to have to associate their identity with the notification application - this would typically require you to provide a settings page where they entered their user name and password details so that you could verify that they were a valid user.
To be honest, this opens a whole can of worms, including things such as verifying that web service requests haven't been intercepted and so on. A simpler method would just be to email them.
I was brought up to respect my elders. I don't respect many people nowadays.