--- title: Allowed authentication methods description: Define the authentication methods you want to make available for the policy in the Allowed Authentication Methods section. Only the selected allowed authentication methods are listed as options in the authentication rule Action list. component: pingid page_id: pingid:pingid_service_management:pid_allowed_auth_methods canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_allowed_auth_methods.html revdate: June 8, 2023 --- # Allowed authentication methods Define the authentication methods you want to make available for the policy in the **Allowed Authentication Methods** section. Only the selected allowed authentication methods are listed as options in the authentication rule **Action** list. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If a new authentication method is added as a PingID capability and the **All Methods** check box is not selected in the **Allowed Authentication Methods** section, you must edit each policy and select the check box of the new authentication method manually to include it in a policy. | A description of the allowed authentication methods is shown in the following table. **Authentication methods allowed per policy** | Allowed Authentication Method | Description | | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **All Methods** | Permit the use of all authentication methods currently configured for the organization.When the **All methods** check box is selected:- All available authentication methods are permitted at the policy level. - If additional authentication methods are added to PingID in the future, they are automatically applied to the policy. - Within a policy rule, all available authentication methods are listed in the rule **Actions** list. - Deprecated authentication actions appear and can be selected in policy rule **Actions** list. See [Deprecated authentication actions](pid_deprecated_actions.html).If the **All methods** check box is not selected:- Only the specific authentication methods selected in the **Allowed Authentication Methods** list are available for the user to authenticate. - If additional authentication methods are added to PingID in the future, they are not applied to existing policies automatically. Existing policies must be edited individually and the new authentication method added manually in order to apply it to the policy. - Within a rule, only the selected authentication methods are listed in the authentication actions in addition to relevant default actions, such as **Approve**, **Deny**, and **Authenticate**. - Deprecated authentication actions are not available in the policy rule **Actions** list. | | **Authenticator app** | Authentication using an authenticator app, such as Google authenticator, is permitted. | | **Backup Authentication** | Authentication using a backup authentication method is permitted. This option is useful if a user forgets their device, or it is lost or stolen.The **Forgot your device?** link only appears if:- Either the **Authenticate** rule action, or a rule action that includes a mobile device authentication method such as **Mobile App Biometrics**, is configured. - At least one backup authentication method is defined. See [Configuring backup authentication methods](pid_configuring_backup_authentication_methods.html). | | **Desktop** | Authentication by a desktop app is permitted. | | **Email** | Authentication by email is permitted. | | **FIDO2 Biometrics** | Authentication by a FIDO2 biometrics device is permitted for web-based policies only. | | **Mobile App Biometrics** | Authentication by a supported biometrics devices is permitted and applied according to the configuration defined in the Admin portal. | | **Number matching** | Authenticate by number matching is permitted.- Number matching has priority over**Mobile App Biometrics** and**Swipe** authentication methods. - If **Mobile app biometrics** is set to **Require** in the **Configuration** tab, the user must authenticate successfully using biometrics and then authenticate using number matching. - Number matching is only supported by apps that are using web-based authentication. | | **Oath Token** | Authentication using an OATH Token is permitted. | | **One-time passcode** | Authentication using a one-time passcode (OTP) obtained using PingID mobile app is permitted. If this option is not selected, fallback to a OTP and direct passcode usage are not allowed, even if it is enabled in the Configuration page. | | **SMS** | Authentication using an OTP obtained through SMS is permitted. | | **Security Key** | Authentication using a security key is permitted for web-based policies only. | | **Swipe** | Authentication using swipe is permitted. | | **Voice** | Authentication using an OTP obtained through voice message is permitted. | | **YubiKey** | Authentication using a YubiKey is permitted. |