--- title: Authentication method selection and priority - use cases description: See the following table for detailed examples of use cases where the configuration at the organization level can affect the implementation of an authentication policy. component: pingid page_id: pingid:pingid_service_management:pid_auth_methods_use_cases canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_auth_methods_use_cases.html revdate: February 9, 2023 --- # Authentication method selection and priority - use cases See the following table for detailed examples of use cases where the configuration at the organization level can affect the implementation of an authentication policy. **Authentication method selection by specific use cases** | Use Case | User Paired Devices | Allowed Authentication Methods | Rule Action | Result | Reason | | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------ | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | 1 | * SMS (primary) * Email | All methods | Email | User is requested to authenticate through email | Although the primary is SMS, the user is requested to authenticate using email as the rule action requires email. | | 2 | - Desktop (primary) - Email - YubiKey | YubiKey | Authenticate | User is requested to authenticate with YubiKey | User is automatically prompted to authenticate using a YubiKey, regardless of whether the configuration is set to **Default to Primary** or **Prompt user to select**. This is because the user only has one allowed authentication method paired with their account. | | 3 | * The PingID mobile app (primary) * SMS * Voice | SMS/ Voice/ Email | Authenticate | User is unable to authenticate | - **Default to Primary**: Even though the user's primary device is disallowed (PingID Mobile app), the user is prompted to authenticate with the device that was enrolled first out of the list of allowed secondary devices. - **Prompt user to select:** the user is presented with a list of secondary devices. The user selects the secondary device with which they want to authenticate. | | 4 | * SMS (primary) * YubiKey * Email | Mobile App Biometrics/ Swipe / One-time passcode | Authenticate | Authentication denied | User does not have one of the allowed authentication methods paired with their account. | | 5 | - The PingID mobile app (primary) - Desktop - Voice | All methods | SMS | Authentication denied | User does not have the required authentication method paired with their account. | | 6 | The PingID mobile app (Swipe disabled) | Mobile App Biometrics/ Swipe | Authenticate | Authentication denied | Swipe is disabled in the PingID mobile app and the user is unable to receive a push notification.As a one-time passcode (OTP) is not included in the **Allowed Authentication Methods**, the user cannot use an OTP, even if OTP Fallback is enabled. | | 7 | The PingID mobile app (Swipe disabled) | All methods | Mobile App Biometrics (required) | Authentication denied | Mobile App Biometrics (required) permits authentication with biometrics only, and does not allow use of an OTP."Swipe disabled" prevents the user from receiving a push notification to their device, preventing the user from authenticating with biometrics. | | 8 | The PingID mobile app where:- Device supports biometrics - Biometrics not defined on device | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | If a device does not support biometrics, PingID allows the user to authenticate using swipe as an exception. If the device supports biometrics, but biometrics are not defined on the device, the user can use swipe.This is possible because biometrics is enabled (and not required) by the biometrics configuration | | 9 | The PingID mobile app where:- Device does not support biometrics - Biometrics required at configuration level | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | Although biometrics is required, because the user's device does not support biometrics, the user is still able to authenticate with swipe (if device unlocked), or using their device passcode (if device is locked). | | 10 | The PingID mobile app where:- Device supports biometrics - Biometrics not defined on device - Biometrics required at configuration level | Mobile App Biometrics | Mobile App Biometrics (required) | The user is not able to authenticate | Biometrics are required at the configuration level, and biometrics authentication is possible on the user's device. The user is not able to authenticate because they have not defined biometrics on the device. | | 11 | The PingID mobile app where:- Device supports biometrics - Biometrics are defined on device - Biometrics required at configuration level | Mobile App Biometrics / Swipe | Authenticate | User is able to authenticate with biometrics | Biometrics have a higher priority over swipe, and the user is prompted to authenticate with biometrics. | | 12 | * Security key (primary) * Email * SMSWhere the browser used does not provide WebAuthn support required for security key. | All methods | Authenticate | User is able to authenticate with email or SMS | - **Default to Primary**: Even though the user's primary device is disallowed because the browser does not support WebAuthn, the user is prompted to authenticate with the secondary device that was enrolled first out of the list of allowed secondary devices. - **Prompt user to select:** A security key is not included in the list of devices, as the browser does not support WebAuthn. The user is presented with a list of secondary devices only. The user selects the secondary device with which they want to authenticate. | | 13 | * Security key (primary) * Email * SMS Where the browser used does not provide WebAuthn support required for security key. | All methods | Security Key | User is unable to authenticate | Even though the user has a security key paired with their account, they are signing on using a browser that does not support WebAuthn. | | 14 | - The PingID mobile app (primary) - Security key - EmailWhere the browser supports WebAuthn. Policy rule **authenticating from a new device** is applied and requires a security key. | All methods | Security key | User is able to authenticate with a Security key only. In the case of a phishing attack, the user is not able to authenticate with any device. | * If authenticating from a new device a security key is required. * If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the **accessing from new device** policy rule. Even though the user has other devices paired, they are prompted to authenticate using a security key only, and cannot change device due to the policy rule restrictions.This configuration guards all devices against a phishing attack. | | 15 | - FIDO2 biometrics (primary) - Email - SMSWhere the browser used does not provide WebAuthn Platform support. | All methods | FIDO2 Biometrics | User is unable to authenticate | Even though the user has a FIDO2 biometrics device paired with their account, they are signing on using a browser that does not support WebAuthn. | | 16 | * The PingID mobile app (primary) * FIDO2 Biometrics * EmailWhere the browser supports a WebAuthn Platform. Policy rule **authenticating from a new device** is applied and requires a security key. | All methods | FIDO2 | User is able to authenticate with FIDO2 only. In the case of a phishing attack, the user is not able to authenticate with any device. | - If authenticating from a new device, FIDO2 biometrics device is required. - If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the **accessing from new device** policy rule. Even though the user has other devices paired, they are prompted to authenticate using a FIDO2 biometrics device only and cannot change device due to the policy rule restrictions.This configuration guards all devices against a phishing attack. |