---
title: Configuring backup authentication methods
description: Configure backup authentication so that a user can still sign on if they do not have access to their primary authentication device, such as if they forget their device at home, or their device is lost or stolen.
component: pingid
page_id: pingid:pingid_service_management:pid_configuring_backup_authentication_methods
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_backup_authentication_methods.html
revdate: August 4, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Configuring backup authentication methods

Configure backup authentication so that a user can still sign on if they do not have access to their primary authentication device, such as if they forget their device at home, or their device is lost or stolen.

## Before you begin

Ensure the relevant attributes are configured in your user directory and are up-to-date.

Attributes must be entered in the correct format. For more information, see [Configuring the phone number attribute in PingOne](pid_configuring_phone_number_attribute_in_p1.html), [Configuring LDAP attributes in PingFederate](pid_configuring_ldap_attributes_in_pf.html), [Integrate PingID with AD FS](../pingid_integrations/pid_integrate_with_ad_fs.html), step 5 of [Configuring advanced settings](../pingid_integrations/pid_configuring_advanced_settings.html), and [Configuring PingID MFA for Microsoft Azure AD Conditional Access](../pingid_integrations/pid_cfg_azure_conditional_access.html).

## About this task

Backup authentication uses the email and phone attributes stored in your organization's user directory to send a one-time passcode (OTP) to the user through SMS, voice, or email. This option is available for web SSO only.

If you enable one or more backup authentication types, and the user has at least one valid phone number or email address listed in the user directory, a **Forgot Your Device?** link is shown on the authentication screen. When the user clicks **Forgot Your Device?**, they are presented with a list of the backup authentication options available for their account.

If a policy is applied to your organization, the **Forgot Your Device?** link only appears if either the authenticate rule action, or a rule action with a fallback, such as fingerprint with OTP fallback, is applied to the policy.

You can include the following directory attributes as options for backup authentication:

* Email

* Secondary email

* Voice

* SMS

Phone numbers must be saved in Google Library format, which specifies that all phone numbers must include "+" and the international country code. Only attributes listed in the required format are displayed as a backup authentication method.

|   |                                                                                                                         |
| - | ----------------------------------------------------------------------------------------------------------------------- |
|   | PingOne supports the use of a single email address and a single phone number, which can be used for both SMS and Voice. |

## Steps

1. Sign on to the admin portal and go to **Setup → PingID → Configuration**.

2. In the **Authentication** section, go to **Alternate Authentication Methods**. ![A screen capture of the Alternate Authentication Methods section.](_images/vkb1564020562147.png)

3. To enable an authentication method as backup authentication, in the relevant row, select the **Backup Authentication** check box.

4. Click **Save**.

5. To select backup authentication as an allowed authentication method when creating a PingID policy, see [PingID policy](pid_allowed_auth_methods.html).

## Result

The next time a user signs on or performs an action that requires authentication, if they have a valid backup authentication method, they can click **Forgot Your Device?** and authenticate with a backup device.

![A screen capture of the PingID authentication screen, showing the Forgot Your Device? link.](_images/rwb1564020620703.png)

|   |                                                                                                                                                                                                                                                                                                                                                             |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When the user clicks **Forgot Your Device?**, PingID sends a device change notification to the paired device and invalidates the original authentication request. To view the user flow, see [Authenticating using a backup device](http://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_ug_auth_using_backup_device.html). |