---
title: Rule authentication actions
description: The list of authentication actions that you can choose to enforce within a policy rule is determined by the authentication methods allowed at the policy level.
component: pingid
page_id: pingid:pingid_service_management:pid_rule_auth_actions
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_rule_auth_actions.html
revdate: March 6, 2023
---

# Rule authentication actions

The list of authentication actions that you can choose to enforce within a policy rule is determined by the authentication methods allowed at the policy level.

**Rule authentication actions and deprecated actions**

| Authentication Action     |                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Approve**               |                                                  | Approves access without requiring PingID authentication.<br><br>This rule action cannot be used in a PingFederate passwordless flow, because at least one authentication factor is required to use the Approve action. |
| **Authenticate**          |                                                  | Allows a user to authenticate using any of the authentication methods available to the user and allowed at the policy level.<br><br>If a user has a mobile app with both biometrics and swipe capabilities, biometrics authentication is given priority. |
| **Authenticator app**     |                                                  | Allows a user to authenticate using an authenticator app only, such as Google Authenticator. |
| **Deny**                  |                                                  | Denies access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **Desktop**               |                                                  | Allows a user to authenticate using a desktop app only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **Email**                 |                                                  | Allows a user to authenticate using an email app only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| **FIDO2 Biometrics**      |                                                  | Allows a user to authenticate using the device's built-in biometrics on a FIDO2 biometrics device. This option is only available for web-based policies. |
| **Mobile App Biometrics** |                                                  | Allows a user to authenticate with the PingID mobile app using biometrics authentication only. This action works according to the biometrics configuration defined in the admin portal.<br><br>Swipe authentication is also permitted if the following conditions are met:<br>- If **Device Biometrics** is configured as **Enabled**, and biometrics are not defined on the user's device.<br>- If **Device Biometrics** is not configured as **Require** in the admin configuration page.<br>- If biometrics are not supported on the user's device.<br><br>A one-time passcode fallback is also permitted when selecting this option. |
|                           | DEPRECATED: **Fingerprint (with fallback)**      | * If the primary or selected device is the PingID mobile app, fingerprint authentication is used according to the fingerprint configuration defined in the admin portal. Fingerprint is the preferred method, but it is also possible to authenticate using swipe or a one-time passcode (OTP).<br>* If the primary or selected device is not the PingID mobile app, the user authenticates with that device. |
| **Number matching**       |                                                  | Authentication by number matching is permitted.<br>* Number matching has priority over **Mobile App Biometrics** and **Swipe** authentication methods.<br>* If **Mobile app biometrics** is set to **Require** in the **Configuration** tab, the user must authenticate successfully using biometrics and then authenticate using number matching. |
| **Oath Token**            |                                                  | Allows a user to authenticate using an OATH token only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **One-time passcode**     | **One-time passcode (required)**                 | Allows a user to authenticate using an OTP obtained from the PingID mobile app only. |
|                           | DEPRECATED: **One-time passcode (with fallback)** | - If the primary or selected device is the PingID mobile app, the user must enter an OTP using the mobile app.<br><br>Swipe or fingerprint authentication is not permitted in this case.<br>- If the primary or selected device is not the PingID mobile app, the user authenticates with that device. |
| **SMS**                   |                                                  | Allows a user to authenticate using a passcode obtained by SMS only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **Security Key**          |                                                  | Allows a user to authenticate using a security key only. This option is only available for web-based policies.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **Swipe**                 | **Swipe (required)**                             | Allows a user to authenticate using the PingID mobile app swipe action only.<br><br>An OTP fallback is also possible when selecting this option. |
|                           | DEPRECATED: **Swipe (with fallback)**            | * If the primary or selected device is the PingID mobile app, swipe is always required.<br><br>Even if the user has fingerprint authentication defined on their device, fingerprint is not required in this case.<br>* If the primary or selected device is not the PingID mobile app, the user authenticates with that device. |
| **Voice**                 |                                                  | Allows a user to authenticate using a passcode obtained by a voice message only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **YubiKey**               |                                                  | Allows a user to authenticate using a YubiKey only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
