PingOne for Customers Passwordless

CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow

The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow lets users sign on, create a new account, or recover an account.

Purpose

The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow is the initial flow in the PingOne for Customers Passwordless solution. It lets existing users sign on using a password and invokes three subflows: the CIAM-Passwordless-Protect-Account-Registration-Subflow flow to let new users register, the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow to let existing users recover their account, and the CIAM-Passwordless-Protect-Device-Authentication-Subflow flow to let existing users sign on using a known device.

Structure

Diagram of the structure as described below.

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.

Check for Session

Uses a PingOne node to determine whether the user has an existing session.

If the user has an existing session, a hidden HTML node initiates the sk-risk component and a PingOne node retrieves user information, then the flow progresses to the PingOne Protect threat detection analysis section. When this section completes, the flow progresses to the Return Success section.

If the user does not have an existing session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Passwordless Sign On Page section.

Check if user is active

Uses a PingOne node to retrieve user information, then uses a series of comparison nodes to verify that the user is enabled, that the user can authenticate, and that the user’s account status is active. If the user information cannot be found or if a condition is not met, an error message is displayed. If the conditions are all met, the flow returns to the previous section.

Offer Passwordless Sign On Page

Uses a function node to check if passwordless is required.

If passwordless is not required, an HTML page is displayed in which the user can enter an email address. If the user submits the form, a PingOne node looks up the user.

  • If the user cannot be found, the flow progresses to the Call Account Recovery Sub-Flow section.

  • If the user is found, a function node checks if the user has a password. If the user doesn’t have a password, the flow progresses to the Check if user is active section. If the user has a password, an HTML node lets the user enter a password and click Continue, Forgot Password, or Back.

The flow then branches based on the user’s selection.

  • If the user clicks Continue, a PingOne node looks up the user, and a function node determines the date of the user’s last sign-on. The flow then progresses to the PingOne Protect threat detection analysis section. When this section completes, a function node checks whether the user is enabled. If the user is enabled, the flow progresses to the Password Authentication section.

  • If the user clicks Forgot Password, the flow progresses to the Call Account Recovery Sub-Flow section.

  • If the user clicks Back, the flow returns to the beginning of the Offer Passwordless Sign On Page section.

If passwordless is required, the flow progresses to the Require Passwordless Sign On Page section.

Require Passwordless Sign On Page

Presents the user with an HTML page on which to enter an email address and then click Sign On or Having Trouble Signing On?.

  • If the user clicks Sign On, a PingOne node searches for a user with the specified email address. The flow then progresses to the Call Device Authentication Sub-Flow section if the user was found, and to the Call Account Registration Sub-Flow section if the user wasn’t found.

  • If the user clicks Having Trouble Signing On?, the flow progresses to the Call Account Recovery Sub-Flow section.

Call Account Recovery Sub-Flow

Invokes the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.

Call Account Registration Sub-Flow

Invokes the CIAM-Passwordless-Protect-Account-Registration-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.

Call Device Authentication Sub-Flow

Uses a PingOne node to read the user’s MFA devices. If the user has no MFA devices, the flow progresses to the Offer Passwordless Sign On Page section. Otherwise, a function node checks the user’s last sign-on, then the flow progresses to the Check if user is active section. When that section completes, the CIAM-Passwordless-Protect-Device-Authentication-Subflow subflow is invoked.

A function node checks whether the user canceled authentication during the subflow. If the user canceled, the flow returns to the Offer Passwordless Sign On Page section. If the user didn’t cancel, the flow progresses to the FIDO2 Registration section. When this section completes, the flow progresses to the Call Check Agreement Sub-Flow section.

Password Authentication

Uses a PingOne node to validate the provided password.

  • If the password is validated successfully, the flow progresses to the FIDO2 Registration section. When this section completes, the flow progresses to the Start MFA Authentication section. When this section completes, a function node checks the user’s password status:

    • If the user’s password status is OK, the flow progresses to the Call Check Agreement Sub-Flow section.

    • If the user’s password status is MUST_CHANGE_PASSWORD or PASSWORD_EXPIRED, the flow progresses to the Call Change Password Sub-Flow section.

  • If the password isn’t validated successfully, an error message is displayed.

Call Change Password Sub-Flow

Invokes the CIAM-Passwordless-Protect-Change-Password-Subflow flow, then displays a success message and progresses to the Return Success section if the subflow completes successfully.

Call Check Agreement Sub-Flow

Invokes the CIAM-Passwordless-Protect-Agreement(ToS)-Subflow flow, then checks if verification is required. If so, the flow progresses to the Call Verify Email Sub-Flow section. If not, the flow progresses to the Handle Remember Me if Applicable section.

Call Verify Email Sub-Flow

Invokes the CIAM-Passwordless-Protect-Verify-Email-Subflow flow. When the subflow completes, the flow progresses to the Handle Remember Me if Applicable section.

Handle Remember Me if Applicable

Adds Remember Me as an authentication method if it’s enabled, then progresses to the Return Success section.

PingOne Protect threat detection analysis

Uses a PingOne node to look up the user, then invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables. A function node then checks whether the device is known and, if it is not, a PingOne node sends an email notification to the user.

A function node then examines the risk score.

  • If the risk score is low, a function node sets the isMFAAuthnRequired value to false. The flow then progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found.

  • If the risk score is medium, a function node sets the isMFAAuthnRequired value to true and a PingOne node retrieves the user’s MFA devices. The flow then progresses to the Start MFA Authentication section if a session was found, or returns to the Password Authentication section if no session was found.

  • If the risk score is high, the flow progresses to the Return Error section.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes send an email notification to the user informing them that their account is disabled and update the user’s status. The flow then progresses to the Return Error section.

Start MFA Authentication

Uses a function node to verify that MFA authentication is required. If MFA authentication is not required, the flow returns to the previous section. If MFA authentication is required, a PingOne node checks for existing devices and an HTML template checks the user’s browser for biometric and security key compatibility. Function nodes then filter the user’s usable devices and check for active devices.

  • If no active device is found, the flow progresses to the Register MFA Device section.

  • If at least one active device is found, the CIAM-Passwordless-Protect-Device-Authentication-Subflow is invoked. If the subflow completes successfully, the flow progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found. If the user canceled authentication during the subflow, the flow progresses to the Return Error section if a session was found, or to the Offer Passwordless Sign On Page section if no session was found.

Register MFA Device

Invokes the CIAM-Passwordless-Protect-Device-Registration-Subflow. If the subflow completes successfully, the flow progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found. If the user canceled authentication during the subflow, the flow progresses to the Return Error section if a session was found, or to the Offer Passwordless Sign On Page section if no session was found.

FIDO2 Registration

Uses function nodes to check if the user’s risk level is low and if the user’s last sign-on was within 30 days.

If either condition isn’t met, the flow returns to the previous section.

If both conditions are met, a PingOne node reads the user’s devices, and a function node confirms that FIDO2 is configured as an MFA device. A function node then checks if FIDO2 is required.

  • If FIDO2 isn’t required, the flow returns to the previous section.

  • If FIDO2 is required, function nodes verify that it’s allowed and enabled for the user.

    • If both conditions are met, the CIAM-Passwordless-Protect-Device-Registration-Subflow flow is invoked, then the flow returns to the previous section.

    • If either condition isn’t met, a function node checks if the user has at least one MFA device. If so, the flow returns to the previous section. If not, the CIAM-Passwordless-Protect-Device-Registration-Subflow flow is invoked, then the flow returns to the previous section.
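The FIDO2 Registration decision above, written out as a stand-alone function so the branches can be tested. This is an added example, not code from PingOne or from the flow's function nodes; the input field names (riskLevel, lastSignOnAt, devices, fidoRequired, fidoAllowed, fidoEnabled) are assumptions, and the confirmation that FIDO2 is configured as an MFA device is taken as already done.

```javascript
// Added example (not PingOne's or the flow's own code). Field names on ctx are
// assumptions; the low-risk gate, the 30-day window and the branch outcomes
// follow the FIDO2 Registration section as documented.
const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// True when lastSignOnAt (ISO-8601 string) falls within the last 30 days.
// A missing, unparseable or future timestamp fails the check.
function signedOnWithin30Days(lastSignOnAt, now = Date.now()) {
  const t = Date.parse(lastSignOnAt);
  if (Number.isNaN(t) || t > now) return false;
  return now - t <= THIRTY_DAYS_MS;
}

// Returns "REGISTER" when the section would invoke the
// CIAM-Passwordless-Protect-Device-Registration-Subflow, or "RETURN" when it
// goes straight back to the previous section.
function decideFido2Registration(ctx, now = Date.now()) {
  // Gate: risk level must be low and the last sign-on recent.
  if (ctx.riskLevel !== "LOW" || !signedOnWithin30Days(ctx.lastSignOnAt, now)) {
    return "RETURN";
  }
  // FIDO2 not required: nothing to register.
  if (!ctx.fidoRequired) return "RETURN";
  // Required, allowed and enabled: register a FIDO2 device.
  if (ctx.fidoAllowed && ctx.fidoEnabled) return "REGISTER";
  // Required but not allowed or not enabled: only register when the user
  // has no MFA device at all.
  const hasMfaDevice = Array.isArray(ctx.devices) && ctx.devices.length > 0;
  return hasMfaDevice ? "RETURN" : "REGISTER";
}

// Constructed sample context for a local run.
const sampleCtx = {
  riskLevel: "LOW",
  lastSignOnAt: "2024-03-01T00:00:00Z",
  devices: [],
  fidoRequired: true,
  fidoAllowed: true,
  fidoEnabled: true,
};
console.log(decideFido2Registration(sampleCtx, Date.parse("2024-03-10T00:00:00Z")));
```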

Return Success

Checks whether a session should be created. If so, it creates a session with a duration specified by a variable. If not, it creates a session with a duration of 1 minute. The flow then sends a success response, indicating that the flow completed successfully.

Return Error

Displays an error screen and sends a JSON error response, indicating that the flow completed unsuccessfully.

Input schema

This flow has no required or optional inputs.

Output schema

This flow has no outputs.

Variables and parameters

This flow uses the following variable and parameter values.

Variable name | Parameter name | Description
ciam_appleEnabled | isAppleEnabled | Indicates whether authentication through Apple is enabled in your environment.
ciam_facebookEnabled | isFacebookEnabled | Indicates whether authentication through Facebook is enabled in your environment.
ciam_googleEnabled | isGoogleEnabled | Indicates whether authentication through Google is enabled in your environment.
ciam_passwordlessRequired | isPasswordlessRequired | Indicates whether passwordless authentication is required for sign-on.
ciam_magicLinkEnabled | isEmailMagicLinkEnabled | Indicates whether magic link is enabled in your environment.
ciam_sessionLengthInMinute | None | The maximum time, in minutes, a user can spend in the flow before it times out.
ciam_logoStyle | None | The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect.
ciam_logoUrl | None | The URL for your company logo. This value is only used when the flow is launched with a redirect.
ciam_companyName | None | The name of your company to display. This value is only used when the flow is launched with a redirect.
ciam_accountRecoveryEnabled | isAccountRecoveryEnabled | A boolean that controls whether account recovery is enabled in your environment.
ciam_smsOtpEnabled | isSmsOTPEnabled | A boolean indicating whether one-time passcode (OTP) by SMS is enabled in your environment.
ciam_emailOtpEnabled | isEmailOTPEnabled | A boolean indicating whether one-time passcode (OTP) by email is enabled in your environment.
ciam_fidoPasskeyEnabled | isFidoPasskeyEnabled | A boolean indicating whether FIDO passkey is enabled in your environment.
ciam_agreementEnabled | isTermsOfServiceEnabled | A boolean indicating whether the terms-of-service agreement is enabled in your environment.