--- title: MFA Registration Options node description: The MFA Registration Options node lets the user register a multi-factor authentication (MFA) device or skip the registration process. component: auth-node-ref version: latest page_id: auth-node-ref::mfa-registration-options canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/mfa-registration-options.html keywords: ["Nodes & Trees", "Journeys", "Authentication", "Multi-factor Authentication (MFA)"] page_aliases: ["auth-node-mfa-registration-options.adoc"] superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/mfa-registration-options.html section_ids: example: Example availability: Availability inputs: Inputs dependencies: Dependencies configuration: Configuration outputs: Outputs callbacks: Callbacks outcomes: Outcomes errors: Errors --- # MFA Registration Options node The MFA Registration Options node lets the user register a multi-factor authentication (MFA) device or skip the registration process. ## Example The following example shows one possible implementation of multi-factor push authentication, which uses this node: ![Multi-factor push authentication](_images/push-nodes-example.png) > **Collapse: Node connections** > > **List of node connections** > > | Source node | Outcome path | Target node | > | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------- | > | Page Node containing nodes to collect credentials.Implement a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) earlier in the journey. | → | Data Store Decision | > | Data Store Decision | True | Device Profile Collector | > | | False | Failure | > | Device Profile Collector | → | Push Sender | > | Push Sender | Sent | Push Wait | > | | Not Registered | MFA Registration Options | > | | Skipped | Success | > | Push Wait | Done | Push Result Verifier | > | | Exit | Recovery Code Collector Decision | > | Push Result Verifier | Success | Success | > | | Failure | Failure | > | | Expired | Push Sender | > | | Waiting | Push Wait | > | MFA Registration Options | Register | Push Registration | > | | Get App | Get Authenticator App | > | | Skip | Success | > | | Opt-out | Opt-out Multi-Factor Authentication | > | Recovery Code Collector Decision | True | Success | > | | False | Retry Limit Decision | > | Push Registration | Success | Recovery Code Display Node | > | | Failure | Failure | > | | Time Out | MFA Registration Options | > | Get Authenticator App | → | MFA Registration Options | > | Opt-out Multi-Factor Authentication | → | Success | > | Retry Limit Decision | Retry | Recovery Code Collector Decision | > | | Reject | Failure | > | Recovery Code Display Node | → | Push Sender | After verifying the user's credentials, evaluation continues to the [Device Profile Collector node](device-profile-collector.html) to collect the device's location and then proceeds to the [Push Sender node](push-sender.html). **If the user *has* a registered device:** 1. The [Push Sender node](push-sender.html) sends a push notification to their registered device. 2. The [Push Wait node](push-wait.html) pauses authentication for five seconds. During this time, the user can respond to the push notification on their device using an authenticator app. If the user exits the [Push Wait node](push-wait.html), they're directed to the [Recovery Code Collector Decision node](recovery-code-collector-decision.html), where they can enter a recovery code to authenticate. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Configure the Exit Message property in the [Push Wait node](push-wait.html) with a message, such as `Lost phone? Use a recovery code` for situations like this. | A [Retry Limit Decision node](retry-limit-decision.html) allows three attempts to enter a recovery code before failing the authentication. 3. The [Push Result Verifier node](push-result-verifier.html) verifies the user's response: * If the user responds positively, they're authenticated successfully and logged in. * If the user responds negatively, authentication fails. * If the push notification expires, the [Push Sender node](push-sender.html) sends a new push notification. | | | | - | ----------------------------------------------------------------------------------------------------------------- | | | Use a [Retry Limit Decision node](retry-limit-decision.html) to constrain the number of times a new code is sent. | * If the user hasn't yet responded, the flow loops back a step and the [Push Wait node](push-wait.html) pauses authentication for another 5 seconds. **If the user *doesn't have* a registered device:** 1. The [MFA Registration Options node](mfa-registration-options.html) presents the user with the following options: * Register Device The flow continues to the [Push Registration node](push-registration.html), which displays a QR code for the user to scan with their authenticator app. * Get the App Displayed only if the node is configured to display Get Authenticator App. The flow continues to the [Get Authenticator App node](get-authenticator-app.html), which displays links to download the authenticator app. * Skip this step Displayed only if the node is configured to allow users to skip registration. In this example, skipping is linked to the `Success` outcome. However, you could provide an alternative authentication flow using an [Inner Tree Evaluator node](inner-tree-evaluator.html) for example. * Opt-out Displayed only if the node is configured to allow users to skip registration. Evaluation continues to the [Opt-out Multi-Factor Authentication node](opt-out-multi-factor.html), which updates the user's profile to skip MFA with push in the future. In this example, after updating the profile, the flow continues to the `Success` outcome. 2. The user registers the device with the [Push Registration node](push-registration.html). After registration, the [Recovery Code Display node](recovery-code-display.html) displays the recovery codes to the user and the flow returns to the [Push Sender node](push-sender.html) to continue push authentication. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To manage push devices, the user must log in using either the device or a recovery code.Find more information in [Manage devices for MFA](https://docs.pingidentity.com/pingoneaic/am-authentication/authn-mfa-devices.html). | ## Availability | Product | Available? | | ------------------------------------- | ---------- | | PingOne Advanced Identity Cloud | Yes | | PingAM (self-managed) | Yes | | Ping Identity Platform (self-managed) | Yes | ## Inputs * This node requires a `username` in the incoming node state to identify which user to update. Implement a [Platform Username node](platform-username.html) earlier in the journey. * This node requires the `mfaMethod` in the incoming state to know what type of MFA device to register: * For push authentication, this node requires the `pushMessageId` in the incoming state, which is a unique ID to identify the push notification request. Implement a [Push Sender node](push-sender.html) earlier in the journey. * For OATH authentication, implement the [OATH Token Verifier node](oath-token-verifier.html) earlier in the journey. ## Dependencies This node has no dependencies. ## Configuration | Property | Usage | | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Remove 'skip' option | Select this option to make it mandatory for the user to register a device. When selected, the Skip this Step and Opt-out buttons aren't displayed.When disabled, the user can skip device registration or opt-out if required. | | Display Get Authenticator App | Select this option to display the Get the App button. | | Message | (Optional) Add a custom, localized message to display to the user with instructions on interacting with this node:> **Collapse: Add instructions** > > 1. Click [icon: plus, set=fa]. > > 2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote) > > 3. In the Value field, enter the message. > > 4. Click Done. > > 5. Repeat to add more messages and save your changes when you're done.Leave blank to use the default message.Default: `On this page you can choose to register, skip or opt-out the second factor authentication method selected to protect your account. If you "Skip", an MFA method will not be registered now, but you will be prompted again on your next login. Otherwise, if you "Opt out", an MFA method will not be registered now and you will not be asked again. This choice is not recommended.` | | Register Device | (Optional) Add custom, localized text to display on the button the user can click to register their device:> **Collapse: Add instructions** > > 1. Click [icon: plus, set=fa]. > > 2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote) > > 3. In the Value field, enter the message. > > 4. Click Done. > > 5. Repeat to add more messages and save your changes when you're done.Leave blank to use the default message.Default: `Register Device` | | Get Authenticator App | (Optional) Add custom, localized text to display on the button the user can click to get the authenticator app:> **Collapse: Add instructions** > > 1. Click [icon: plus, set=fa]. > > 2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote) > > 3. In the Value field, enter the message. > > 4. Click Done. > > 5. Repeat to add more messages and save your changes when you're done.Leave blank to use the default message.Default: `Get the App` | | Skip this Step | (Optional) Add custom, localized text to display on the button the user can click to skip registering their device:> **Collapse: Add instructions** > > 1. Click [icon: plus, set=fa]. > > 2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote) > > 3. In the Value field, enter the message. > > 4. Click Done. > > 5. Repeat to add more messages and save your changes when you're done.Leave blank to use the default message.Default: `Skip this step` | | Opt-out | (Optional) Add custom, localized text to display on the button the user can click to opt out of registering their device:> **Collapse: Add instructions** > > 1. Click [icon: plus, set=fa]. > > 2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote) > > 3. In the Value field, enter the message. > > 4. Click Done. > > 5. Repeat to add more messages and save your changes when you're done.Leave blank to use the default message.Default: `Opt-out` This node doesn't update the user's profile with the opt-out decision. Use the Opt-out outcome in an Opt-out Multi-Factor Authentication node to persist the decision in the user's profile. | (1) Specify a [locale that Java supports](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/Locale.html), such as `en-gb`. Otherwise, the node throws a configuration exception with an `Invalid locale provided` message. ## Outputs This node doesn't change the shared state. ## Callbacks The node sends the following callbacks: * `TextOutputCallback` Contains the Message. * `ConfirmationCallback` Contains the configured MFA registration options and corresponding button text. Learn more in [Supported callbacks](https://docs.pingidentity.com/pingoneaic/am-authentication/callbacks-supported.html). ## Outcomes * `Register` The user chooses to register an MFA device. * `Get App` The user chooses to get the authenticator app. * `Skip` The user chooses to skip registering an MFA device this time. * `Opt-out` The user chooses to opt-out of registering an MFA device. ## Errors The node can log the following errors: * `Expected username to be set` The node can't identify the user from the shared state. * `Expected multi-factor authentication method to be set` The node can't identify the MFA method from the shared state.