---
title: Opt-out Multi-Factor Authentication node
description: The Opt-out Multi-Factor Authentication node sets an attribute in the user's profile, which records their decision to skip multi-factor authentication (MFA) on the selected device.
component: auth-node-ref
version: latest
page_id: auth-node-ref::opt-out-multi-factor
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/opt-out-multi-factor.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "Multi-factor Authentication (MFA)"]
page_aliases: ["auth-node-opt-out-multi-factor.adoc"]
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/opt-out-multi-factor.html
section_ids:
  example: Example
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  configuration: Configuration
  outputs: Outputs
  callbacks: Callbacks
  outcomes: Outcomes
  errors: Errors
---

# Opt-out Multi-Factor Authentication node

The Opt-out Multi-Factor Authentication node sets an attribute in the user's profile, which records their decision to skip multi-factor authentication (MFA) on the selected device.

## Example

The following example shows one possible implementation of multi-factor push authentication, which uses this node:

![Multi-factor push authentication](_images/push-nodes-example.png)

> **List of node connections**
>
> | Source node                                                                                                                                                                                   | Outcome path   | Target node                         |
> | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------- |
> | Page Node containing nodes to collect credentials. Implement a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) earlier in the journey. | →              | Data Store Decision                 |
> | Data Store Decision                                                                                                                                                                           | True           | Device Profile Collector            |
> |                                                                                                                                                                                               | False          | Failure                             |
> | Device Profile Collector                                                                                                                                                                      | →              | Push Sender                         |
> | Push Sender                                                                                                                                                                                   | Sent           | Push Wait                           |
> |                                                                                                                                                                                               | Not Registered | MFA Registration Options            |
> |                                                                                                                                                                                               | Skipped        | Success                             |
> | Push Wait                                                                                                                                                                                     | Done           | Push Result Verifier                |
> |                                                                                                                                                                                               | Exit           | Recovery Code Collector Decision    |
> | Push Result Verifier                                                                                                                                                                          | Success        | Success                             |
> |                                                                                                                                                                                               | Failure        | Failure                             |
> |                                                                                                                                                                                               | Expired        | Push Sender                         |
> |                                                                                                                                                                                               | Waiting        | Push Wait                           |
> | MFA Registration Options                                                                                                                                                                      | Register       | Push Registration                   |
> |                                                                                                                                                                                               | Get App        | Get Authenticator App               |
> |                                                                                                                                                                                               | Skip           | Success                             |
> |                                                                                                                                                                                               | Opt-out        | Opt-out Multi-Factor Authentication |
> | Recovery Code Collector Decision                                                                                                                                                              | True           | Success                             |
> |                                                                                                                                                                                               | False          | Retry Limit Decision                |
> | Push Registration                                                                                                                                                                             | Success        | Recovery Code Display Node          |
> |                                                                                                                                                                                               | Failure        | Failure                             |
> |                                                                                                                                                                                               | Time Out       | MFA Registration Options            |
> | Get Authenticator App                                                                                                                                                                         | →              | MFA Registration Options            |
> | Opt-out Multi-Factor Authentication                                                                                                                                                           | →              | Success                             |
> | Retry Limit Decision                                                                                                                                                                          | Retry          | Recovery Code Collector Decision    |
> |                                                                                                                                                                                               | Reject         | Failure                             |
> | Recovery Code Display Node                                                                                                                                                                    | →              | Push Sender                         |

After verifying the user's credentials, evaluation continues to the [Device Profile Collector node](device-profile-collector.html) to collect the device's location and then proceeds to the [Push Sender node](push-sender.html).

**If the user *has* a registered device:**

1. The [Push Sender node](push-sender.html) sends a push notification to their registered device.

2. The [Push Wait node](push-wait.html) pauses authentication for five seconds. During this time, the user can respond to the push notification on their device using an authenticator app.

   If the user exits the [Push Wait node](push-wait.html), they're directed to the [Recovery Code Collector Decision node](recovery-code-collector-decision.html), where they can enter a recovery code to authenticate.

   > Configure the Exit Message property in the [Push Wait node](push-wait.html) with a message, such as `Lost phone? Use a recovery code`, for situations like this.

   A [Retry Limit Decision node](retry-limit-decision.html) allows three attempts to enter a recovery code before failing the authentication.

3. The [Push Result Verifier node](push-result-verifier.html) verifies the user's response:

   * If the user responds positively, they're authenticated successfully and logged in.

   * If the user responds negatively, authentication fails.

   * If the push notification expires, the [Push Sender node](push-sender.html) sends a new push notification.

     > Use a [Retry Limit Decision node](retry-limit-decision.html) to constrain the number of times a new code is sent.

   * If the user hasn't yet responded, the flow loops back a step and the [Push Wait node](push-wait.html) pauses authentication for another 5 seconds.

**If the user *doesn't have* a registered device:**

1. The [MFA Registration Options node](mfa-registration-options.html) presents the user with the following options:

   * Register Device

     The flow continues to the [Push Registration node](push-registration.html), which displays a QR code for the user to scan with their authenticator app.

   * Get the App

     Displayed only if the node is configured to display Get Authenticator App. The flow continues to the [Get Authenticator App node](get-authenticator-app.html), which displays links to download the authenticator app.

   * Skip this step

     Displayed only if the node is configured to allow users to skip registration. In this example, skipping is linked to the `Success` outcome. However, you could provide an alternative authentication flow using an [Inner Tree Evaluator node](inner-tree-evaluator.html), for example.

   * Opt-out

     Displayed only if the node is configured to allow users to skip registration. Evaluation continues to the [Opt-out Multi-Factor Authentication node](opt-out-multi-factor.html), which updates the user's profile to skip MFA with push in the future. In this example, after updating the profile, the flow continues to the `Success` outcome.

2. The user registers the device with the [Push Registration node](push-registration.html).

   After registration, the [Recovery Code Display node](recovery-code-display.html) displays the recovery codes to the user and the flow returns to the [Push Sender node](push-sender.html) to continue push authentication.

> To manage push devices, the user must log in using either the device or a recovery code. Find more information in [Manage devices for MFA](https://docs.pingidentity.com/pingoneaic/am-authentication/authn-mfa-devices.html).

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | Yes        |

## Inputs

* This node requires the `realm` and `username` properties in the incoming node state.

  Implement a [Platform Username node](platform-username.html) earlier in the journey.

* This node requires the `mfaMethod` in the incoming state to know what type of MFA device to update:

  * For push authentication, this node requires the `pushMessageId` in the incoming state, which is a unique ID to identify the push notification request.

    Implement a [Push Sender node](push-sender.html) earlier in the journey.

  * For OATH authentication, implement the [OATH Token Verifier node](oath-token-verifier.html) earlier in the journey.

## Dependencies

This node has no dependencies.

## Configuration

This node has no configurable properties.

## Outputs

This node doesn't change the shared state.

This node updates the user's profile with either the `push2faEnabled` or `oath2faEnabled` attribute to record their decision to opt out.

These are the default attributes but they can be changed in the ForgeRock Authenticator (Push) service or the ForgeRock Authenticator (OATH) service.

## Callbacks

This node doesn't send any callbacks.

## Outcomes

Single outcome path.

## Errors

The node can log the following errors:

* `Expected username to be set`

  The node can't identify the user from the shared state.

* `Expected MFA method to be set`

  The node can't identify the MFA method from the shared state.

* `Unable to set user attribute as skippable`

  The node can't set the relevant attribute for the user's current device.

* `Failed to get the identity object`

  The node can't read the identity of the account.

* `Unsupported MFA method has been set`

  The node can't retrieve the device profile details or the user has an unsupported MFA method set.
