--- title: MFA bypass configuration requirements description: To bypass multi-factor authentication (MFA) prompts when managing devices, you must configure at least two adapters in your authentication policy. This is a validation requirement for the Bypass MFA For Device Management Attribute field, to guarantee the user has already completed MFA before reaching the device management step. component: pingone page_id: pingone:pingone_mfa_integration_kit:p1_mfa_ik_mfa_bypass_configuration_requirements canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/p1_mfa_ik_mfa_bypass_configuration_requirements.html revdate: July 14, 2025 section_ids: authentication-policy-requirements: Authentication policy requirements supported-adapter-combinations: Supported adapter combinations using-both-adapters-within-policy-fragments: Using both adapters within policy fragments --- # MFA bypass configuration requirements To bypass multi-factor authentication (MFA) prompts when managing devices, you must configure at least two adapters in your authentication policy. This is a validation requirement for the **Bypass MFA For Device Management Attribute** field, to guarantee the user has already completed MFA before reaching the device management step. ## Authentication policy requirements Your authentication policy must: * Include at least two adapters: 1. An authenticating adapter to perform MFA. 2. A device managing adapter, which must be a PingOne MFA IdP Adapter. * Invoke the authenticating adapter before the device managing adapter. ## Supported adapter combinations Use one of the following adapter combinations: 1. Two PingOne MFA IdP Adapters (preferred combination): * Authenticating Adapter: The first PingOne MFA IdP Adapter. This adapter performs MFA using PingOne MFA. * Device Managing Adapter: The second PingOne MFA IdP Adapter. This adapter manages devices. | | | | - | --------------------------------------------------------------------------------------------- | | | No additional configuration is necessary. The MFA completion status is handled automatically. | 2. A built-in PingFederate adapter and a PingOne MFA IdP Adapter: * Authenticating Adapter: The built-in PingFederate adapter, which must perform MFA or some sort of reassuring authentication. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The built-in PingFederate adapter must include an extended contract attribute named `pingone.mfa.status` with a value of `com.pingidentity.pingone.mfa_completed_externally`. | * Device Managing Adapter: The PingOne MFA IdP Adapter. This adapter uses the `pingone.mfa.status` attribute to verify that MFA was completed earlier in the flow. 3. A custom adapter and a PingOne MFA IdP Adapter: * Authenticating Adapter: The custom adapter, which must perform MFA or some sort of reassuring authentication. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------- | | | The custom adapter must set an attribute named `pingone.mfa.status` with a value of `com.pingidentity.pingone.mfa_completed_externally`. | * Device Managing Adapter: The PingOne MFA IdP Adapter. This adapter uses the `pingone.mfa.status` attribute to verify that MFA was completed earlier in the flow. ## Using both adapters within policy fragments If either or both adapters are wrapped inside policy fragments that are used in the main authentication policy, make sure that the authentication policy contract (APC) used as the output of the fragment includes the `pingone.mfa.status` attribute. This ensures that the `pingone.mfa.status` attribute propagates correctly throughout the fragment so the device managing adapter can access it for evaluation.