PingOne

PingOne MFA Integration Kit 2.4 (August 2024)

Use basic Velocity template variables in the PingOne MFA templates

New P14C-57293

Made basic variables that are available in most PingFederate HTML templates available in the PingOne MFA templates.

Pair and authenticate a test device

New P14C-58742

Added the ability to pair a test device when adding a multi-factor authentication method and to authenticate with it. A test device causes an OTP to be returned directly in the OTP_REQUIRED response.

Test devices are supported only when initiating an OpenID Connect (OIDC) flow in the authentication API.

To pair and authenticate with a test device, you must:

  1. Add the pi.testDevice parameter to the OIDC request with a value of allow.

  2. Sign the request object with your OIDC client credentials.

  3. When submitting the device target in the authentication API request, add the testMode field to the request with a value of true.

    This applies to the following action models: submitEmailTarget, submitSmsTarget, or submitVoiceTarget. Learn more in Models, objects, and error codes.

Use dynamic linking to give a unique identifier to a FIDO authentication attempt

New P14C-58753

Added the ability to use a custom challenge when authenticating with FIDO (WebAuthn) devices. This enables you to attach meaningful information to the authentication of a FIDO device.

To provide a custom challenge for FIDO authentication, you must:

  1. Add the pi.webAuthn.challenge parameter to the OIDC request with the custom challenge as the value.

  2. Sign the request object with your OIDC client credentials.
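The following added example (not PingOne or PingFederate code) builds a signed request object carrying pi.testDevice and pi.webAuthn.challenge, for both procedures above, then verifies it to show that altering either parameter after signing invalidates the request. It assumes HS256 signing with the client secret and a standard OIDC claim set; the client ID, secret, URLs and challenge value are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, client_secret: str) -> bytes:
    return hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def build_request_object(client_id, client_secret, audience, redirect_uri, pi_params, now=None):
    """Return a compact HS256 JWS with OIDC claims plus the pi.* parameters."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "aud": audience, "client_id": client_id,
              "response_type": "code", "scope": "openid",
              "redirect_uri": redirect_uri, "iat": now, "exp": now + 300}
    claims.update(pi_params)  # e.g. {"pi.testDevice": "allow"}
    header = {"alg": "HS256", "typ": "JWT"}  # assumed algorithm, see lead-in
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input, client_secret))

def verify_request_object(token, client_secret, now=None):
    """Return the claims when signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        head, payload, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        claims = json.loads(b64url_decode(payload))
        supplied, exp = b64url_decode(sig), claims.get("exp", 0)
    except (ValueError, AttributeError):  # bad segment count, base64, JSON or shape
        return None
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        return None
    if not hmac.compare_digest(sign(head + "." + payload, client_secret), supplied):
        return None
    return claims if exp > now else None

if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    token = build_request_object(
        "example-client", "constructed-secret", "https://auth.example.com",
        "https://app.example.com/callback",
        {"pi.testDevice": "allow", "pi.webAuthn.challenge": "constructed-txn-4821"})
    print(verify_request_object(token, "constructed-secret"))
    head, payload, sig = token.split(".")
    forged = json.loads(b64url_decode(payload)) | {"pi.webAuthn.challenge": "other"}
    tampered = ".".join([head, b64url(json.dumps(forged).encode()), sig])
    print(verify_request_object(tampered, "constructed-secret"))  # None
```

Because a test device returns the OTP in the API response, a signed request object containing pi.testDevice should only ever be issued by clients used for testing.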

Rename device during pairing

Improved P14C-52773

Added the ability to give a device a unique nickname during device pairing:

  • Use the PingOne administrative console to configure this setting in the PingOne MFA policy.

  • After you configure the ability to rename devices, users will be presented with a new screen before authentication ends. The user can either enter a nickname and click Done to complete the process, or click Skip if they do not want to give the device a nickname.

  • If you are using the authentication API, a new state (UPDATE_NICKNAME) and two new actions (updateDeviceNickname and skipUpdateDeviceNickname) are available. Learn more in Models, objects, and error codes.

View remaining OTP attempts in HTML templates and authentication API responses

Improved P14C-57444

Added the ability to view the number of one-time passcode (OTP) attempts remaining after entering an invalid OTP.

  • In authentication API responses, the attemptsRemaining field displays this information.

  • In HTML templates that require an OTP, the following error message appears:

This passcode is invalid or has expired. You have <number_of_attempts> attempts remaining.

Bypass MFA for device management operations

Improved P14C-60088

Added the ability to bypass MFA when performing device management operations. Be cautious when using this attribute if you have only one adapter in the authentication policy: in that configuration, MFA is bypassed in the authentication flow entirely, which can lead to a security breach.

Additionally, the Bypass MFA For Device Pairing Attribute field is now the Bypass MFA For Device Management Attribute field.

Overwrite only specific authentication methods

Improved P14C-62072

Added the ability to overwrite only the devices that share a device type with a newly provided device when the adapter identifies new values for SMS, voice, or email devices through Update Authentication Methods.

Additionally, the Overwrite Authentication Methods checkbox is now the Overwrite Authentication Methods Configurations list.

There are three Overwrite Authentication Methods Configurations settings:

  • None (default)

  • All (SMS, Voice, and Email)

  • Specific Methods

Fixed default method persistence

Fixed P14C-55013

Fixed an issue that caused Overwrite Authentication Methods (now Overwrite Authentication Methods Configurations) to change the default device designation. This was applicable when a new device of the same type as the default device was provided, and the default device was overwritten.

Fixed empty device nickname issue

Fixed P14C-58407

Fixed an issue that caused devices to save with an empty nickname instead of reverting to the default device name. This was applicable in configurations where Allow Users to Manage Authentication Methods was selected, if a user clicked Edit Name but cleared the field.

Fixed an issue with FIDO usernameless authentication flow ignoring the PingOne authentication policy

Fixed P14C-60584

Fixed an issue that caused the adapter to always use the default multi-factor authentication (MFA) policy in the FIDO usernameless authentication flow instead of the PingOne MFA policy configured in the PingOne Authentication Policy field.

Fixed device registration limit issue with MFA bypass in the authentication API

Fixed P14C-61122

Fixed an issue that caused users who had already exceeded the device registration limit to proceed several steps into the device registration flow before the flow failed, instead of presenting the MAXIMUM_ALLOWED_METHODS_LIMIT error message at the beginning of the flow. This issue was relevant to configurations that had the Bypass MFA for Device Pairing Attribute checkbox (now Bypass MFA For Device Management Attribute) selected.