--- title: Models, objects, and error codes description: When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the adapter uses the following state models, action models, objects, and error codes: component: pingone page_id: pingone:pingone_mfa_integration_kit:pf-p1-mfa-ik-models-objects-and-error-codes canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf-p1-mfa-ik-models-objects-and-error-codes.html revdate: October 14, 2025 section_ids: state-models: State models assertion_required: ASSERTION_REQUIRED authentication_code_response_required: AUTHENTICATION_CODE_RESPONSE_REQUIRED authentication_required: AUTHENTICATION_REQUIRED biometric_device_authentication_info_required: BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED device_pairing_method_required: DEVICE_PAIRING_METHOD_REQUIRED device_selection_required: DEVICE_SELECTION_REQUIRED update_nickname: UPDATE_NICKNAME email_activation_required: EMAIL_ACTIVATION_REQUIRED email_pairing_target_required: EMAIL_PAIRING_TARGET_REQUIRED mfa_completed: MFA_COMPLETED mfa_device_pairing_method_failed: MFA_DEVICE_PAIRING_METHOD_FAILED mfa_failed: MFA_FAILED mfa_setup_required: MFA_SETUP_REQUIRED mobile_activation_required: MOBILE_ACTIVATION_REQUIRED mobile_pairing_required: MOBILE_PAIRING_REQUIRED one_time_device_otp_method_type_input_required: ONE_TIME_DEVICE_OTP_METHOD_TYPE_INPUT_REQUIRED one_time_device_otp_input_required: ONE_TIME_DEVICE_OTP_INPUT_REQUIRED one_time_device_otp_required: ONE_TIME_DEVICE_OTP_REQUIRED otp_required: OTP_REQUIRED push_confirmation_rejected: PUSH_CONFIRMATION_REJECTED push_confirmation_timed_out: PUSH_CONFIRMATION_TIMED_OUT push_confirmation_waiting: PUSH_CONFIRMATION_WAITING fido2_activation_required: FIDO2_ACTIVATION_REQUIRED security_key_activation_required: SECURITY_KEY_ACTIVATION_REQUIRED platform_activation_required: PLATFORM_ACTIVATION_REQUIRED sms_activation_required: SMS_ACTIVATION_REQUIRED sms_pairing_target_required: SMS_PAIRING_TARGET_REQUIRED totp_activation_required: TOTP_ACTIVATION_REQUIRED voice_activation_required: VOICE_ACTIVATION_REQUIRED voice_pairing_target_required: VOICE_PAIRING_TARGET_REQUIRED whatsapp_activation_required: WHATSAPP_ACTIVATION_REQUIRED whatsapp_pairing_target_required: WHATSAPP_PAIRING_TARGET_REQUIRED oath_token_pairing_target_required: OATH_TOKEN_PAIRING_TARGET_REQUIRED oath_token_activation_required: OATH_TOKEN_ACTIVATION_REQUIRED device_management: DEVICE_MANAGEMENT evaluate_remember_me_device: EVALUATE_REMEMBER_ME_DEVICE manage_remember_me_device: MANAGE_REMEMBER_ME_DEVICE remember-me-user-consent-required: REMEMBER_ME_USER_CONSENT_REQUIRED action-models: Action models checkassertion: checkAssertion selectdevice: selectDevice cancelauthentication: cancelAuthentication managedevices: manageDevices poll: poll authenticate: authenticate continuebiometricdeviceauthentication: continueBiometricDeviceAuthentication selectdevicepairingmethod: selectDevicePairingMethod canceldevicepairing: cancelDevicePairing usepasswordauthentication: usePasswordAuthentication skipupdatedevicenickname: skipUpdateDeviceNickname updatedevicenickname: updateDeviceNickname activateemaildevice: activateEmailDevice resendotp: resendOtp submitemailtarget: submitEmailTarget continueauthentication: continueAuthentication setupmfa: setupMfa skipmfa: skipMfa selectonetimedevicemethod: selectOneTimeDeviceMethod checkotp: checkOtp activatefido2device: activateFido2Device activatesecuritykeydevice: activateSecurityKeyDevice activateplatformdevice: activatePlatformDevice activatesmsdevice: activateSmsDevice submitsmstarget: submitSmsTarget activatetotpdevice: activateTotpDevice activatevoicedevice: activateVoiceDevice submitvoicetarget: submitVoiceTarget activatewhatsappdevice: activateWhatsAppDevice submitwhatsapptarget: submitWhatsAppTarget setdefaultdevice: setDefaultDevice removedevice: removeDevice resumeauthentication: resumeAuthentication submitoathtokentarget: submitOathTokenTarget activateoathtokendevice: activateOathTokenDevice resyncoathtoken: resyncOathToken submit-device-info: submitDeviceInformation submitremembermeuserconsent: submitRememberMeUserConsent objects: Objects device-object: Device object lock-object: Lock object notification-object: Notification object application-object: Application object client-context-object: ClientContext object lifetime-object: LifeTime object user-object: User object resource-ref-object: ResourceRef object public-key-credential-request-options-object: PublicKeyCredentialRequestOptions object allow-credentials-object: AllowCredentials object device-pairing-method-object: DevicePairingMethod object one-time-device-info-object: OneTimeDeviceInfo object one-time-device-for-response-object: OneTimeDeviceForResponse object number-matching-object: NumberMatching object rp-object: RelyingParty object submit-device-info-request-object: SubmitDeviceInformationRequest remember-me-user-consent: SubmitRememberMeUserConsentRequest error-codes: Error codes top-level-error-codes: Top level error codes detail-level-error-codes: Detail level error codes mfa-failed-codes: MFA_FAILED codes --- # Models, objects, and error codes When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)*, the adapter uses the following state models, action models, objects, and error codes: ## State models | | | | - | ------------------------------------------------------------------------------------------------ | | | The first state the adapter returns is either `AUTHENTICATION_REQUIRED` or `ASSERTION_REQUIRED`. | ### `ASSERTION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `publicKeyCredentialRequestOptions` (PublicKeyCredentialRequestOptions) > > > > The `PublicKeyCredentialRequestOptions` object containing data necessary to generate an assertion. Refer to the [PublicKeyCredentialRequestOptions object](#public-key-credential-request-options-object) table. > > > > * `manualPairing` (boolean) > > > > Indicates whether the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `manageDevicesAllowed` (boolean) > > > > Indicates whether the user can add or remove MFA devices at this stage in the authentication flow. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > **Collapse: Actions** > > > > * `checkAssertion` > > > > * `selectDevice` > > > > * `cancelAuthentication` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates that authentication is required. ### `AUTHENTICATION_CODE_RESPONSE_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `authenticationCodeId` (string) > > > > A string that specifies the code request ID. > > > > * `code` (string) > > > > A string that specifies the code. The code is eight characters in length, and it can include numbers and uppercase letters. > > > > * `uri` (string) > > > > A string that specifies a universal link such as https\://www\.example.com/pingonesdk?authentication\_code={{generated token}}). > > > > This property can also set a link to a schema application such as pingoneapp\://pingonesdk?authentication\_code={{generated token}}). > > > > If a universal link or schema application link is not set, the response does not include the pingonesdk?authentication\_code={{generated token}} portion of the URL. > > > > * `userApproval` (string) > > > > An enumeration that specifies whether the mobile device must verify that the user approves the authentication with the scanned code. Options are `REQUIRED` and `NOT_REQUIRED`. > > > > * `expiresAt` (string) > > > > A date that specifies the expiration time of authentication code. > > > > * `updatedAt` (string) > > > > A date that specifies when the resource was last updated. > > > > * `createdAt` (string) > > > > A date that specifies when the resource was created. > > > > * `application` (Application) > > > > Mobile application information. Refer to the [Application object](#application-object) table. > > > > * `clientContext` (ClientContext) > > > > Provides relevant information to the mobile application that can be shown to application users. Refer to the [ClientContext object](#client-context-object) table. > > > > * `lifeTime` (LifeTime) > > > > Specifies the length of time for this authentication code to be valid. Refer to the [LifeTime object](#lifetime-object) table. > > > > * `requestStatus` (string) > > > > A string that specifies the status of the authentication code. Options are `UNCLAIMED` or `CLAIMED`. > > > **Collapse: Actions** > > > > * `poll` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must complete MFA using an authentication code. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | There might be values that you want the client to pass to PingFederate for step-up authentication and transaction approval, such as an SMS message or an email configuration type. However, these values cannot be sent using the PingFederate Authentication API because of security concerns. You can find information on the available parameters and instructions for sending them to PingFederate in [Transaction approval setup](pf_p1_mfa_ik_transaction_approval_setup.html). | ### `AUTHENTICATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > **Collapse: Actions** > > > > * `authenticate` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > Indicates that authentication is required. ### `BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no model. > > > **Collapse: Actions** > > > > * `continueBiometricDeviceAuthentication` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must provide the server name where the fetch originates. ### `DEVICE_PAIRING_METHOD_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devicePairingMethods` (array\[DevicePairingMethod]) > > > > The list of available device pairing methods for MFA. Refer to the [DevicePairingMethod object](#device-pairing-method-object) table. > > > **Collapse: Actions** > > > > * `selectDevicePairingMethod` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must select a device type for MFA to proceed. ### `DEVICE_SELECTION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `maxAllowedDevices` (integer) > > > > Indicates the maximum number of devices and authentication methods that can be added. > > > > * `manualPairing` (boolean) > > > > Indicates whether the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `newPairingAuthRequired` (boolean) > > > > Indicates whether authentication is necessary to pair a new device. Learn more in [Overview of the automatic device pairing flow](pf_p1_mfa_ik_overview_of_the_automatic_device_pairing_flow.html). > > > > * `manageDevicesAllowed` (boolean) > > > > Indicates whether the user can add or remove MFA devices at this stage in the authentication flow. > > > > * `manageDeviceRequested` (boolean) > > > > Indicates whether the user initiated device management from authentication state. > > > > * `deviceManagementState` (boolean) > > > > Indicates whether the user is eligible to manage their devices. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > > * `usePasswordAuthenticationEnabled` (boolean) > > > > Indicates whether password authentication is enabled. Learn more in the **Use Password Config Attribute** table entry in [PingOne MFA IdP Adapter settings reference](pf_p1_mfa_ik_p1_mfa_idp_adapter_settings_reference.html). > > > **Collapse: Actions** > > > > * `cancelAuthentication` > > > > * `selectDevice` > > > > * `usePasswordAuthentication` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates that device selection is required, and that the user has more than one device. ### `UPDATE_NICKNAME` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no model. > > > **Collapse: Actions** > > > > * `skipUpdateDeviceNickname` > > > > * `updateDeviceNickname` > > > **Collapse: Description** > > > > The user can nickname their device before completing device pairing. ### `EMAIL_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `otp` (string) > > > > When `testMode` is true, the response contains and returns an OTP. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `notification` (Notification) > > > > Indicates the time until which the user must wait before being allowed to resend the OTP. > > > > * `email` (string) > > > > The user's specified email address for MFA. > > > **Collapse: Actions** > > > > * `activateEmailDevice` > > > > * `resendOtp` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their email activation code to complete the device pairing. ### `EMAIL_PAIRING_TARGET_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `allowedValue` (string) > > > > If empty, a user can enter any email or phone number. Otherwise, only a pre-defined email or phone number is allowed. > > > **Collapse: Actions** > > > > * `submitEmailTarget` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit an email address for MFA. ### `MFA_COMPLETED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `code` (string) > > > > The success code. Learn more in [PingOne MFA status attributes reference](pf_p1_mfa_ik_p1_mfa_status_attributes_reference.html). > > > **Collapse: Actions** > > > > * `continueAuthentication` > > > **Collapse: Description** > > > > Indicates a successful multi-factor authentication (MFA) *(tooltip: \
> > \

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

> > \
)* attempt. The API client must call `continueAuthentication` in order to progress in the flow, and to complete it. ### `MFA_DEVICE_PAIRING_METHOD_FAILED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `code` (string) > > > > The error code. > > > > * `message` (string) > > > > The developer-facing error message. > > > > * `userMessage` (string) > > > > The user-facing error message. > > > **Collapse: Actions** > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The device pairing method has failed. The device integrity check determined that the device is jailbroken (iOS) or rooted (Android). ### `MFA_FAILED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `code` (string) > > > > The error code. > > > > * `message` (string) > > > > The developer-facing error message. > > > > * `userMessage` (string) > > > > The user-facing error message. > > > > * `secondsUntilUnlock` (integer) > > > > The number of seconds until the account is automatically unlocked. Applies only when the account is locked. > > > > | | | > > | - | ----------------------------------------------------------------------------------- | > > | | You can find more information in the [`MFA_FAILED` codes](#mfa-failed-codes) table. | > > > **Collapse: Actions** > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > Indicates a dead end. The API client can proceed in the flow by calling `cancelAuthentication`. The adapter will return a FAILURE status. ### `MFA_SETUP_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no model. > > > **Collapse: Actions** > > > > * `setupMfa` > > > > * `skipMfa` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must set up a device for MFA. ### `MOBILE_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `applicationName` (string) > > > > The name of the native application associated with this device. > > > > * `pairingKey` (string) > > > > The pairing key used to pair the mobile device. > > > **Collapse: Actions** > > > > * `poll` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must activate their mobile device to complete the device pairing. ### `MOBILE_PAIRING_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `serverPayload` (string) > > > > The PingOne ID token. > > > > The server payload is a data package created by the SDK server, which should be passed to the SDK component in the customer mobile application. It contains instructions for pairing. > > > **Collapse: Actions** > > > > * `continueAuthentication` > > > **Collapse: Description** > > > > Indicates that mobile pairing is required. ### `ONE_TIME_DEVICE_OTP_METHOD_TYPE_INPUT_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[OneTimeDeviceInfo]) > > > > The list of all one-time device OTP objects. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > **Collapse: Actions** > > > > * `selectOneTimeDeviceMethod` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must select the one-time device from the list to proceed ahead with authentication flow. ### `ONE_TIME_DEVICE_OTP_INPUT_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[OneTimeDeviceForResponse]) > > > > The list of all one-time device OTP objects. > > > > * `selectedDevice` (OneTimeDeviceForResponse) > > > > Refer to the [OneTimeDeviceForResponse object](#one-time-device-for-response-object) table. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `notification` (Notification) > > > > Indicates the time until which the user must wait before being allowed to resend the OTP. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication > > > **Collapse: Actions** > > > > * `checkOtp` > > > > * `selectOneTimeDeviceMethod` > > > > * `resendOtp` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > Indicates that OTP is required. This state is returned when the user is prompted to provide an OTP. The OTP is sent to the user in an SMS, voice call, or email. ### `ONE_TIME_DEVICE_OTP_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `otp` (string) > > > > The OTP used for MFA. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `manageDevicesAllowed` (boolean) > > > > Indicates whether the user can add or remove MFA devices at this stage in the authentication flow. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > > * `manualPairing` (boolean) > > > > Indicates whether the user has initiated the MFA pairing process. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > **Collapse: Actions** > > > > * `checkOtp` > > > > * `selectDevice` > > > > * `resendOtp` > > > > * `manageDevices` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > Indicates that one-time passcode (OTP) *(tooltip: \
> > \

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

> > \
)* is required. This state is returned when the user is prompted to provide an OTP. > > > > The OTP is sent to the user in an SMS, voice call, or email. > > > > | | | > > | - | ------------------------------------------------- | > > | | To resend the OTP, use the `selectDevice` action. | ### `OTP_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `otp` (string) > > > > The OTP used for MFA. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `manualPairing` (boolean) > > > > Indicates the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `manageDevicesAllowed` (boolean) > > > > Indicates whether the user can add or remove MFA devices at this stage in the authentication flow. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > **Collapse: Actions** > > > > * `cancelAuthentication` > > > > * `checkOtp` > > > > * `selectDevice` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates that OTP *(tooltip: \
> > \

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

> > \
)* is required. This state is returned when the user is prompted to provide an OTP. The OTP is either: > > > > * Sent to the user in an SMS, voice call, or email. > > > > * Displayed in the user's authenticator app. > > > > | | | > > | - | ------------------------------------------------- | > > | | To resend the OTP, use the `selectDevice` action. | ### `PUSH_CONFIRMATION_REJECTED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `reason` (string) > > > > The reason why the push confirmation was rejected. Possible values: > > > > * `DENIED_BY_USER` > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `manualPairing` (boolean) > > > > Indicates the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > **Collapse: Actions** > > > > * `cancelAuthentication` > > > > * `selectDevice` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates that the user rejected the push notification. ### `PUSH_CONFIRMATION_TIMED_OUT` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `manualPairing` (boolean) > > > > Indicates the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > **Collapse: Actions** > > > > * `cancelAuthentication` > > > > * `selectDevice` > > > > * `checkOtp` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates a push timeout state. ### `PUSH_CONFIRMATION_WAITING` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `devices` (array\[Device]) > > > > The list of all devices associated with the user. Refer to the [Device object](#device-object) table. > > > > * `user` (User) > > > > A user. Refer to the [User object](#user-object) table. > > > > * `selectedDeviceRef` (ResourceRef) > > > > A reference to a resource using an identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > > * `numberMatching `(NumberMatching) > > > > Represents the configuration for mobile authentication number matching. Refer to the [NumberMatching object](#number-matching-object) table. > > > > * `manualPairing` (boolean) > > > > Indicates the user has initiated the MFA pairing process. > > > > * `userSelectedDefault` (boolean) > > > > Indicates whether the **Method Selection** list in the PingOne MFA policy is set to **User selected default** device, **Prompt user to select**, or **Always display devices**. > > > > * `changeDevicePermitted` (boolean) > > > > Indicates whether the user can switch devices used for authentication. > > > > * `manageDevicesAllowed` (boolean) > > > > Indicates whether the user can add or remove MFA devices at this stage in the authentication flow. > > > > * `manualPairingPermitted` (boolean) > > > > Indicates whether manual pairing is permitted at this stage in the authentication flow. > > > **Collapse: Actions** > > > > * `poll` > > > > * `cancelAuthentication` > > > > * `selectDevice` > > > > * `checkOtp` > > > > * `manageDevices` > > > **Collapse: Description** > > > > Indicates that a push was sent to the user. > > > > | | | > > | - | ------------------------------------------------------------------------------------------------- | > > | | To get the final push confirmation state, the API client can either call the poll, or call `GET`. | ### FIDO2\_ACTIVATION\_REQUIRED > **Collapse: State details** > > > **Collapse: Response model** > > > > * `relyingParty` (RelyingParty) > > > > A relying party. Refer to the [RelyingParty object](#rp-object) table. > > > > * `publicKeyCredentialCreationOptions` (string) > > > > A JSON serialization of the client data returned for registering a FIDO2 device. > > > **Collapse: Actions** > > > > * `activateFido2Device` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must pair their FIDO2 device with the browser to complete the pairing. ### `SECURITY_KEY_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `relyingParty` (RelyingParty) > > > > A relying party. Refer to the [RelyingParty object](#rp-object) table. > > > > * `publicKeyCredentialCreationOptions` (string) > > > > A JSON serialization of the client data returned for registering a FIDO2 device. > > > **Collapse: Actions** > > > > * `activateSecurityKeyDevice` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must pair their security key with the browser to complete the device pairing. ### `PLATFORM_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `relyingParty` (RelyingParty) > > > > A relying party. Refer to the [RelyingParty object](#rp-object) table. > > > > * `publicKeyCredentialCreationOptions` (string) > > > > A JSON serialization of the client data returned for registering a FIDO2 device. > > > **Collapse: Actions** > > > > * `activatePlatformDevice` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must pair their biometrics with the browser to complete the device pairing. ### `SMS_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `otp` (string) > > > > When `testMode` is true, the response contains and returns an OTP. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `notification` (Notification) > > > > Indicates the time until which the user must wait before being allowed to resend the OTP. > > > > * `phone` (string) > > > > The user's specified phone number for MFA. > > > **Collapse: Actions** > > > > * `activateSmsDevice` > > > > * `resendOtp` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their SMS activation code to complete the device pairing. ### `SMS_PAIRING_TARGET_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `allowedValue` (string) > > > > If empty, a user can enter any email or phone number. Otherwise, only a pre-defined email or phone number is allowed. > > > **Collapse: Actions** > > > > * `submitSmsTarget` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit a phone number for MFA. ### `TOTP_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `pairingKey` (string) > > > > The pairing key used to pair the mobile device. > > > > * `keyUri` (string) > > > > The URI format of the QR code. > > > **Collapse: Actions** > > > > * `activateTotpDevice` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their authenticator activation code to complete the Time-based One-Time Password (TOTP) *(tooltip: \
> > \

A temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Typically, an app or hardware token generates a 6-digit passcode that is valid for less than 1 minute.\

> > \
)* device pairing. ### `VOICE_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `otp` (string) > > > > When `testMode` is true, the response contains and returns an OTP. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `notification` (Notification) > > > > Indicates the time until which the user must wait before being allowed to resend the OTP. > > > > * `phone` (string) > > > > The user's specified phone number for MFA. > > > **Collapse: Actions** > > > > * `activateVoiceDevice` > > > > * `resendOtp` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their voice activation code to complete the device pairing. ### `VOICE_PAIRING_TARGET_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `allowedValue` (string) > > > > If empty, a user can enter any email or phone number. Otherwise, only a pre-defined email or phone number is allowed. > > > **Collapse: Actions** > > > > * `submitVoiceTarget` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit a phone number for MFA. ### WHATSAPP\_ACTIVATION\_REQUIRED > **Collapse: State details** > > > **Collapse: Response model** > > > > * `otp` (string) > > > > When `testMode` is true, the response contains and returns an OTP. > > > > * `otpLifetime` (Lifetime) > > > > The lifespan of the OTP, indicating the time period for which the OTP is valid. > > > > * `otpLength` (integer) > > > > The number of digits that make up the OTP presented to the user. > > > > * `notification` (Notification) > > > > Indicates the time until which the user must wait before being allowed to resend the OTP. > > > > * `phone` (string) > > > > The user's specified phone number for MFA. > > > **Collapse: Actions** > > > > * `activateWhatsAppDevice` > > > > * `resendOtp` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their WhatsApp activation code to complete the device pairing. ### WHATSAPP\_PAIRING\_TARGET\_REQUIRED > **Collapse: State details** > > > **Collapse: Response model** > > > > * `allowedValue` (string) > > > > If empty, a user can enter any email or phone number. Otherwise, only a pre-defined email or phone number is allowed. > > > **Collapse: Actions** > > > > * `submitWhatsAppTarget` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit a phone number for MFA. ### `OATH_TOKEN_PAIRING_TARGET_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no models. > > > **Collapse: Actions** > > > > * `submitOathTokenTarget` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit a valid OATH token serial number to complete the device pairing. ### `OATH_TOKEN_ACTIVATION_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `serialNumber` (string) > > > > The user's specified OATH token serial number for MFA. > > > **Collapse: Actions** > > > > * `activateOathTokenDevice` > > > > * `cancelDevicePairing` > > > > * `cancelAuthentication` > > > **Collapse: Description** > > > > The user must submit their OATH token activation code to complete the device pairing. ### `DEVICE_MANAGEMENT` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no model. > > > **Collapse: Actions** > > > > * `setDefaultDevice` > > > > * `setupMfa` > > > > * `removeDevice` > > > > * `updateDeviceNickname` > > > > * `resumeAuthentication` > > > > * `resyncOathToken` > > > **Collapse: Description** > > > > The user can add a new device, set an existing device as the default device, remove an existing device, or rename an existing device. ### `EVALUATE_REMEMBER_ME_DEVICE` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `deviceProfileTimeoutMillis` (integer) > > > > The amount of time, in milliseconds, that the PingFederate Authentication API waits for the device information submission. > > > **Collapse: Actions** > > > > * `submitDeviceInformation` > > > **Collapse: Description** > > > > Provide device information to determine whether the current device is remembered. ### `MANAGE_REMEMBER_ME_DEVICE` > **Collapse: State details** > > > **Collapse: Response model** > > > > * `deviceProfileTimeoutMillis` (integer) > > > > The amount of time, in milliseconds, that the PingFederate Authentication API waits for the device information submission. > > > **Collapse: Actions** > > > > * `submitDeviceInformation` > > > **Collapse: Description** > > > > Provide device information to create a remembered device for the current browser. ### `REMEMBER_ME_USER_CONSENT_REQUIRED` > **Collapse: State details** > > > **Collapse: Response model** > > > > This state has no model. > > > **Collapse: Actions** > > > > * `submitRememberMeUserConsent` > > > **Collapse: Description** > > > > This state prompts you to confirm whether a remembered device should be created. ## Action models ### `checkAssertion` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `assertion` (string) (required) > > > > A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action. > > > > * `origin` (string) (required) > > > > A string that specifies the server name where the fetch originates, providing the URI scheme and hostname. > > > > * `compatibility` (string) (required) > > > > A string that specifies the browser compatibility to support webauthn. Options are `FULL` (compatible with FIDO2 biometrics and security key), `SECURITY_KEY_ONLY` (compatible with security key only), and `NONE` (browser is not compatible with the webauthn method). > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_ASSERTION` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Validate the assertion from the user. ### `selectDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `deviceRef` (ResourceRef) (required) > > > > The device identifier. > > > > * `mobilePayload` (string) > > > > The mobile payload is a small data package created by the PingOne Mobile SDK component that identifies the device, which is used as part of the device's authorization. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_DEVICE`, `INVALID_MOBILE_PAYLOAD`, or `CHANGE_AUTHENTICATION_METHOD_NOT_ALLOWED`. > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `OTP_RESEND_LIMIT`, `PUSH_FAILED`, or `TOTP_ATTEMPTS_LIMIT`. > > > **Collapse: Description** > > > > Starts an authentication attempt with the specified device ID. For example: > > > > ```json > > { > > "deviceRef": > > { > > "id": "" > > } > > } > > ``` > > > > If another authentication attempt was already in progress, that in-progress attempt is canceled before the new attempt starts. > > > > This action is available only when the user has at least one device. It can also be used as an authentication retry. > > > > A mobile payload is required if a user requests access from an untrusted mobile app and needs to select one of their trusted devices to approve or deny access. > > > > | | | > > | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > > | | To return to the `DEVICE_SELECTION_REQUIRED` state, you must enter a request payload such as the following:```json > > { > > "deviceRef": { > > "id": "" > > } > > } > > ``` | ### `cancelAuthentication` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > This action cancels the current authentication step. ### `manageDevices` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Starts the device management flow. If **Bypass MFA for Device Management Attribute** isn't enabled and the user hasn't completed MFA yet, they'll be prompted to do so. ### `poll` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > * Error: `REQUEST_FAILED` > > > > * Error: `VALIDATION_ERROR` > > > **Collapse: Description** > > > > This action returns the authentication code request status. ### `authenticate` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `mobilePayload` (string) > > > > The mobile payload is a small data package created by the PingOne Mobile SDK component that identifies the device, which is used as part of the device's authorization. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_MOBILE_PAYLOAD` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Starts an authentication flow. The mobile payload is required in cases of mobile app access. The presence or absence of the mobile payload determines whether the flow is a mobile or web authentication, respectively. You cannot switch midway between mobile and web authentication flows. ### `continueBiometricDeviceAuthentication` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `origin` (string) > > > > A string that specifies the server name where the fetch originates. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Continue with biometric device authentication. ### `selectDevicePairingMethod` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `devicePairingMethod` (DevicePairingMethod) > > > > Refer to the [DevicePairingMethod object](#device-pairing-method-object) table. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_DEVICE_PAIRING_METHOD` > > > **Collapse: Description** > > > > Select a device pairing method to pair as a new MFA device. ### `cancelDevicePairing` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Cancel the MFA pairing process. ### `usePasswordAuthentication` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Exit from the MFA authentication flow with the `UsePassword` policy action to proceed with the next configured adapter for this policy action in the policy tree. ### `skipUpdateDeviceNickname` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Skip updating the device nickname during the device pairing flow. ### `updateDeviceNickname` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `id` (string) (required) > > > > Unique identifier of a trusted device in the PingOne MFA server. > > > > * `nickname` (string) (required) > > > > The device's nickname. > > > **Collapse: Errors** > > > > * Error: `RESOURCE_NOT_FOUND` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Give a unique nickname to a device. ### `activateEmailDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_OTP` > > > > * Error: `REQUEST_FAILED` > > > > Error detail: `OTP_ATTEMPTS_LIMIT` > > > **Collapse: Description** > > > > Submit the email activation code to complete the device pairing. ### `resendOtp` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > * Error: `REQUEST_FAILED` > > > > Error detail: `OTP_RESEND_LIMIT` > > > **Collapse: Description** > > > > Resend the OTP to the previously selected device. ### `submitEmailTarget` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `testMode` (boolean) > > > > Determines whether this MFA device is configured as a test device. > > > > * `email` (string) (required) > > > > The user's specified email address for MFA. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_EMAIL` or `INVALID_REQUEST` > > > **Collapse: Description** > > > > Pair an email address for use as a new MFA device. ### `continueAuthentication` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > This action continues the current authentication flow. ### `setupMfa` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `MAXIMUM_ALLOWED_METHODS_LIMIT` > > > **Collapse: Description** > > > > Begins the MFA pairing process. ### `skipMfa` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Skip the MFA pairing process. ### `selectOneTimeDeviceMethod` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `deviceRef` (ResourceRef) (required) > > > > Refer to the [ResourceRef object](#resource-ref-object) table. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Starts the one-time device OTP authentication flow for the selected device. ### `checkOtp` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_OTP` > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `OTP_ATTEMPTS_LIMIT` > > > **Collapse: Description** > > > > Validates the provided OTP. ### `activateFido2Device` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `origin` (string) (required) > > > > A string that specifies the server name where the fetch originates, providing the URI scheme and hostname. > > > > * `attestation` (string) (required) > > > > The attestation generated by the browser as a response to a user action, such as a fingerprint or click on the security key. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > **Collapse: Description** > > > > Submit the FIDO2 browser response to complete the device pairing. ### `activateSecurityKeyDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `origin` (string) (required) > > > > A string that specifies the server name where the fetch originates, providing the URI scheme and hostname. > > > > * `attestation` (string) (required) > > > > The attestation generated by the browser as a response to a user action, such as a fingerprint or click on the security key. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > **Collapse: Description** > > > > Submit the FIDO2 browser response to complete the device pairing. ### `activatePlatformDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `origin` (string) (required) > > > > A string that specifies the server name where the fetch originates, providing the URI scheme and hostname. > > > > * `attestation` (string) (required) > > > > The attestation generated by the browser as a response to a user action, such as a fingerprint or click on the security key. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > **Collapse: Description** > > > > The user must pair their biometrics with the browser to complete the device pairing. ### `activateSmsDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_OTP` > > > > * Error: `REQUEST_FAILED` > > > > Error detail: `OTP_ATTEMPTS_LIMIT` > > > **Collapse: Description** > > > > Submit the SMS activation code to complete the device pairing. ### `submitSmsTarget` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `testMode` (boolean) > > > > Determines whether this MFA device is configured as a test device. > > > > * `phone` (string) (required) > > > > The user's phone number for MFA. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_PHONE` or `INVALID_REQUEST` > > > **Collapse: Description** > > > > Pair a phone number for use as a new MFA device. ### `activateTotpDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_OTP` > > > > * Error: `REQUEST_FAILED` > > > > Error detail: `OTP_ATTEMPTS_LIMIT` > > > **Collapse: Description** > > > > Activate an authenticator for use as a new MFA device. > > > > Submit the authenticator activation code to complete the device pairing. ### `activateVoiceDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_OTP` > > > > * Error: `REQUEST_FAILED` > > > > Error detail: `OTP_ATTEMPTS_LIMIT` > > > **Collapse: Description** > > > > Submit the voice activation code to complete the device pairing. ### `submitVoiceTarget` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `testMode` (boolean) > > > > Determines whether this MFA device is configured as a test device. > > > > * `phone` (string) (required) > > > > The user's phone number for MFA. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > Error detail: `INVALID_PHONE` or `INVALID_REQUEST` > > > **Collapse: Description** > > > > Pair a phone number for use as a new MFA device. ### `activateWhatsAppDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_OTP`. > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `OTP_ATTEMPTS_LIMIT`. > > > **Collapse: Description** > > > > Submit the WhatsApp activation code to complete the device pairing. ### `submitWhatsAppTarget` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `testMode` (boolean) > > > > Determines whether this MFA device is configured as a test device. > > > > * `phone` (string) (required) > > > > The user's phone number for MFA. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_PHONE` or `INVALID_REQUEST`. > > > **Collapse: Description** > > > > Submit a phone number for use as a new multi-factor authentication device. ### `setDefaultDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `deviceRef` (ResourceRef) (required) > > > > The device identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > * Error: `REQUEST_FAILED` > > > **Collapse: Description** > > > > Sets the user's default authentication device. For example: > > > > ```json > > { > > "deviceRef": > > { > > "id": "" > > } > > } > > ``` > > > > If another authentication attempt was already in progress, that in-progress attempt is canceled before the new attempt starts. > > > > This action is available only when the user has at least one device. It can also be used as an authentication retry. > > > > A mobile payload is required if a user requests access from an untrusted mobile app and needs to select one of their trusted devices to approve or deny access. ### `removeDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `deviceRef` (ResourceRef) (required) > > > > The device identifier. Refer to the [ResourceRef object](#resource-ref-object) table. > > > **Collapse: Errors** > > > > * Error: `INVALID_REQUEST` > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `FIELD_REQUIRED`, `INVALID_DEVICE`, or `UNRECOGNIZED_FIELD_NAME`. > > > **Collapse: Description** > > > > Remove a device. > > > > You can find an example `deviceRef` in the `selectDevice` table entry. ### `resumeAuthentication` > **Collapse: Action details** > > > **Collapse: Request model** > > > > This action has no model. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Returns to the next step in the authentication flow after completing device management if MFA is already complete. Otherwise, returns to the `DEVICE_SELECTION_REQUIRED` state. ### `submitOathTokenTarget` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `serialNumber` (string) (required) > > > > The serial number of the OATH token device. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_SERIAL_NUMBER` or `DUPLICATE_SERIAL_NUMBER`. > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `TOKEN_LOCKED`. > > > **Collapse: Description** > > > > Submit an OATH token serial number to complete the device pairing. ### `activateOathTokenDevice` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `otp` (string) (required) > > > > The OTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_OTP` or `EXTRA_OTP_REQUIRED`. > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `OTP_ATTEMPTS_LIMIT`. > > > **Collapse: Description** > > > > Submit the OATH token activation code to complete the device pairing. ### `resyncOathToken` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `id` (string) (required) > > > > Unique identifier of a trusted device in the PingOne MFA server. > > > > * `otp` (string) (required) > > > > The TOTP submitted by the user. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `INVALID_OTP`, `INVALID_DEVICE`, or `EXTRA_OTP_REQUIRED`. > > > > * Error: `REQUEST_FAILED` > > > > ErrorDetail: `OTP_ATTEMPTS_LIMIT` or `TOKEN_LOCKED`. > > > **Collapse: Description** > > > > Re-sync the OATH token device. ### `submitDeviceInformation` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `submitDeviceInformationRequest` (SubmitDeviceInformationRequest) > > > > Refer to the [SubmitDeviceInformationRequest](#submit-device-info-request-object) table. > > > **Collapse: Errors** > > > > * Error: `VALIDATION_ERROR` > > > > ErrorDetail: `BROWSER_FINGERPRINT_REQUIRED`. > > > **Collapse: Description** > > > > Submit device information to evaluate whether the device is trusted or create a remembered device for the current browser. ### `submitRememberMeUserConsent` > **Collapse: Action details** > > > **Collapse: Request model** > > > > * `submitRememberMeUserConsentRequest` (SubmitRememberMeUserConsentRequest) > > > > Refer to the [SubmitRememberMeUserConsentRequest](#remember-me-user-consent) table. > > > **Collapse: Errors** > > > > This action has no errors. > > > **Collapse: Description** > > > > Submit a response to whether a remembered device should be created for the current browser, or whether to display this prompt again. ## Objects ### Device object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | `id` | String | The unique identifier of a trusted device in the PingOne MFA server. | > | `type` | String | The model of the device. For example, `iPhone 5S`. This parameter is empty for OTP devices (SMS, voice, email, TOTP). | > | `target` | String | The device's masked email address or phone number. | > | `name` | String | The name of the device. For example, `iPhone 5S`. This parameter is empty for OTP devices (SMS, voice, email, TOTP). | > | `applicationId` | String | The ID of the customer mobile application. | > | `applicationVersion` | String | The device's application version. | > | `osVersion` | String | The device's operating system version. | > | `usable` | Boolean | Indicates whether the device is usable. | > | `nickname` | String | The device's nickname. | > | `rpId` | String | The relying party identifier if the device type is Security Key or Platform (Biometrics). | > | `pushEnabled` | Boolean | Indicates whether the device is push enabled, if the device is a mobile application. For other device types, this attribute is omitted. | > | `otpEnabled` | Boolean | Indicates whether the device is OTP enabled, if the device is a mobile application. For other device types, this attribute is omitted. | > | `defaultDevice` | Boolean | Indicates whether this device is the default device. | > | `applicationName` | String | Application name for mobile device. | > | `lock` | Lock object | Contains lock details if the device is locked, otherwise null.Refer to the [Lock object](#lock-object) table. | > | `notification` | Notification object | Represents notification details. Primarily used to track the cooldown period when a device is restricted from receiving further notifications due to the maximum limit being reached.Refer to the [Notification object](#notification-object) table. | ### Lock object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------- | ------------------------------------------------------------ | > | `status` | String | Indicates whether the associated device is locked. | > | `expiresAt` | Integer | Indicates how long the associated device will remain locked. | ### Notification object > **Collapse: Object details** > > | Parameter name | Type | Description | > | ------------------- | ------- | ------------------------------------------------------------------------- | > | `coolDownExpiresAt` | Integer | Indicates when notifications will be sent to the associated device again. | > | `status` | String | Indicates whether the associated device is on a notification cooldown. | > | `expiresAt` | Integer | Indicates notification cooldown expiration of unusable devices. | ### Application object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | > | `id` | String | A string that specifies the ID of a mobile application for which the code is valid. Only the specified mobile application can scan the QR code. | ### ClientContext object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | ------------------------------ | > | `header` | String | The client information header. | > | `body` | String | The client information body. | ### LifeTime object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------- | ---------------------------------------------------------------------------------------------------------------- | > | `duration` | Integer | Specifies the length of time for this authentication code to be valid. | > | `timeUnit` | String | A string that specifies the time unit for the `lifeTime.duration` property. Options are `SECONDS` and `MINUTES`. | ### User object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | ------------------------------------------------------------------------ | > | `id` | String | The user's unique identifier. | > | `username` | String | The user's PingOne user ID or username that was mapped into the adapter. | ### ResourceRef object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | -------------------------- | > | `id` | String | The resource's identifier. | ### PublicKeyCredentialRequestOptions object > **Collapse: Object details** > > | Parameter Name | Type | Description | > | ------------------ | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | `challenge` | Array | The challenge to generate. | > | `timeout` | Integer | Indicates how long in milliseconds, the challenge will remain valid. | > | `rpId` | String. | The relying party identifier. | > | `userVerification` | String | Indicates the relying party's user verification requirements.Learn more about user verification in [Web Authentication: An API for accessing Public Key Credentials Level 2 (section 5.4.4)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-userverification) in the W3C documentation. | > | `allowCredentials` | Array (AllowCredentials) | An array of `AllowCredentials` objects.You can find more information in the [Allow credentials (AllowCredentials) object](#allow-credentials-object) table. | ### AllowCredentials object > **Collapse: Object details** > > | Parameter Name | Type | Description | > | -------------- | ------ | ----------------------------------------------------------- | > | `type` | String | The credential type. | > | `id` | Array | An array of bytes used to uniquely identify the credential. | ### DevicePairingMethod object > **Collapse: Object details** > > | Parameter name | Type | Description | > | ---------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | DevicePairingMethod object | | | > | `deviceType` | String | The type of the device. | > | MobileDevicePairingMethod object | | | > | `applicationName` | String | The name of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted. | > | `applicationId` | String | The ID of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted. | > | WebAuthnDevicePairingMethod object | | | > | `relyingPartyId` | String | Specifies the server name or relying party initiating the request. Required to initiate pairing requests of security key and biometrics devices. If not provided, the PingFederate domain is used. | > | `relyingPartyName` | String | Identifies the server name or relying party initiating the request. Required to initiate pairing requests of security key and biometrics devices. If not provided, the string `PingFederate` is used. | > | `userAgent` | String | User agent of the device initiating the pairing request. Applicable only for platform and biometrics device pairing requests. It is passed to PingOne so it can accurately capture additional platform information of the device. | ### OneTimeDeviceInfo object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------- | > | `type` | String | The device type. | > | `target` | String | The device target. | > | `id` | String | The device id. | > | `oneTimeDeviceForResponse` | Device | Refer to the [One-time device for response (OneTimeDeviceForResponse) object](#one-time-device-for-response-object) table. | ### OneTimeDeviceForResponse object > **Collapse: Object details** > > | Parameter Name | Type | Description | > | -------------- | ------ | ---------------------------------------------------------------- | > | `type` | String | The one-time device type. Possible values are SMS, voice, email. | > | `target` | String | The device's masked email address or phone number. | > | `id` | String | Random ID to identify the device within the response. | ### NumberMatching object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | > | `number` | Integer | The number displayed for mobile authentication number matching. | > | `type` | String | Determines whether users are required to either enter the number that was shown or select the displayed number out of a group of three numbers. | ### RelyingParty object > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | ------------------------------------------------ | > | `id` | String | The relying party identifier. | > | `name` | String | The relying party's human-readable display name. | ### SubmitDeviceInformationRequest > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | `browserFingerprint` | String | Submit browser details generated by running the `signals-sdk`. Learn more about how to do so in [Preparing the `signals-sdk` to generate a browser fingerprint](pf-p1-mfa-ik-generating-the-browser-fingerprint.html).You should generate a new payload each time because they can expire quickly. | ### SubmitRememberMeUserConsentRequest > **Collapse: Object details** > > | Parameter name | Type | Description | > | -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | > | `userConsent` | String | Submit response for whether a remembered device should be made for the current browser.Possible values are `remember`, `doNotRemember`, or `doNotAskAgain`. | ## Error codes An error code is returned if the call flow state hasn't reached a dead end and the user can still authenticate with a device. In cases where a flow reaches a dead end, the authentication API returns an `MFA_FAILED` state with a corresponding code. ### Top level error codes > **Collapse: Error code details** > > | Error code | Message | HTTP status | > | -------------------- | ----------------------------------------------------------------------------- | ----------- | > | `VALIDATION_ERROR` | One or more validation errors occurred. | `400` | > | `REQUEST_FAILED` | The request couldn't be completed. There was an issue processing the request. | `400` | > | `INVALID_REQUEST` | The request was malformed or invalid. | `400` | > | `RESOURCE_NOT_FOUND` | The requested resource wasn't found. | `404` | ### Detail level error codes > **Collapse: Error code details** > > | Error code | Message | userMessageKey | Parent code | > | ------------------------------------------ | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ------------------ | > | `INVALID_OTP` | An invalid or expired passcode was provided. | `authn.api.invalid.otp` | `VALIDATION_ERROR` | > | `OTP_EXPIRED` | The passcode has expired. | `authn.api.otp.expired` | `REQUEST_FAILED` | > | `INVALID_DEVICE` | An invalid device was provided. | | `VALIDATION_ERROR` | > | `OTP_ATTEMPTS_LIMIT` | The user performed too many unsuccessful passcode attempts. | `authn.api.otp.attempts.limit` | `REQUEST_FAILED` | > | `TOTP_ATTEMPTS_LIMIT` | The user performed too many unsuccessful TOTP passcode attempts. | `authn.api.totp.attempts.limit` | `REQUEST_FAILED` | > | `OTP_RESEND_LIMIT` | The user has resent the passcode the maximum number of times. | `authn.api.otp.resend.limit` | `REQUEST_FAILED` | > | `PUSH_FAILED` | Failed to send the push message. | `authn.api.push.failed` | `REQUEST_FAILED` | > | `INVALID_MOBILE_PAYLOAD` | An invalid mobile payload was provided. | | `VALIDATION_ERROR` | > | `INVALID_DEVICE_PAIRING_METHOD` | An invalid device pairing method was provided. | | `VALIDATION_ERROR` | > | `INVALID_DATA_DEVICE_PAIRING_METHOD` | The request could not be completed. One or more validation errors were in the request. | | `VALIDATION_ERROR` | > | `INVALID_EMAIL` | An invalid email address was provided. | `pingone.mfa.email.pairing.invalid.email` | `VALIDATION_ERROR` | > | `INVALID_PHONE` | An invalid phone number was provided. | `pingone.mfa.sms.pairing.invalid.phone` or `pingone.mfa.voice.pairing.invalid.phone` | `VALIDATION_ERROR` | > | `MAXIMUM_ALLOWED_METHODS_LIMIT` | Reached maximum number of allowed methods limit. | `pingone.mfa.device.selection.maximum.allowed.methods.limit` | `VALIDATION_ERROR` | > | `EXTRA_OTP_REQUIRED` | An additional OTP is required. | | `VALIDATION_ERROR` | > | `TOKEN_LOCKED` | The OATH token is locked because too many OTP authentication attempts failed. | | `REQUEST_FAILED` | > | `INVALID_SERIAL_NUMBER` | An invalid serial number was provided. | | `VALIDATION_ERROR` | > | `DUPLICATE_SERIAL_NUMBER` | The provided serial number is already in use. | | `VALIDATION_ERROR` | > | `INVALID_ASSERTION` | An invalid assertion was provided. | | `VALIDATION_ERROR` | > | `CHANGE_AUTHENTICATION_METHOD_NOT_ALLOWED` | Users are not allowed to go back and change their authentication device during a sign-on session. | | `VALIDATION_ERROR` | > | `INVALID_REQUEST` | `testMode` devices aren't allowed. | | `VALIDATION_ERROR` | > | `BROWSER_FINGERPRINT_REQUIRED` | Browser fingerprint details are required for remember me evaluation or creation. | | `VALIDATION_ERROR` | ### `MFA_FAILED` codes > **Collapse: Error code details** > > | Error code | Message | userMessageKey | > | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------- | ------------------------------------ | > | `SERVER_ERROR` | Server error. | `authn.api.server.error` | > | `SERVICE_UNAVAILABLE` | Service unavailable. | `authn.api.service.unavailable` | > | `OTP_RESEND_LIMIT` This error code can also be returned if this isn't a dead end. | The user has resent the passcode the maximum number of times. | `authn.api.otp.resend.limit` | > | `PUSH_FAILED` | Failed to send the push message. | `authn.api.push.failed` | > | `NO_RESPONSE_PASSIVE_PUSH` | Mobile payload is valid, but the extra push verification didn't arrive. | `authn.api.no.response.passive.push` | > | `NO_USABLE_DEVICES` | The user has no usable devices for the requested authentication policy. | `authn.api.no.usable.devices` | > | `MFA_DISABLED` | The user doesn't have MFA enabled. | `authn.api.mfa.disabled` | > | `USER_NOT_FOUND` | The user isn't enabled in PingOne or doesn't exist. | `authn.api.user.not.found` | > | `DEVICE_INTEGRITY_FAILED` | Device integrity validation failed. | `authn.api.device.rooted` |