---
title: Authentication flows
description: When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flows are used for multi-factor authentication (MFA) requests. These are initiated in the web browser.
component: pingone
page_id: pingone:pingone_mfa_integration_kit:pf_p1_mfa_ik_authentication_flows
canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf_p1_mfa_ik_authentication_flows.html
revdate: June 15, 2024
section_ids:
  mfa-via-email: MFA via email
  mfa-via-the-mobile-app: MFA via the mobile app
---

# Authentication flows

When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flows are used for multi-factor authentication (MFA) requests. These are initiated in the web browser.

## MFA via email

![A flow diagram showing authentication via an email OTP](_images/ziw1611348536722.png)

1. The user completes first-factor authentication. When using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow, first-factor authentication must be completed before progressing to MFA.

2. The status of `AUTHENTICATION_REQUIRED` is returned in the response to the API client.

3. The API client invokes the `authenticate` action.

4. The status of `DEVICE_SELECTION_REQUIRED` is returned with the devices object in the response to the API client.

5. The API client invokes the `selectDevice` action and specifies the device ID of the device to use for MFA.

6. The status of `OTP_REQUIRED`, together with the devices and `selectedDeviceRef` object, is returned in the response to the API client. In parallel, the user receives an email containing the one-time passcode (OTP) for authentication.

7. After the user has entered the OTP, the API client invokes the `checkOtp` action, submitting the OTP value to PingFederate.

8. On successful completion of MFA, PingFederate returns the status of `MFA_COMPLETED` to the API client.

9. The API client invokes the `continueAuthentication` action. The API client must call `continueAuthentication` to progress through the OIDC flow and complete it.

10. PingFederate returns a single sign-on (SSO) ID token and access token to the API client.

## MFA via the mobile app

![A flow diagram showing authentication via a mobile application](_images/prh1611354198780.png)

1. The user completes first-factor authentication. When using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow, first-factor authentication must be completed before progressing to MFA.

2. The status of `AUTHENTICATION_REQUIRED` is returned in the response to the API client.

3. The API client invokes the `authenticate` action.

4. The status of `DEVICE_SELECTION_REQUIRED` is returned with the devices object in the response to the API client.

5. The API client invokes the `selectDevice` action and specifies the device ID of the device to use for multi-factor authentication.

6. The status of `PUSH_CONFIRMATION_WAITING`, together with the devices and `selectedDeviceRef` object, is returned in the response to the API client.

7. The API client invokes the `poll` action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached.

8. One of the following alternative statuses is reached:

   * `MFA_COMPLETED`:

     * The user receives a push notification and approves the authentication.

     * The API client invokes the `continueAuthentication` action. The API client must call `continueAuthentication` to progress through the OIDC flow and complete it.

     * PingFederate returns an access token for SSO to the API client.

   * `PUSH_CONFIRMATION_TIMED_OUT`:

     * The device was not reachable.

     * There are three options available via the API client:

       * Retry by calling `selectDevice` with the `deviceRef` object.

       * Select a different device by calling `selectDevice` with a different `deviceRef` object.

       * Cancel the authentication request by calling `cancelAuthentication`.

   * `PUSH_CONFIRMATION_REJECTED`:

     * The user receives a push notification, but denies it.

     * There are three options available via the API client:

       * Retry by calling `selectDevice` with the `deviceRef` object.

       * Select a different device by calling `selectDevice` with a different `deviceRef` object.

       * Cancel the authentication request by calling `cancelAuthentication`.
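
The email and mobile app flows above can be driven by one status-to-action loop in the API client. The following is an added example, not Ping Identity code: `send`, the `ui` callbacks, `fakeServer`, the retry and poll limits, and the request body field names (`deviceRef.id`, `otp`) are assumptions, and only the status and action names come from this page.

```javascript
// Added example, not Ping Identity code. `send(action, body)` is a hypothetical
// transport that posts one action and resolves to the parsed JSON response.
// Body field names (`deviceRef.id`, `otp`) are assumptions.
async function runMfaFlow(send, ui, first, { maxPolls = 20, maxPushRetries = 2 } = {}) {
  let res = first, polls = 0, retries = 0, deviceRef = null;
  const select = (ref) => { deviceRef = ref; polls = 0; return send('selectDevice', { deviceRef: ref }); };
  const cancel = async (reason) => { await send('cancelAuthentication', {}); return { outcome: 'cancelled', reason }; };
  for (;;) {
    switch (res.status) {
      case 'AUTHENTICATION_REQUIRED':
        res = await send('authenticate', {});
        break;
      case 'DEVICE_SELECTION_REQUIRED':
        res = await select({ id: await ui.chooseDevice(res.devices) });
        break;
      case 'OTP_REQUIRED':
        res = await send('checkOtp', { otp: await ui.promptOtp() });
        break;
      case 'PUSH_CONFIRMATION_WAITING':
        // Bound polling on the client as well; do not spin forever.
        if (++polls > maxPolls) return cancel('poll-limit');
        await ui.wait();
        res = await send('poll', {});
        break;
      case 'PUSH_CONFIRMATION_TIMED_OUT':
      case 'PUSH_CONFIRMATION_REJECTED': {
        // Never re-send a push automatically: the user picks one of the three
        // options, and the number of re-pushes per sign-on is capped.
        const failed = res.status;
        const choice = retries < maxPushRetries ? await ui.onPushFailed(failed) : { action: 'cancel' };
        if (choice.action === 'cancel') return cancel(failed);
        retries++;
        res = await select(choice.action === 'retry' ? deviceRef : { id: choice.deviceId });
        break;
      }
      case 'MFA_COMPLETED':
        return { outcome: 'completed', response: await send('continueAuthentication', {}) };
      default:
        throw new Error(`Unexpected status: ${res.status}`); // fail closed
    }
  }
}

// Constructed stand-in for PingFederate: replays scripted statuses, records actions.
function fakeServer(statuses) {
  const calls = [];
  const send = async (action) => { calls.push(action); return { status: statuses.shift(), devices: [{ id: 'dev-1' }] }; };
  return { send, calls };
}
```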
