---
title: Authentication method management
description: The PingOne MFA IdP Adapter supports a variety of methods for managing authentication methods for PingOne users.
component: pingone
page_id: pingone:pingone_mfa_integration_kit:pf_p1_mfa_ik_authentication_method_management
canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf_p1_mfa_ik_authentication_method_management.html
revdate: July 22, 2025
section_ids:
  automatic-authentication-method-provisioning: Automatic authentication method provisioning
  prompting-users-to-set-up-their-first-authentication-method: Prompting users to set up their first authentication method
  allowing-users-to-manage-authentication-methods: Allowing users to manage authentication methods
  default-authentication-methods: Default authentication methods
  device-integrity-checks: Device integrity checks
---

# Authentication method management

The PingOne MFA IdP Adapter supports a variety of methods for managing authentication methods for PingOne users.

|   |                                                                                                                                                                                                                                                                                                                                                          |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The PingOne MFA IdP Adapter can add and remove authentication methods and set a default method, but it cannot update a method's nickname. If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the [PingOne Integration Kit](https://marketplace.pingone.com/item/pingone-integration-kit). |

## Automatic authentication method provisioning

The PingOne MFA IdP Adapter supports automatic pairing for SMS, voice, and email authentication methods, which use one-time passcodes (OTPs). The adapter creates the user and associated authentication methods from attributes in the PingFederate authentication policy.

You can find details in [Enabling user and authentication method provisioning](pf_p1_mfa_ik_enabling_user_and_authentication_method_provisioning.html).

## Prompting users to set up their first authentication method

The PingOne MFA IdP Adapter allows you to prompt users to set up their first multi-factor authentication (MFA) method. MFA is an electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.

You can find details in [Enabling the MFA setup prompt](pf_p1_mfa_ik_enabling_the_mfa_setup_prompt.html).

## Allowing users to manage authentication methods

When the **Allow Users To Manage Additional Authentication Methods** [checkbox](pf_p1_mfa_ik_p1_mfa_idp_adapter_settings_reference.html) is selected in the PingOne MFA IdP Adapter configuration, users can add or remove authentication methods when they sign on.

|   |                                                                                                 |
| - | ----------------------------------------------------------------------------------------------- |
|   | This option is only available to users who authenticate with an existing authentication method. |

Users can pair any PingOne authentication method, including:

* Authenticator apps, such as Google Authenticator

* SMS message

* Voice call

* Email

* Mobile app built with the PingOne SDK

* FIDO2 biometrics

* Security key

They can also remove any of these authentication methods.

Alternatively, users can manage their authentication methods directly through the PingOne MFA self-service URL. Learn more in [Self service](https://docs.pingidentity.com/pingone/user_experience/p1_self_service.html) and [Managing authentication methods](https://docs.pingidentity.com/pingone/managing_your_pingone_user_profile/p1_managingauthenticationmethods.html) in the PingOne documentation.

## Default authentication methods

On the authentication method selection page, users can set a default authentication method.

![Screen capture showing the](_images/llj1624313747372.jpg)

When a default method is set, the PingOne MFA IdP Adapter skips the selection screen. Users can select a different authentication method if they don't want to continue with the default.

This capability is available when the `User-selected default` option is turned on in PingOne. Learn more about the details and limitations in the **Set a default authentication method** section of [Managing authentication methods](https://docs.pingidentity.com/pingone/managing_your_pingone_user_profile/p1_managingauthenticationmethods.html) in the PingOne documentation.

## Device integrity checks

When you create a native OIDC application as described in [Creating a web or native OIDC application in PingOne](pf_p1_mfa_ik_creating_a_web_or_native_application_in_p1.html), you can turn on a device integrity check. The device integrity check identifies jailbroken iOS devices and rooted Android devices. When it's enabled, users can't pair or authenticate with compromised devices.

When a user authenticates, PingOne reports whether the device passed the integrity check.

When a device fails, one of the following happens:

* If you're using the PingFederate authentication API, your application receives an `MFA_FAILED` status with the code `DEVICE_INTEGRITY_FAILED`.

* If you're using the PingFederate web interface, the PingOne MFA IdP Adapter shows an error page to the user.

  ![Screen capture showing the error message that results from a failed device integrity check.](_images/ncs1628705938913.png)

You don't need to change anything in the PingOne MFA IdP Adapter configuration to support device integrity checks. Just enable them in your PingOne native OIDC application settings. To do so:

1. In your native OIDC application, go to the **Mobile** tab and click the **Pencil** icon.

2. In the **Settings** section, go to **Device Integrity Check** and click **On**.
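
As an added example (not Ping Identity's code), the following JavaScript shows one way a client of the PingFederate authentication API might handle the `MFA_FAILED` status with code `DEVICE_INTEGRITY_FAILED` described in this section, failing closed on malformed responses and counting repeated integrity failures per user. The top-level `status` and `code` field names, the `user` field, the `OTHER_CODE` value, and the alert threshold are assumptions made for illustration.

```javascript
// Added example: fail-closed handling of a device integrity failure.
// ASSUMPTION: the parsed API response is an object with top-level string
// fields `status` and `code`. Only the values MFA_FAILED and
// DEVICE_INTEGRITY_FAILED come from the page.

const INTEGRITY_ALERT_THRESHOLD = 3; // hypothetical: failures per user before alerting

// Classify one parsed response. This function never reports success;
// it only tells the caller which kind of failure (if any) it is looking at.
function classifyMfaResult(response) {
  const status = typeof response?.status === "string" ? response.status : "";
  const code = typeof response?.code === "string" ? response.code : "";
  if (status === "") {
    // Missing or non-string status: treat as a failure, never as "no error".
    return { failed: true, reason: "malformed", retrySameDevice: false };
  }
  if (status === "MFA_FAILED" && code === "DEVICE_INTEGRITY_FAILED") {
    // A jailbroken or rooted device will fail again, so do not offer a
    // retry on the same device; route the user to another method or support.
    return { failed: true, reason: "device_integrity", retrySameDevice: false };
  }
  if (status === "MFA_FAILED") {
    return { failed: true, reason: "mfa_failed", retrySameDevice: true };
  }
  // Any other status: not a failure this handler knows; the flow continues.
  return { failed: false, reason: "other", retrySameDevice: true };
}

// Count integrity failures per user and return those at or above the threshold.
function summarizeIntegrityFailures(events, threshold = INTEGRITY_ALERT_THRESHOLD) {
  const counts = new Map();
  for (const { user, response } of events) {
    if (classifyMfaResult(response).reason === "device_integrity") {
      counts.set(user, (counts.get(user) ?? 0) + 1);
    }
  }
  return [...counts]
    .filter(([, n]) => n >= threshold)
    .map(([user, failures]) => ({ user, failures }));
}

// Constructed sample events (not real API captures).
const SAMPLE_EVENTS = [
  { user: "alice", response: { status: "MFA_FAILED", code: "DEVICE_INTEGRITY_FAILED" } },
  { user: "alice", response: { status: "MFA_FAILED", code: "DEVICE_INTEGRITY_FAILED" } },
  { user: "bob", response: { status: "MFA_FAILED", code: "OTHER_CODE" } },
  { user: "alice", response: { status: "MFA_FAILED", code: "DEVICE_INTEGRITY_FAILED" } },
  { user: "carol", response: null },
];
```
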
