PingOne

Creating an MFA authentication policy in PingOne

Create an MFA-only authentication policy in PingOne MFA to handle user authentication requests.

About this task

The PingOne MFA IdP Adapter only supports multifactor authentication (MFA) flows in which Multi-factor Authentication is the only step configured in the PingOne authentication policy.

To use a default policy in PingOne for MFA, you must make sure that Multi-factor Authentication is the only step in the policy.

Steps

  1. In the PingOne MFA console, go to Authentication > Authentication and click Add Policy.

  2. Enter a policy name of your choosing and note it.

    You will use this policy name in Configuring an adapter instance.

  3. In the Step Type list, select Multi-factor Authentication.

  4. In the MFA Policy list, select an MFA policy to specify which authentication methods a user can use to authenticate themselves.

  5. In the None Or Incompatible Methods section, select a default behavior for cases where the user does not have a valid authentication method set up:

    Choose from:

    • Block: If the user doesn’t have a valid authentication method set up, MFA fails.

    • Bypass: If the user doesn’t have a valid authentication method set up, they continue to the next step as if they completed MFA successfully.

  6. (Optional) In the Required When section, configure authentication triggers.

  7. Click Save.
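The following is an added example, not part of the PingOne documentation or product. It reviews hand-transcribed policy settings against the constraints in the steps above: Multi-factor Authentication as the only step, an MFA policy selected, and the None Or Incompatible Methods choice. The dictionary layout, its field names (`steps`, `mfa_policy`, `none_or_incompatible`, `required_when`) and the sample policies are constructed for this example and are not PingOne's API or export schema.

```python
# Added example: field names are this example's own, not PingOne's API schema.
MFA_STEP = "Multi-factor Authentication"

# Constructed sample policies, transcribed by hand from console settings.
SAMPLE_POLICIES = [
    {"name": "mfa-only-block", "steps": [
        {"type": MFA_STEP, "mfa_policy": "Default MFA Policy",
         "none_or_incompatible": "Block", "required_when": []}]},
    {"name": "login-then-mfa", "steps": [
        {"type": "Login"},
        {"type": MFA_STEP, "mfa_policy": "Default MFA Policy",
         "none_or_incompatible": "Block", "required_when": []}]},
    {"name": "mfa-only-bypass", "steps": [
        {"type": MFA_STEP, "mfa_policy": "Default MFA Policy",
         "none_or_incompatible": "Bypass",
         "required_when": ["constructed trigger"]}]},
]

def review_policy(policy):
    """Return a list of (severity, message) findings for one policy."""
    steps = policy.get("steps", [])
    # The adapter only supports policies where MFA is the single step.
    if len(steps) != 1 or steps[0].get("type") != MFA_STEP:
        types = [s.get("type") for s in steps]
        return [("error", f"MFA must be the only step; found {types}")]
    step, findings = steps[0], []
    if not step.get("mfa_policy"):
        findings.append(("error", "no MFA policy selected"))
    mode = step.get("none_or_incompatible")
    if mode == "Bypass":
        findings.append(("warn", "Bypass: users without a valid method "
                                 "are treated as having completed MFA"))
    elif mode != "Block":
        findings.append(("error", f"unexpected mode value: {mode!r}"))
    if step.get("required_when"):
        findings.append(("info", "Required When triggers are set; review them"))
    return findings

def review_all(policies):
    """Map each policy name to its findings (empty list means no issues)."""
    return {p["name"]: review_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else findings)
```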

Next steps

  1. Add the policy to the web or native OIDC application that you created in Creating a web or native OIDC application in PingOne:

    1. In the PingOne MFA console, go to Applications > Applications and expand your application.

    2. On the Policies tab, click Add Policies or click the Pencil icon, then select the checkbox for the policy that you created.

    3. Click Save.