PingOne

Models, objects, and error codes

When using the PingOne MFA IdP Adapter through the PingFederate authentication API, the adapter uses the following state models, action models, objects, and error codes.

State models

Each entry below lists, in order: Status, Response Model, Action, Description.

AUTHENTICATION_REQUIRED

  • user: The user’s username.

  • authenticate

  • cancelAuthentication

Indicates that authentication is required. This state is the first state returned from the adapter.

ASSERTION_REQUIRED

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • selectedDeviceRef: The device identifier.

  • publicKeyCredentialRequestOptions: The PublicKeyCredentialRequestOptions object containing data needed to generate an assertion. For help, see Web Authentication in the W3C documentation.

    • challenge: string

    • timeout: integer (milliseconds)

    • rpId: Relying party identifier string.

    • userVerification: string

    • allowCredentials

      • type: string

      • id: array of bytes

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • cancelAuthentication

  • checkAssertion

  • selectDevice

  • setDefaultDevice

  • setupMfa

  • removeDevice

  • updateDeviceNickname

Indicates that authentication is required. This state is the first state returned from the adapter.

DEVICE_SELECTION_REQUIRED

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • setupMfa

  • cancelAuthentication

  • selectDevice

  • removeDevice

  • updateDeviceNickname

Indicates that device selection is required, and the user has more than one device.

OTP_REQUIRED

  • selectedDeviceRef: The device identifier.

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • checkOtp

  • cancelAuthentication

  • selectDevice

  • setDefaultDevice

  • setupMfa

  • removeDevice

  • updateDeviceNickname

Indicates that OTP is required. This state is returned when the user is prompted to provide an OTP. The OTP is one of the following:

  • Sent to the user in an SMS, voice call, or email.

  • The OTP that is displayed in the user’s authenticator app.

PUSH_CONFIRMATION_WAITING

  • selectedDeviceRef: The device identifier.

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • checkOtp

  • poll

  • cancelAuthentication

  • selectDevice

  • setDefaultDevice

  • setupMfa

  • removeDevice

  • updateDeviceNickname

Indicates that a push was sent to the user.

To get the final push confirmation state, the API client can call either the poll action or GET.

PUSH_CONFIRMATION_TIMED_OUT

  • selectedDeviceRef: The device identifier.

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • checkOtp

  • cancelAuthentication

  • selectDevice

  • setDefaultDevice

  • setupMfa

  • removeDevice

  • updateDeviceNickname

Indicates a push timeout state.

PUSH_CONFIRMATION_REJECTED

  • selectedDeviceRef: The device identifier.

  • devices: The list of all devices associated with the user.

  • user: The user’s username.

  • manualPairing: Indicates the user has initiated the multi-factor pairing process.

  • userSelectedDefault: Indicates whether MFA settings have 'user-selected default device' or 'prompt user for device selection'.

  • Reason: The push confirmation rejection reason.

    Possible values:

    • DENIED_BY_USER

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • cancelAuthentication

  • selectDevice

  • setDefaultDevice

  • setupMfa

  • removeDevice

  • updateDeviceNickname

Indicates that the user has rejected the push.

MFA_COMPLETED

  • code: The success code.

  • continueAuthentication

Indicates a successful MFA. The API client must call continueAuthentication in order to progress in the flow, and to complete it.

MFA_FAILED

  • code: The error code.

  • message: The developer-facing error message.

  • userMessage: The user-facing error message.

See MFA_FAILED codes in the Error Codes section.

  • cancelAuthentication

Indicates a dead end. The API client can proceed in the flow by calling cancelAuthentication. The adapter will return a FAILURE status.

MOBILE_PAIRING_REQUIRED

  • serverPayload: String

The PingOne ID token.

  • continueAuthentication

Indicates that mobile pairing is required.

MFA_SETUP_REQUIRED

This state has no model.

  • setupMfa

  • skipMfa

  • cancelAuthentication

The user must set up a device for multi-factor authentication.

DEVICE_PAIRING_METHOD_REQUIRED

  • devicePairingMethods: The list of available device pairing methods for multi-factor authentication.

    • DevicePairingMethod: A multi-factor authentication device pairing method.

      • deviceType: The type of the device.

      • applicationName: The name of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted.

      • applicationId: The id of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted.

  • selectDevicePairingMethod

  • cancelDevicePairing

  • cancelAuthentication

The user must select a device type for multi-factor authentication to proceed.

MFA_DEVICE_PAIRING_METHOD_FAILED

  • code: The error code.

  • message: The developer-facing error message.

  • userMessage: The user-facing error message.

  • cancelDevicePairing

  • cancelAuthentication

Device integrity validation failed.

The device integrity check determined that the device is jailbroken (iOS) or rooted (Android).

EMAIL_PAIRING_TARGET_REQUIRED

This state has no model.

  • submitEmailTarget

  • cancelDevicePairing

  • cancelAuthentication

The user must submit an email address for multi-factor authentication.

SMS_PAIRING_TARGET_REQUIRED

This state has no model.

  • submitSmsTarget

  • cancelDevicePairing

  • cancelAuthentication

The user must submit a phone number for multi-factor authentication.

VOICE_PAIRING_TARGET_REQUIRED

This state has no model.

  • submitVoiceTarget

  • cancelDevicePairing

  • cancelAuthentication

The user must submit a phone number for multi-factor authentication.

MOBILE_ACTIVATION_REQUIRED

  • applicationName: The name of the native application associated with this device.

  • pairingKey: The pairing key used to pair the mobile device.

  • poll

  • cancelDevicePairing

  • cancelAuthentication

The user must activate their mobile device to complete the device pairing.

TOTP_ACTIVATION_REQUIRED

  • pairingKey: The pairing key used to pair the mobile device.

  • keyUri: The URI format of the QR code.

  • activateTotpDevice

  • cancelDevicePairing

  • cancelAuthentication

The user must submit their authenticator activation code to complete the device pairing.

EMAIL_ACTIVATION_REQUIRED

  • email: The user’s specified email address for multi-factor authentication.

  • activateEmailDevice

  • resendOtp

  • cancelDevicePairing

  • cancelAuthentication

The user must submit their email activation code to complete the device pairing.

SMS_ACTIVATION_REQUIRED

  • phone: The user’s specified phone number for multi-factor authentication.

  • activateSmsDevice

  • resendOtp

  • cancelDevicePairing

  • cancelAuthentication

The user must submit their SMS activation code to complete the device pairing.

VOICE_ACTIVATION_REQUIRED

  • phone: The user’s specified phone number for multi-factor authentication.

  • activateVoiceDevice

  • resendOtp

  • cancelDevicePairing

  • cancelAuthentication

The user must submit their voice activation code to complete the device pairing.

PLATFORM_ACTIVATION_REQUIRED

  • rp: The relying party identifier.

  • publicKeyCredentialCreationOptions: A JSON serialization of the client data returned for registering a FIDO2 device.

  • activatePlatformDevice

  • cancelDevicePairing

  • cancelAuthentication

The user must pair their biometrics with the browser to complete the device pairing.

SECURITY_KEY_ACTIVATION_REQUIRED

  • rp: The relying party identifier.

  • publicKeyCredentialCreationOptions: A JSON serialization of the client data returned for registering a FIDO2 device.

  • activateSecurityKeyDevice

  • cancelDevicePairing

  • cancelAuthentication

The user must pair their security key with the browser to complete the device pairing.

AUTHENTICATION_CODE_RESPONSE_REQUIRED

  • Authentication code request data object.

  • poll

  • cancelAuthentication

The user must complete multi-factor authentication via authentication code.

ONE_TIME_DEVICE_OTP_METHOD_TYPE_INPUT_REQUIRED

  • devices: The list of all One-Time Device OTP device objects.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • selectOneTimeDeviceMethod

  • cancelAuthentication

The user must select the one-time device from the list to proceed with the authentication flow.

ONE_TIME_DEVICE_OTP_INPUT_REQUIRED

  • Selected One-Time Device Info: object

  • devices: The list of all One-Time Device OTP device objects.

  • changeDevicePermitted (boolean): Indicates whether the user can switch devices used for authentication.

  • checkOtp

  • selectOneTimeDeviceMethod

  • resendOtp

  • cancelAuthentication

Indicates that OTP is required. This state is returned when the user is prompted to provide an OTP. The OTP is sent to the user in an SMS, voice call, or email.

BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED

This state has no model.

  • continueBiometricDeviceAuthentication

  • cancelAuthentication

The user must provide the server name where the fetch originates.

UPDATE_NICKNAME

This state has no model.

  • updateDeviceNickname

  • skipUpdateDeviceNickname

The user can either add a device nickname or skip adding a device nickname.

Action models

Each entry below lists, in order: Action, Request Model, Errors, Description.

authenticate

  • mobilePayload: The mobile payload. The payload is a small data package created by the PingOne Mobile SDK component that identifies the device, which is used as part of the device’s authorization.

  • Error: REQUEST_FAILED

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_MOBILE_PAYLOAD

Starts an authentication flow. The mobile payload is required in cases of mobile app access. The presence or absence of the mobile payload determines whether the flow is a mobile or web authentication, respectively. You cannot switch midway between mobile and web authentication flows.

selectDevice

  • deviceRef: The device identifier. (required)

  • mobilePayload: The mobile payload. The payload is a small data package created by the PingOne Mobile SDK component that identifies the device, which is used as part of the device’s authorization.

  • Error: REQUEST_FAILED

    ErrorDetail: OTP_RESEND_LIMIT

  • Error: REQUEST_FAILED

    ErrorDetail: PUSH_FAILED

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_DEVICE

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_MOBILE_PAYLOAD

  • Error: REQUEST_FAILED

    ErrorDetail: TOTP_ATTEMPTS_LIMIT

Starts an authentication with the specified deviceId. For example:

{
  "deviceRef":
  {
    "id": "<device ID>"
  }
}

If there is already an authentication in progress, this authentication will be canceled. This action is available only when the user has at least one device, and can also be used as an authentication retry. A mobile payload is required if a user requests access from an untrusted mobile app and needs to select one of the user’s trusted devices to approve or deny access.

setDefaultDevice

  • deviceRef: The device identifier. (required)

  • Error: REQUEST_FAILED

    ErrorDetail: OTP_RESEND_LIMIT

  • Error: REQUEST_FAILED

    ErrorDetail: PUSH_FAILED

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_DEVICE

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_MOBILE_PAYLOAD

  • Error: REQUEST_FAILED

    ErrorDetail: TOTP_ATTEMPTS_LIMIT

Sets the user’s default authentication device. For example:

{
  "deviceRef":
  {
    "id": "<device ID>"
  }
}

If there is already an authentication in progress, this authentication will be canceled. This action is available only when the user has at least one device, and can also be used as an authentication retry. A mobile payload is required if a user requests access from an untrusted mobile app and needs to select one of the user’s trusted devices to approve or deny access.

checkOtp

  • otp: The OTP (one-time passcode) submitted by the user.

  • Error: VALIDATION_ERROR

    ErrorDetail: INVALID_OTP

  • Error: REQUEST_FAILED

    ErrorDetail: OTP_ATTEMPTS_LIMIT

  • Error: REQUEST_FAILED

    ErrorDetail: TOTP_ATTEMPTS_LIMIT

Validates the provided OTP.

poll

This action has no model.

  • Error: REQUEST_FAILED

  • Error: VALIDATION_ERROR

This action returns the authentication code request status.

cancelAuthentication

This action has no model.

This action has no errors.

This action cancels the current authentication step.

continueAuthentication

This action has no model.

This action has no errors.

This action continues the current authentication flow.

setupMfa

This action has no model.

This action has no errors.

Initiates the multi-factor authentication pairing process.

skipMfa

This action has no model.

  • Error: INVALID_REQUEST

Skip the multi-factor authentication pairing process.

selectDevicePairingMethod

  • devicePairingMethod: DevicePairingMethod

  • Error: VALIDATION_ERROR

    Error detail: INVALID_DEVICE_PAIRING_METHOD

Select a device pairing method to pair as a new multi-factor authentication device.

cancelDevicePairing

This action has no model.

This action has no errors.

Cancel the multi-factor authentication pairing process.

submitEmailTarget

  • email: The user’s specified email address for multi-factor authentication.

  • testMode: Determines whether this multi-factor authentication device is configured as a test device.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_EMAIL

Pair an email address for use as a new multi-factor authentication device.

submitSmsTarget

  • phone: The user’s phone number for multi-factor authentication.

  • testMode: Determines whether this multi-factor authentication device is configured as a test device.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_PHONE

Pair a phone number for use as a new multi-factor authentication device.

submitVoiceTarget

  • phone: The user’s phone number for multi-factor authentication.

  • testMode: Determines whether this multi-factor authentication device is configured as a test device.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_PHONE

Pair a phone number for use as a new multi-factor authentication device.

activateEmailDevice

  • otp: The OTP (one-time passcode) submitted by the user.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_OTP

  • Error: REQUEST_FAILED

    Error detail: OTP_ATTEMPTS_LIMIT

Submit the email activation code to complete the device pairing.

activateSmsDevice

  • otp: The OTP (one-time passcode) submitted by the user.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_OTP

  • Error: REQUEST_FAILED

    Error detail: OTP_ATTEMPTS_LIMIT

Submit the SMS activation code to complete the device pairing.

activateVoiceDevice

  • otp: The OTP (one-time passcode) submitted by the user.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_OTP

  • Error: REQUEST_FAILED

    Error detail: OTP_ATTEMPTS_LIMIT

Submit the voice activation code to complete the device pairing.

activateTotpDevice

  • otp: The OTP (one-time passcode) submitted by the user.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_OTP

  • Error: REQUEST_FAILED

    Error detail: OTP_ATTEMPTS_LIMIT

Activate an authenticator for use as a new multi-factor authentication device.

Submit the authenticator activation code to complete the device pairing.

activatePlatformDevice

  • origin: A string that specifies the server name where the fetch originates, providing the URI scheme and hostname.

  • attestation: The attestation generated by the browser as a response to a user action, such as a fingerprint or click on the security key.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_DATA

activateSecurityKeyDevice

  • origin: A string that specifies the server name where the fetch originates, providing the URI scheme and hostname.

  • attestation: The attestation generated by the browser as a response to a user action, such as a fingerprint or click on the security key.

  • Error: VALIDATION_ERROR

    Error detail: INVALID_DATA

selectOneTimeDeviceMethod

  • One-Time Device Info: object

  • Error: REQUEST_FAILED

  • Error: VALIDATION_ERROR

Starts the One-Time Device OTP authentication flow for the selected device.

resendOtp

This action has no model.

  • Error: REQUEST_FAILED

  • Error: VALIDATION_ERROR

Resend the OTP to the previously selected device.

continueBiometricDeviceAuthentication

  • origin: A string that specifies the server name where the fetch originates.

  • Error: REQUEST_FAILED

  • Error: VALIDATION_ERROR

Continue with biometric device authentication.

updateDeviceNickname

  • id (string): Unique identifier of a trusted device in the PingOne MFA server (required).

  • nickname (string): The device’s nickname (required).

  • Error: RESOURCE_NOT_FOUND

  • Error: REQUEST_FAILED

Give a unique nickname to a device.

skipUpdateDeviceNickname

This action has no model.

This action has no errors.

Skip updating the device nickname during the device pairing flow.

removeDevice

  • deviceRef: The device identifier (required).

  • id (string): Unique identifier of a trusted device in the PingOne MFA server (required).

  • Error: VALIDATION_ERROR

    ErrorDetail: FIELD_REQUIRED, INVALID_DEVICE, or UNRECOGNIZED_FIELD_NAME.

  • Error: INVALID_REQUEST

Remove a device.

See the selectDevice table entry for an example deviceRef.

Objects

Device object

  • id (String): Unique identifier of a trusted device in the PingOne MFA server.

  • type (String): Model of the device. For example, "iPhone 5S". This parameter is empty for OTP devices (SMS, voice, email, TOTP).

  • name (String): Model of the device, for example, "iPhone 5S". This parameter is empty for OTP devices (SMS, voice, email, TOTP).

  • nickname (String): The device’s nickname.

  • applicationId (String): The ID of the customer mobile application.

  • osVersion (String): The device’s operating system version.

  • applicationVersion (String): The device’s application version.

  • target (String): The device’s masked email address/phone number.

  • usable (boolean): Indicates whether the device is usable.

One-time device OTP device object

  • type (String): The type of One-Time Device. Possible values: SMS, voice, email.

  • target (String): The device’s masked email address/phone number.

  • id (String): Random ID to identify the device within the response.

User object

  • username (String): The user’s PingOne user ID or username that was mapped into the adapter.

Resource reference (ResourceRef) object

  • id (String): The resource’s identifier.

Device pairing method (DevicePairingMethod) object

  • deviceType (String): The type of the device.

  • applicationName (String): The name of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted.

  • applicationId (String): The ID of the native application associated with this device, if the device is a mobile application. For other device types, this attribute is omitted.

  • relyingPartyId (String): Specifies the server name/relying party that is initiating the request. This is required to initiate pairing requests of security key/biometrics devices. If not provided, the PingFederate domain is used.

  • relyingPartyName (String): Identifies the server name/relying party that is initiating the request. This is required to initiate pairing requests of security key/biometrics devices. If not provided, the string PingFederate is used.

  • userAgent (String): User agent of device initiating the pairing request. This is applicable only for platform/biometrics device pairing requests. It is passed to PingOne so it can accurately capture additional platform information of the device.

Relying party (RelyingParty) object

  • id (String): The relying party identifier.

  • name (String): The relying party’s human-readable display name.

Authentication code request data object

  • authenticationCodeId (String): A string that specifies the code request ID.

  • code (String): A string that specifies a universal link such as https://www.example.com/pingonesdk?authentication_code={{generated token}}. This property can also set a link to a schema application such as pingoneapp://pingonesdk?authentication_code={{generated token}}. If a universal link or schema application link is not set, the response does not include the pingonesdk?authentication_code={{generated token}} portion of the URL.

  • userApproval (String): An enumeration that specifies whether the mobile device must verify that the user approves the authentication with the scanned code. Options are REQUIRED and NOT_REQUIRED.

  • expiresAt (String): A date that specifies the expiration time of authentication code.

  • updatedAt (String): A date that specifies when the resource was last updated.

  • createdAt (String): A date that specifies when the resource was created.

  • application (Application): Mobile application info.

  • clientContext (ClientContext): Provides relevant information to the mobile application that can be shown to application users.

  • lifeTime (LifeTime): Specifies the length of time for this authentication code to be valid.

  • requestStatus (String): A string that specifies the status of the authentication code. Options are UNCLAIMED or CLAIMED.

  • Applicationid (String): A string that specifies the ID of a mobile application for which the code is valid; only the specified mobile application can scan the QR code.

  • header (String): Client information header.

  • body (String): Client information body.

  • Lifetime duration (Integer): Specifies the length of time for this authentication code to be valid.

  • timeUnit (String): A string that specifies the time unit for the lifeTime.duration property. Options are SECONDS and MINUTES.

There may be values, such as SMS message, email configuration type, and others, that you want the client to pass to PingFederate for step-up authentication and transaction approval. However, for security reasons, these values cannot be sent using the PingFederate Authentication API. See Transaction approval setup for details on the available parameters and the instructions for sending them to PingFederate.

Error codes

An error code is returned if the call flow state has not reached a dead end, and the user can still authenticate with a device. In cases where a flow reaches a dead end, the MFA_FAILED state is returned with a corresponding code.
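The split described above, between error codes that leave the flow alive and the MFA_FAILED dead end, can be enforced in the API client. The following is an added example, not code from this page or from Ping Identity: state, action and error-code names come from the tables on this page, while the JSON field names "status" and "details", the function names and the outcome labels are assumptions, and the action table covers only a subset of the states.

```python
"""Added example, not Ping Identity code: decide what an API client may do next.

State, action and error-code names are taken from this page. The JSON field
names "status" and "details" are assumptions about the response shape, and
STATE_ACTIONS covers only a subset of the states listed on the page.
"""

# Actions shared by the OTP and push states in the state table.
DEVICE_ACTIONS = frozenset({
    "cancelAuthentication", "selectDevice", "setDefaultDevice",
    "setupMfa", "removeDevice", "updateDeviceNickname",
})

STATE_ACTIONS = {
    "OTP_REQUIRED": DEVICE_ACTIONS | {"checkOtp"},
    "PUSH_CONFIRMATION_WAITING": DEVICE_ACTIONS | {"checkOtp", "poll"},
    "PUSH_CONFIRMATION_TIMED_OUT": DEVICE_ACTIONS | {"checkOtp"},
    "PUSH_CONFIRMATION_REJECTED": DEVICE_ACTIONS,  # no checkOtp, no poll
    "MFA_COMPLETED": frozenset({"continueAuthentication"}),
    "MFA_FAILED": frozenset({"cancelAuthentication"}),  # dead end
}

TOP_LEVEL_ERRORS = {"VALIDATION_ERROR", "REQUEST_FAILED", "RESOURCE_NOT_FOUND"}
LIMIT_DETAILS = {"OTP_ATTEMPTS_LIMIT", "TOTP_ATTEMPTS_LIMIT", "OTP_RESEND_LIMIT"}
REPROMPT_DETAILS = {"INVALID_OTP", "INVALID_EMAIL", "INVALID_PHONE"}


def action_permitted(state: str, action: str) -> bool:
    """True only if the page lists `action` for `state`; unknown states deny."""
    return action in STATE_ACTIONS.get(state, frozenset())


def classify(response: dict) -> dict:
    """Map one decoded API response to an outcome and the actions it allows."""
    status = response.get("status")
    if status in STATE_ACTIONS:
        if status == "MFA_COMPLETED":
            outcome = "completed"  # not final until continueAuthentication is called
        elif status == "MFA_FAILED":
            outcome = "dead_end"
        else:
            outcome = "in_progress"
        return {
            "outcome": outcome,
            "allowed": sorted(STATE_ACTIONS[status]),
            "code": response.get("code"),
            # Show only the user-facing text; "message" is developer-facing.
            "display": response.get("userMessage"),
        }

    code = response.get("code")
    if status is None and code in TOP_LEVEL_ERRORS:
        raw = response.get("details") or []
        details = sorted({d.get("code") for d in raw if d.get("code")})
        if LIMIT_DETAILS.intersection(details):
            outcome = "limit_reached"  # stop prompting on this device
        elif REPROMPT_DETAILS.intersection(details):
            outcome = "reprompt"
        else:
            outcome = "error"
        # The flow state is unchanged, so "allowed" stays whatever it was.
        return {"outcome": outcome, "allowed": None, "code": code, "details": details}

    # A state outside the table or a malformed body fails closed.
    return {"outcome": "unhandled", "allowed": [], "code": code}


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = [
        {"status": "PUSH_CONFIRMATION_REJECTED", "Reason": "DENIED_BY_USER"},
        {"code": "REQUEST_FAILED", "details": [{"code": "OTP_ATTEMPTS_LIMIT"}]},
        {"status": "MFA_FAILED", "code": "NO_USABLE_DEVICES", "userMessage": "No device."},
    ]
    for sample in samples:
        print(classify(sample))
```
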

Top level error codes

  • VALIDATION_ERROR (HTTP status: 400): One or more validation errors occurred.

  • REQUEST_FAILED (HTTP status: 400): The request could not be completed. There was an issue processing the request.

  • RESOURCE_NOT_FOUND (HTTP status: 404): The requested resource was not found.

Detail level error codes

  • INVALID_OTP (parent code: VALIDATION_ERROR; userMessageKey: authn.api.invalid.otp): An invalid or expired passcode was provided.

  • OTP_EXPIRED (parent code: REQUEST_FAILED; userMessageKey: authn.api.otp.expired): The passcode has expired.

  • INVALID_DEVICE (parent code: VALIDATION_ERROR): An invalid device was provided.

  • OTP_ATTEMPTS_LIMIT (parent code: REQUEST_FAILED; userMessageKey: authn.api.otp.attempts.limit): The user performed too many unsuccessful passcode attempts.

  • TOTP_ATTEMPTS_LIMIT (parent code: REQUEST_FAILED; userMessageKey: authn.api.totp.attempts.limit): The user performed too many unsuccessful TOTP passcode attempts.

  • OTP_RESEND_LIMIT (parent code: REQUEST_FAILED; userMessageKey: authn.api.otp.resend.limit): The user has resent the passcode the maximum number of times.

  • PUSH_FAILED (parent code: REQUEST_FAILED; userMessageKey: authn.api.push.failed): Failed to send the push message.

  • INVALID_MOBILE_PAYLOAD (parent code: VALIDATION_ERROR): An invalid mobile payload was provided.

  • INVALID_DEVICE_PAIRING_METHOD (parent code: VALIDATION_ERROR): An invalid device pairing method was provided.

  • INVALID_DATA_DEVICE_PAIRING_METHOD (parent code: VALIDATION_ERROR): The request could not be completed. One or more validation errors were in the request.

  • INVALID_EMAIL (parent code: VALIDATION_ERROR; userMessageKey: pingone.mfa.email.pairing.invalid.email): An invalid email address was provided.

  • INVALID_PHONE (parent code: VALIDATION_ERROR; userMessageKey: pingone.mfa.sms.pairing.invalid.phone or pingone.mfa.voice.pairing.invalid.phone): An invalid phone number was provided.

  • MAXIMUM_ALLOWED_METHODS_LIMIT (parent code: VALIDATION_ERROR; userMessageKey: pingone.mfa.device.selection.maximum.allowed.methods.limit): Reached maximum number of allowed methods limit.

MFA_FAILED codes

  • SERVER_ERROR (userMessageKey: authn.api.server.error): Server error.

  • SERVICE_UNAVAILABLE (userMessageKey: authn.api.service.unavailable): Service unavailable.

  • OTP_RESEND_LIMIT (userMessageKey: authn.api.otp.resend.limit): The user has re-sent the passcode the maximum number of times. This error code can also be returned if this is not a dead end.

  • PUSH_FAILED (userMessageKey: authn.api.push.failed): Failed to send the push message.

  • NO_RESPONSE_PASSIVE_PUSH (userMessageKey: authn.api.no.response.passive.push): Mobile payload is valid but the extra push verification did not arrive.

  • NO_USABLE_DEVICES (userMessageKey: authn.api.no.usable.devices): The user has no usable devices for the requested authentication policy.

  • MFA_DISABLED (userMessageKey: authn.api.mfa.disabled): The user does not have MFA enabled.

  • USER_NOT_FOUND (userMessageKey: authn.api.user.not.found): The user is not enabled in PingOne or does not exist.

  • DEVICE_INTEGRITY_FAILED (userMessageKey: authn.api.device.rooted): Device integrity validation failed.