Support for stateless one-time device OTP flow
The PingOne MFA Integration Kit supports one-time device OTP authentication flow to initiate and complete an MFA action for SMS, voice and email targets without requiring those devices to be previously paired.
The PingOne authentication policy configuration has no impact on this flow. |
Process Flow
-
The PingOne MFA adapter invokes this flow if a chained attribute with name
support-one-time-device-otp
is received with value asTRUE
along with valid target device information. -
The target device for email, voice, and SMS types are provided through
one-time-device-email
,one-time-device-voice
andone-time-device-sms
respectively. The value can be a single-valued string or multi-valued attribute value from the previous adapter.Expected Attribute Name Expeted Value Description support-one-time-device-otp
Boolean: True or False
True is required for consideration of this flow.
one-time-device-email
Single-valued string or mutli-valued string for multiple values.
The OTP will be sent to this email address.
one-time-device-sms
Single-valued string or mutli-valued string for multiple values.
The phone number must be in the E.164 standard format.
The OTP will be sent to this phone number through SMS.
one-time-device-voice
Single-valued string or mutli-valued string for multiple values.
The phone number must be in the E.164 standard format.
The OTP will be delivered to this phone through voice call.
-
If more than one target is specified, users are transitioned first to the device selection step, and to OTP authentication flow after device selection. If the flow is invoked with just one specific target device, the user goes directly through the OTP authentication flow for that device.