PingOne

Support for stateless one-time device OTP flow

The PingOne MFA Integration Kit supports a one-time device OTP authentication flow that initiates and completes an MFA action for SMS, voice, and email targets without requiring those devices to be previously paired.

The PingOne authentication policy configuration has no impact on this flow.

Process Flow

  1. The PingOne MFA adapter invokes this flow when it receives a chained attribute named support-one-time-device-otp with the value TRUE, along with valid target device information.

  2. The target devices for the email, voice, and SMS types are provided through one-time-device-email, one-time-device-voice, and one-time-device-sms respectively. Each value can be a single-valued string or a multi-valued attribute value from the previous adapter.

    | Expected Attribute Name | Expected Value | Description |
    |---|---|---|
    | support-one-time-device-otp | Boolean: True or False | True is required for consideration of this flow. |
    | one-time-device-email | Single-valued string or multi-valued string for multiple values. | The OTP will be sent to this email address. |
    | one-time-device-sms | Single-valued string or multi-valued string for multiple values. The phone number must be in the E.164 standard format. | The OTP will be sent to this phone number through SMS. |
    | one-time-device-voice | Single-valued string or multi-valued string for multiple values. The phone number must be in the E.164 standard format. | The OTP will be delivered to this phone through voice call. |

  3. If more than one target is specified, users are transitioned first to the device selection step, and then to the OTP authentication flow after device selection. If the flow is invoked with just one specific target device, the user goes directly through the OTP authentication flow for that device.
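Because the targets in this flow are unpaired and come straight from the previous adapter, it is worth checking them before they are chained. The following is an added example, not code from the integration kit: a Python model of the documented decision (flag, targets, one versus many) with an E.164 check. The function names, the step labels, the case-insensitive flag comparison, and the coarse email pattern are assumptions.

```python
import re

# Attribute names are from the page; patterns and step labels are assumptions.
FLAG = "support-one-time-device-otp"
E164 = re.compile(r"\+[1-9]\d{1,14}")  # "+", non-zero first digit, at most 15 digits
TARGETS = {
    "one-time-device-email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),  # shape check only
    "one-time-device-sms": E164,
    "one-time-device-voice": E164,
}

def as_list(value):
    """Accept a single-valued string or a multi-valued attribute."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def plan_flow(attrs):
    """Return (step, targets, rejected) for a dict of chained attributes."""
    if str(attrs.get(FLAG, "")).strip().lower() != "true":
        return "not-invoked", [], []
    targets, rejected = [], []
    for name, pattern in TARGETS.items():
        for raw in as_list(attrs.get(name)):
            pair = (name, raw.strip())
            if not pattern.fullmatch(pair[1]):
                rejected.append(pair)   # malformed target: log it, do not chain it
            elif pair not in targets:
                targets.append(pair)    # de-duplicate repeated values
    if not targets:
        return "not-invoked", [], rejected  # the flow needs valid target information
    step = "otp" if len(targets) == 1 else "device-selection"
    return step, targets, rejected

# Constructed sample input: one email, one valid and one malformed SMS number.
SAMPLE = {
    "support-one-time-device-otp": "TRUE",
    "one-time-device-email": "user@example.com",
    "one-time-device-sms": ["+15555550100", "555-0100"],
}

if __name__ == "__main__":
    print(plan_flow(SAMPLE))
```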