Supporting multiple access mode
Use multiple access mode to extend authentication sessions for low-risk devices and reduce security risks for multi-user devices.
Multiple access mode requires:
This topic describes some sample configurations. Administrators should determine actual organization requirements. For more information, see the PingFederate documentation. |
Some organizations want to offer their users an option for the system to retain successful authentication for a long period of time (long-lived session). For example, an organization whose policy challenges the user with the HTML Form Adapter followed by PingID multi-factor authentication (MFA) might require users authenticate only once every seven days.
Organizations typically have one or more of the following use cases:
-
An organization-owned single-user device, for example, an employee’s laptop or desktop computer. This is the predominant use case.
-
An organization-owned multiple-users device, such as a kiosk or shared tablet.
-
A device not owned by the organization that is used by single or multiple users, such as an internet cafe device or a home computer.
In a long-lived session scenario, an organization-owned accessing device allocated to an individual user for their sole use might be considered a low-risk scenario. However, secure long-lived sessions pose a challenge for organizations with teams whose users share an accessing device, or for users who might invoke authentication from a home computer or public computer.
In addition to organization-owned, single-user machine scenarios, admins can configure single sign-on (SSO) with MFA, supporting the following features:
-
Indicate that a browser is running on a public device, such as on an organization-owned kiosk machine. User information will not be saved on that device.
-
Allow users to indicate that the browser used for access is running on a public device, or on a device not regularly used for secure access, and assure users that they can securely sign on without concern about user information being kept on that device.
-
Allow users the option to be deleted from a certain accessing device in order to avoid cases of other users later signing on to the same machine and being authenticated based on the long-lived session policy applied to a previous user’s recent authentication.
-
In terms of security compliance, ensure that when a user logs out, both first factor and MFA cookies are deleted and recent authentication policies will no longer apply.
The PingID recent authentication policy rules are relevant only for private devices. Session information is not retained on termination of sessions on shared devices. For more information regarding the recent authentication access policy, refer to the following topics in the PingID admin guide: |
When multiple access mode is configured, and a user attempts to access a protected resource, PingFederate analyzes parameters returned from the access request and determines whether the accessing device is private or shared. Based on the results, the process functions according to the following use case scenarios:
- Private accessing device
-
-
User information, including first factor and recent MFA information, is stored on the accessing device.
-
PingID checks the recent MFA, and the user is not required to reauthenticate until the time limit expires on the recent authentication policy.
-
When PingFederate is configured for single logout (SLO), and a signed-on user signs out from any accessed resource protected by PingFederate and PingID MFA on a private device:
|
- Shared accessing device
-
-
No user information is stored on the accessing device.
-
Because session information is not stored on shared devices, there is no relevance to the recent authentication policy.
-
- Unknown accessing device
-
When the system is unable to determine whether the accessing device is private or shared, the HTML sign on form displays the This is my device check box, prompting the user to indicate the device status at sign on.
This is my device check box:
-
Unchecked (default): Regards the accessing device as a shared device.
-
Checked: Regards the accessing device as a private device.