Authentication method selection and priority - use cases
See the following table for detailed examples of use cases where the configuration at the organization level can affect the implementation of an authentication policy.
Use Case | User Paired Devices | Allowed Authentication Methods | Rule Action | Result | Reason |
---|---|---|---|---|---|
1 | | All methods | | User is requested to authenticate through email | Although the primary is SMS, the user is requested to authenticate using email as the rule action requires email. |
2 | | YubiKey | Authenticate | User is requested to authenticate with YubiKey | User is automatically prompted to authenticate using a YubiKey, regardless of whether the configuration is set to Default to Primary or Prompt user to select. This is because the user only has one allowed authentication method paired with their account. |
3 | | SMS / Voice / Email | Authenticate | User is unable to authenticate | |
4 | | Mobile App Biometrics / Swipe / One-time passcode | Authenticate | Authentication denied | User does not have one of the allowed authentication methods paired with their account. |
5 | | All methods | SMS | Authentication denied | User does not have the required authentication method paired with their account. |
6 | The PingID mobile app (Swipe disabled) | Mobile App Biometrics / Swipe | Authenticate | Authentication denied | Swipe is disabled in the PingID mobile app and the user is unable to receive a push notification. As a one-time passcode (OTP) is not included in the Allowed Authentication Methods, the user cannot use an OTP, even if OTP Fallback is enabled. |
7 | The PingID mobile app (Swipe disabled) | All methods | Mobile App Biometrics (required) | Authentication denied | Mobile App Biometrics (required) permits authentication with biometrics only, and does not allow use of an OTP. “Swipe disabled” prevents the user from receiving a push notification to their device, preventing the user from authenticating with biometrics. |
8 | The PingID mobile app where: | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | If a device does not support biometrics, PingID allows the user to authenticate using swipe as an exception. If the device supports biometrics, but biometrics are not defined on the device, the user can use swipe. This is possible because biometrics is enabled (and not required) by the biometrics configuration. |
9 | The PingID mobile app where: | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | Although biometrics is required, because the user’s device does not support biometrics, the user is still able to authenticate with swipe (if device unlocked), or using their device passcode (if device is locked). |
10 | The PingID mobile app where: | Mobile App Biometrics | Mobile App Biometrics (required) | The user is not able to authenticate | Biometrics are required at the configuration level, and biometrics authentication is possible on the user’s device. The user is not able to authenticate because they have not defined biometrics on the device. |
11 | The PingID mobile app where: | Mobile App Biometrics / Swipe | Authenticate | User is able to authenticate with biometrics | Biometrics have a higher priority over swipe, and the user is prompted to authenticate with biometrics. |
12 | Where the browser used does not provide WebAuthn support required for security key. | All methods | Authenticate | User is able to authenticate with email or SMS | |
13 | | All methods | Security Key | User is unable to authenticate | Even though the user has a security key paired with their account, they are signing on using a browser that does not support WebAuthn. |
14 | Where the browser supports WebAuthn. Policy rule authenticating from a new device is applied and requires a security key. | All methods | Security key | User is able to authenticate with a Security key only. In the case of a phishing attack, the user is not able to authenticate with any device. | This configuration guards all devices against a phishing attack. |
15 | Where the browser used does not provide WebAuthn Platform support. | All methods | FIDO2 Biometrics | User is unable to authenticate | Even though the user has a FIDO2 biometrics device paired with their account, they are signing on using a browser that does not support WebAuthn. |
16 | Where the browser supports a WebAuthn Platform. Policy rule authenticating from a new device is applied and requires a security key. | All methods | FIDO2 | User is able to authenticate with FIDO2 only. In the case of a phishing attack, the user is not able to authenticate with any device. | This configuration guards all devices against a phishing attack. |
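
The selection behaviour in use cases 1, 2, 4, 5, 12 and 13, written as a simplified model for checking which users a policy would deny before it is rolled out. This is an added example, not PingID code: the method names, the `Policy` class, `resolve`, `lockout_audit` and the sample users are assumptions, and the mobile app swipe and biometrics cases are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Methods that depend on WebAuthn support in the browser (use cases 12-16).
WEBAUTHN_METHODS = {"security_key", "fido2_biometrics"}

@dataclass
class Policy:
    allowed: Optional[set]             # None models "All methods"
    rule_action: str = "authenticate"  # or the name of one required method
    default_to_primary: bool = True    # False models "Prompt user to select"

def resolve(paired, policy, browser_webauthn=True):
    """paired: the user's methods, primary first. Returns (outcome, methods)."""
    usable = [m for m in paired
              if (policy.allowed is None or m in policy.allowed)
              and (browser_webauthn or m not in WEBAUTHN_METHODS)]
    if policy.rule_action != "authenticate":
        # A rule that names a method overrides the primary (use case 1) and
        # denies when that method is not usable (use cases 5 and 13).
        if policy.rule_action in usable:
            return ("prompt", [policy.rule_action])
        return ("denied", [])
    if not usable:
        return ("denied", [])          # use case 4: nothing allowed is paired
    if len(usable) == 1 or policy.default_to_primary:
        return ("prompt", usable[:1])  # use case 2: single method, no choice
    return ("select", usable)          # user picks, as in use case 12

def lockout_audit(users, policy, browser_webauthn=True):
    """Return the users this policy would deny, sorted by name."""
    return sorted(u for u, paired in users.items()
                  if resolve(paired, policy, browser_webauthn)[0] == "denied")

# Constructed sample directory: user -> paired methods, primary first.
USERS = {
    "alice": ["sms", "email"],
    "bob": ["yubikey"],
    "carol": ["security_key", "email", "sms"],
    "dave": ["security_key"],
}

if __name__ == "__main__":
    print(lockout_audit(USERS, Policy(allowed=None, rule_action="security_key")))
    print(lockout_audit(USERS, Policy(allowed={"sms", "voice", "email"})))
```

Running the audit with `browser_webauthn=False` shows which users depend entirely on a WebAuthn method and would be denied from an unsupported browser.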