PingID Administration Guide

Authentication method selection and priority - use cases

See the following table for detailed examples of use cases where the configuration at the organization level can affect the implementation of an authentication policy.

Authentication method selection by specific use cases

| Use Case | User Paired Devices | Allowed Authentication Methods | Rule Action | Result | Reason |
|---|---|---|---|---|---|
| 1 | • SMS (primary)<br>• Email | All methods | Email | User is requested to authenticate through email | Although the primary is SMS, the user is requested to authenticate using email as the rule action requires email. |
| 2 | • Desktop (primary)<br>• Email<br>• YubiKey | YubiKey | Authenticate | User is requested to authenticate with YubiKey | User is automatically prompted to authenticate using a YubiKey, regardless of whether the configuration is set to Default to Primary or Prompt user to select. This is because the user only has one allowed authentication method paired with their account. |
| 3 | • The PingID mobile app (primary)<br>• SMS<br>• Voice | SMS / Voice / Email | Authenticate | User is unable to authenticate | • Default to Primary: Even though the user’s primary device is disallowed (PingID Mobile app), the user is prompted to authenticate with the device that was enrolled first out of the list of allowed secondary devices.<br>• Prompt user to select: the user is presented with a list of secondary devices. The user selects the secondary device with which they want to authenticate. |
| 4 | • SMS (primary)<br>• YubiKey<br>• Email | Mobile App Biometrics / Swipe / One-time passcode | Authenticate | Authentication denied | User does not have one of the allowed authentication methods paired with their account. |
| 5 | • The PingID mobile app (primary)<br>• Desktop<br>• Voice | All methods | SMS | Authentication denied | User does not have the required authentication method paired with their account. |
| 6 | The PingID mobile app (Swipe disabled) | Mobile App Biometrics / Swipe | Authenticate | Authentication denied | Swipe is disabled in the PingID mobile app and the user is unable to receive a push notification.<br><br>As a one-time passcode (OTP) is not included in the Allowed Authentication Methods, the user cannot use an OTP, even if OTP Fallback is enabled. |
| 7 | The PingID mobile app (Swipe disabled) | All methods | Mobile App Biometrics (required) | Authentication denied | Mobile App Biometrics (required) permits authentication with biometrics only, and does not allow use of an OTP.<br><br>“Swipe disabled” prevents the user from receiving a push notification to their device, preventing the user from authenticating with biometrics. |
| 8 | The PingID mobile app where:<br>• Device supports biometrics<br>• Biometrics not defined on device | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | If a device does not support biometrics, PingID allows the user to authenticate using swipe as an exception. If the device supports biometrics, but biometrics are not defined on the device, the user can use swipe.<br><br>This is possible because biometrics is enabled (and not required) by the biometrics configuration. |
| 9 | The PingID mobile app where:<br>• Device does not support biometrics<br>• Biometrics required at configuration level | Mobile App Biometrics | Mobile App Biometrics (required) | The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked. | Although biometrics is required, because the user’s device does not support biometrics, the user is still able to authenticate with swipe (if device unlocked), or using their device passcode (if device is locked). |
| 10 | The PingID mobile app where:<br>• Device supports biometrics<br>• Biometrics not defined on device<br>• Biometrics required at configuration level | Mobile App Biometrics | Mobile App Biometrics (required) | The user is not able to authenticate | Biometrics are required at the configuration level, and biometrics authentication is possible on the user’s device. The user is not able to authenticate because they have not defined biometrics on the device. |
| 11 | The PingID mobile app where:<br>• Device supports biometrics<br>• Biometrics are defined on device<br>• Biometrics required at configuration level | Mobile App Biometrics / Swipe | Authenticate | User is able to authenticate with biometrics | Biometrics have a higher priority over swipe, and the user is prompted to authenticate with biometrics. |
| 12 | • Security key (primary)<br>• Email<br>• SMS<br><br>Where the browser used does not provide WebAuthn support required for security key. | All methods | Authenticate | User is able to authenticate with email or SMS | • Default to Primary: Even though the user’s primary device is disallowed because the browser does not support WebAuthn, the user is prompted to authenticate with the secondary device that was enrolled first out of the list of allowed secondary devices.<br>• Prompt user to select: A security key is not included in the list of devices, as the browser does not support WebAuthn. The user is presented with a list of secondary devices only. The user selects the secondary device with which they want to authenticate. |
| 13 | • Security key (primary)<br>• Email<br>• SMS<br><br>Where the browser used does not provide WebAuthn support required for security key. | All methods | Security Key | User is unable to authenticate | Even though the user has a security key paired with their account, they are signing on using a browser that does not support WebAuthn. |
| 14 | • The PingID mobile app (primary)<br>• Security key<br>• Email<br><br>Where the browser supports WebAuthn. Policy rule authenticating from a new device is applied and requires a security key. | All methods | Security key | User is able to authenticate with a Security key only. In the case of a phishing attack, the user is not able to authenticate with any device. | • If authenticating from a new device a security key is required.<br>• If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the accessing from new device policy rule. Even though the user has other devices paired, they are prompted to authenticate using a security key only, and cannot change device due to the policy rule restrictions.<br><br>This configuration guards all devices against a phishing attack. |
| 15 | • FIDO2 biometrics (primary)<br>• Email<br>• SMS<br><br>Where the browser used does not provide WebAuthn Platform support. | All methods | FIDO2 Biometrics | User is unable to authenticate | Even though the user has a FIDO2 biometrics device paired with their account, they are signing on using a browser that does not support WebAuthn. |
| 16 | • The PingID mobile app (primary)<br>• FIDO2 Biometrics<br>• Email<br><br>Where the browser supports a WebAuthn Platform. Policy rule authenticating from a new device is applied and requires a security key. | All methods | FIDO2 | User is able to authenticate with FIDO2 only. In the case of a phishing attack, the user is not able to authenticate with any device. | • If authenticating from a new device, FIDO2 biometrics device is required.<br>• If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the accessing from new device policy rule. Even though the user has other devices paired, they are prompted to authenticate using a FIDO2 biometrics device only and cannot change device due to the policy rule restrictions.<br><br>This configuration guards all devices against a phishing attack. |
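
The outcomes of use cases 1, 2, 4, 5, 12 and 13 can be reproduced with a small decision function, which is useful for checking a planned policy before rollout. This Python model is an added example, not PingID code: the method labels, function names and the choice to apply the allowed-methods filter even when a rule requires one method are assumptions, and mobile app sub-methods (swipe, biometrics, OTP fallback) and the new-device rule are not modelled.

```python
from dataclasses import dataclass

WEBAUTHN_METHODS = {"security_key", "fido2_biometrics"}  # need browser WebAuthn support

@dataclass
class Device:
    method: str            # hypothetical labels: "sms", "email", "yubikey", ...
    primary: bool = False

def select_method(paired, allowed, rule_action, mode, webauthn=True):
    """Model of the selection outcome; `paired` is in enrollment order.
    allowed: set of methods, or None for "All methods".
    rule_action: "authenticate", or the single method the rule requires.
    mode: "default_to_primary" or "prompt_user_to_select".
    Returns ("deny", None), ("prompt", method) or ("choose", [methods]).
    """
    usable = [d for d in paired
              if (allowed is None or d.method in allowed)
              and (webauthn or d.method not in WEBAUTHN_METHODS)]
    if rule_action != "authenticate":
        # The rule names one method, so the primary is ignored (use case 1).
        usable = [d for d in usable if d.method == rule_action]
    if not usable:
        return ("deny", None)                        # use cases 4, 5, 13
    if len(usable) == 1:
        return ("prompt", usable[0].method)          # use case 2
    if mode == "prompt_user_to_select":
        return ("choose", [d.method for d in usable])
    primary = next((d for d in usable if d.primary), None)
    # Primary unusable: fall back to the first-enrolled usable device (use case 12).
    return ("prompt", (primary or usable[0]).method)

def use_case(n, mode="default_to_primary"):
    """Constructed inputs mirroring rows of the table above."""
    D = Device
    rows = {
        1: ([D("sms", True), D("email")], None, "email", True),
        2: ([D("desktop", True), D("email"), D("yubikey")], {"yubikey"}, "authenticate", True),
        4: ([D("sms", True), D("yubikey"), D("email")],
            {"mobile_app_biometrics", "swipe", "otp"}, "authenticate", True),
        5: ([D("mobile_app", True), D("desktop"), D("voice")], None, "sms", True),
        12: ([D("security_key", True), D("email"), D("sms")], None, "authenticate", False),
        13: ([D("security_key", True), D("email"), D("sms")], None, "security_key", False),
    }
    paired, allowed, action, webauthn = rows[n]
    return select_method(paired, allowed, action, mode, webauthn)

if __name__ == "__main__":
    print({n: use_case(n) for n in (1, 2, 4, 5, 12, 13)})
```
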