Configuring backup authentication methods
Configure backup authentication so that a user can still sign on when they do not have access to their primary authentication device, for example because they left the device at home or it has been lost or stolen.
Before you begin
Ensure the relevant attributes are configured in your user directory and are up-to-date.
Attributes must be entered in the correct format. For more information, see Configuring the phone number attribute in PingOne, Configuring LDAP attributes in PingFederate, Integrate PingID with AD FS, step 5 of Configuring advanced settings, and Configuring PingID MFA for Microsoft Azure AD Conditional Access.
About this task
Backup authentication uses the email and phone attributes stored in your organization’s user directory to send a one-time passcode (OTP) to the user through SMS, voice, or email. This option is available for web SSO only.
If you enable one or more backup authentication types, and the user has at least one valid phone number or email address listed in the user directory, a Forgot Your Device? link is shown on the authentication screen. When the user clicks Forgot Your Device?, they are presented with a list of the backup authentication options available for their account.
If a policy is applied to your organization, the Forgot Your Device? link only appears if either the authenticate rule action, or a rule action with a fallback, such as fingerprint with OTP fallback, is applied to the policy.
You can include the following directory attributes as options for backup authentication:
- Email
- Secondary email
- Voice
- SMS
Phone numbers must be saved in Google Library format, which specifies that all phone numbers must include "+" and the international country code. Only attributes listed in the required format are displayed as a backup authentication method.
PingOne supports the use of a single email address and a single phone number, which can be used for both SMS and Voice.
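The format rule above decides which options a user is offered, so it is worth checking directory records before enabling backup authentication. The following is an added example, not PingID code: it approximates the "+" and country-code requirement with an E.164-style pattern, uses a simple email check, and assumes the attribute names `mail`, `secondaryMail` and `mobile` (the names in your directory may differ).

```python
import re
from typing import Optional

# Constructed sample directory records (not real users). The malformed values
# show what would NOT be offered as a backup method.
SAMPLE_USERS = {
    "alice": {"mail": "alice@example.com",
              "secondaryMail": "alice.home@example.net",
              "mobile": "+14155550100"},
    "bob":   {"mail": "bob@example.com",
              "secondaryMail": None,
              "mobile": "415-555-0100"},      # missing '+' and country code
    "carol": {"mail": "not-an-email",
              "secondaryMail": None,
              "mobile": None},
}

# Assumption: "+" plus country code is approximated as E.164:
# leading '+', first digit 1-9, at most 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")
# Deliberately simple email check: one '@', non-empty local part, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_phone(value: Optional[str]) -> bool:
    return bool(value) and E164_RE.fullmatch(value) is not None


def is_valid_email(value: Optional[str]) -> bool:
    return bool(value) and EMAIL_RE.fullmatch(value) is not None


def backup_methods(record: dict) -> list:
    """Return the backup options that would be offered for this record.
    Only attributes in the required format count, and one phone number
    serves both SMS and Voice, as the page states."""
    methods = []
    if is_valid_email(record.get("mail")):
        methods.append("Email")
    if is_valid_email(record.get("secondaryMail")):
        methods.append("Secondary email")
    if is_valid_phone(record.get("mobile")):
        methods.extend(["SMS", "Voice"])
    return methods


def audit(users: dict) -> dict:
    """Map each user to their available backup methods; an empty list means
    the 'Forgot Your Device?' link would not appear for that user."""
    return {name: backup_methods(rec) for name, rec in users.items()}
```

Users that come back with an empty list need their directory attributes corrected before backup authentication will help them.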
Steps
- Sign on to the admin portal and go to Setup → PingID → Configuration.
- In the Authentication section, go to Alternate Authentication Methods.
- To enable an authentication method as backup authentication, in the relevant row, select the Backup Authentication check box.
- Click Save.
- To select backup authentication as an allowed authentication method when creating a PingID policy, see PingID policy.
Result
The next time a user signs on or performs an action that requires authentication, if they have a valid backup authentication method, they can click Forgot Your Device? and authenticate with a backup device.
When the user clicks Forgot Your Device?, PingID sends a device change notification to the paired device and invalidates the original authentication request. To view the user flow, see Authenticating using a backup device.