PingID Administration Guide

Rule authentication actions

The list of authentication actions that you can choose to enforce within a policy rule is determined by the authentication methods allowed at the policy level.

Rule authentication actions and deprecated actions
Authentication Action Description

Approve

Approves access without requiring PingID authentication.

This rule action cannot be used in a PingFederate passwordless flow, because at least one authentication factor is required to use the Approve action.

Authenticate

Allows a user to authenticate using any of the authentication methods available to the user and allowed at the policy level.

If a user has a mobile app with both biometrics and swipe capabilities, biometrics authentication is given priority.

Authenticator app

Allows a user to authenticate using an authenticator app only, such as Google Authenticator.

Deny

Denies access.

Desktop

Allows a user to authenticate using a desktop app only.

Email

Allows a user to authenticate using an email app only.

FIDO2 Biometrics

Allows a user to authenticate using the device's built-in biometrics on a FIDO2 biometrics device. This option is only available for web-based policies.

Mobile App Biometrics

Allows a user to authenticate with the PingID mobile app using biometrics authentication only. This action works according to the biometrics configuration defined in the admin portal.

Swipe authentication is also permitted if the following conditions are met:

  • If Device Biometrics is configured as Enabled, and biometrics are not defined on the user’s device.

  • If Device Biometrics is not configured as Require in the admin configuration page.

  • If biometrics are not supported on the user’s device.

A one-time passcode fallback is also permitted when selecting this option.

DEPRECATED: Fingerprint (with fallback)

  • If the primary or selected device is the PingID mobile app, fingerprint authentication is used according to the fingerprint configuration defined in the admin portal. Fingerprint is the preferred method, but it is also possible to authenticate using swipe or a one-time passcode (OTP).

  • If the primary or selected device is not the PingID mobile app, the user authenticates with that device.

Number matching

Authentication by number matching is permitted.

  • Number matching has priority over Mobile App Biometrics and Swipe authentication methods.

  • If Mobile app biometrics is set to Require in the Configuration tab, the user must authenticate successfully using biometrics and then authenticate using number matching.

OATH Token

Allows a user to authenticate using an OATH token only.

One-time passcode

One-time passcode (required)

Allows a user to authenticate using an OTP obtained from the PingID mobile app only.

DEPRECATED: One-time passcode (with fallback)

  • If the primary or selected device is the PingID mobile app, the user must enter an OTP using the mobile app.

Swipe or fingerprint authentication is not permitted in this case.

  • If the primary or selected device is not the PingID mobile app, the user authenticates with that device.

SMS

Allows a user to authenticate using a passcode obtained by SMS only.

Security Key

Allows a user to authenticate using a security key only. This option is only available for web-based policies.

Swipe

Swipe (required)

Allows a user to authenticate using the PingID mobile app swipe action only.

An OTP fallback is also possible when selecting this option.

DEPRECATED: Swipe (with fallback)

  • If the primary or selected device is the PingID mobile app, swipe is always required.

Even if the user has fingerprint authentication defined on their device, fingerprint is not required in this case.

  • If the primary or selected device is not the PingID mobile app, the user authenticates with that device.

Voice

Allows a user to authenticate using a passcode obtained by a voice message only.

YubiKey

Allows a user to authenticate using a YubiKey only.