---
title: OOTB - Financial Services - Device Authentication - Subflow
description: Learn about the OOTB - Financial Services - Device Authentication - Subflow flow, including its purpose, structure, inputs, outputs, and variables.
component: pingone-solutions
page_id: pingone-solutions:financial-services:flow-reference/financial-services-device-authentication-subflow
canonical_url: https://docs.pingidentity.com/pingone-solutions/financial-services/flow-reference/financial-services-device-authentication-subflow.html
revdate: January 1, 2025
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables-and-parameters: Variables and parameters
---

# OOTB - Financial Services - Device Authentication - Subflow

The **OOTB - Financial Services - Device Authentication - Subflow** lets users authenticate using a known device.

## Purpose

The **OOTB - Financial Services - Device Authentication - Subflow** enables users to authenticate using a known device. The flow evaluates the devices associated with the user account, invoking the **OOTB - Financial Services - Magic Link Authentication - Subflow** flow if necessary. It then enables the user to select an authentication method and authenticates the user with the selected method.

## Structure

This flow is divided into sections using teleport nodes:

* **Gather Browser And Devices Data**

  Uses a PingOne node to gather the user's existing devices. Next, an HTML node evaluates the user's browser to determine if biometrics are available. The flow then progresses to the **Filter and Mask Devices** section.

* **Filter and Mask Devices**

  Filters the list of available devices to create a list of usable devices, then masks the device information so that the devices can be identified without displaying the full device information. The flow then progresses to the **Check If MFA Enabled And Any Device Active** section.

* **Check If MFA Enabled And Any Device Active**

  Uses a PingOne node to check the user's multi-factor authentication (MFA) status. If MFA is enabled and the user has active devices, the flow progresses to the **Decide Authentication Path Based On MFA Policy** section. If MFA is not enabled or the user has no active devices, the flow progresses to the **Call Magic Link Authentication** section.

* **Decide Authentication Path Based On MFA Policy**

  Uses a PingOne node to begin MFA. If an assertion or a one-time passcode (OTP) is required, the flow progresses to the **Default Device Enrichment** section. If the user has multiple devices, or if the user has only one usable device and magic link is enabled, the flow progresses to the **Device Selection** section. If the user has one usable device and magic link is not enabled, the flow progresses to the **Default Device Enrichment** section.

* **Call Magic Link Authentication**

  Invokes the **OOTB - Financial Services - Magic Link Authentication - Subflow** flow if magic link authentication is enabled. The flow then progresses to the **Return Success** section.

* **Device Selection**

  Presents the user with an HTML page on which they can select a device.

  * If the user selected magic link, the **OOTB - Financial Services - Magic Link Authentication - Subflow** flow is invoked, and the flow then progresses to the **Return Success** section or to the **Device Selection** section depending on the subflow results.

  * If the user selected another authentication method, a PingOne node records their selection and the flow progresses to the **Default Device Enrichment** section.

* **Default Device Enrichment**

  Uses a function node to enrich the device details, then the flow progresses to the **Handle TOTP, SMS, Voice, Mobile and Email OTP Authentication** section if an OTP is required, to the **Handle FIDO2 Authentication** section if assertion is required, or to the **Start Mobile Push** section if push confirmation is required.

* **Handle TOTP, SMS, Voice, Mobile and Email OTP Authentication**

  Uses function nodes to begin tracking the number of attempts and check the device type, then presents the user with an HTML page with options to enter the passcode, change devices, or resend the OTP.

  * If the user selects resend, the number of resend attempts is incremented and compared to the maximum. If the maximum hasn't been reached, a PingOne node resends the OTP and a confirmation message displays.

  * If the user selects a different method, the flow progresses to the **Device Selection** section.

  * If the user enters a passcode, a function node converts the value to lowercase, then a PingOne MFA node evaluates the passcode. If the passcode is validated successfully, the authentication method is saved as a variable and the flow progresses to the **Return Success** section.

* **Handle FIDO2 Authentication**

  Presents users with the option to select a different device or continue with the current device. If the user selects a different device, it progresses to the **Device Selection** section. If the user continues, it uses a PingOne MFA node with FIDO assertion to authenticate the user. If the authentication succeeds, the flow progresses to the **Return Success** section.

* **Mobile Push Flow**

  Displays a polling page, then branches based on the user's selection.

  * If the user chooses to use a passcode, the flow progresses to the **Mobile Passcode Flow** section.

  * If the user chooses to use a different device, the flow progresses to the **Device Selection** section.

  * If the user attempts to authenticate using the current device, a PingOne MFA node reads the device authentication.

  The flow branches again based on the authentication status.

  * If the status is complete, a function node saves the authentication method as a variable and the flow progresses to the **Return Success** section.

  * If the status is failed, a function node checks whether the attempt timed out. If so, the flow progresses to the **Mobile App Timed Out** section.

  * If the status is `push configuration required`, polling continues.

  * If the status is `push configuration timed out`, a function node checks if OTP fallback is allowed. If so, the flow progresses to the **Mobile Passcode Flow** section.

* **Mobile Passcode Flow**

  Presents users with an HTML form, with options for retrying, cancelling, or submitting an OTP.

  * If the user retries, a PingOne MFA node performs device selection, and the flow returns to the **Mobile Push Flow** section.

  * If the user cancels, the flow progresses to the **Device Selection** section.

  * If the user submits an OTP, a PingOne MFA node checks the device passcode. A function node then saves the authentication method as a variable, and the flow progresses to the **Return Success** section.

* **Mobile App Timed Out**

  Displays an error screen which presents the user with multiple options.

  * If the user retries, a PingOne MFA node performs device selection, and the flow returns to the **Mobile Push Flow** section.

  * If the user selects `Change Device`, the flow progresses to the **Device Selection** section.

* **Return Success**

  Sends a success JSON response, indicating that the flow completed successfully.

* **Return Error**

  Sends an error JSON response, indicating that the flow completed unsuccessfully.

## Input schema

This flow has the following inputs:

| Input name           | Required | Description                                                                                                     |
| -------------------- | -------- | --------------------------------------------------------------------------------------------------------------- |
| `p1UserId`           | Yes      | The current user's PingOne user ID.                                                                             |
| `resendOtpLimit`     | Yes      | The maximum number of times a new OTP can be sent to the user.                                                  |
| `email`              | No       | The user's email address.                                                                                       |
| `p1MFAPolicyId`      | No       | The PingOne MFA policy to apply.                                                                                |
| `allowedDeviceTypes` | No       | A string containing any or all of `SMS, EMAIL, FIDO2, TOTP, VOICE, MOBILE` indicating the allowed device types. |
| `otpFallbackAllowed` | No       | A Boolean indicating whether a user can fall back to an OTP after an authentication failure.                    |
| `magicLinkEnabled`   | No       | A Boolean indicating whether magic link is enabled.                                                             |
| `companyLogo`        | No       | The company logo. Used only when the main flow was launched using a redirect.                                   |
| `cancelEnabled`      | No       | A Boolean indicating whether the user can cancel an authentication method selection.                            |
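
The following sketch shows how the `allowedDeviceTypes` input could drive the **Filter and Mask Devices** section. It is an added example, not the flow's own function-node code. The device object shape, the `ACTIVE` status check, the masking format, and all function names are assumptions made for illustration.

```javascript
// Added example, not the flow's own function-node code.
// Assumed device shape: { id, type, status, phone?, email? }.
const KNOWN_TYPES = ['SMS', 'EMAIL', 'FIDO2', 'TOTP', 'VOICE', 'MOBILE'];

// Parse the allowedDeviceTypes input. A missing or blank value allows every
// known type (assumption); a value with no recognised type allows none.
function parseAllowedTypes(allowedDeviceTypes) {
  const raw = String(allowedDeviceTypes == null ? '' : allowedDeviceTypes).trim();
  if (raw === '') return new Set(KNOWN_TYPES);
  const types = raw.split(',').map((t) => t.trim().toUpperCase());
  return new Set(types.filter((t) => KNOWN_TYPES.includes(t)));
}

// Keep only the last four digits; very short numbers are masked entirely.
function maskPhone(phone) {
  const digits = String(phone || '').replace(/\D/g, '');
  return digits.length > 4 ? '*'.repeat(digits.length - 4) + digits.slice(-4) : '****';
}

// Keep the first character and the domain; the fixed-width mask hides length.
function maskEmail(email) {
  const value = String(email || '');
  const at = value.lastIndexOf('@');
  return at < 1 ? '***' : value[0] + '***' + value.slice(at);
}

// Build the list sent to the selection page from an allow-list of fields,
// so unmasked phone numbers and addresses never reach the browser.
function usableMaskedDevices(devices, allowedDeviceTypes) {
  const allowed = parseAllowedTypes(allowedDeviceTypes);
  return devices
    .filter((d) => d.status === 'ACTIVE' && allowed.has(d.type))
    .map((d) => {
      let label = d.type;
      if (d.type === 'SMS' || d.type === 'VOICE') label = maskPhone(d.phone);
      if (d.type === 'EMAIL') label = maskEmail(d.email);
      return { id: d.id, type: d.type, label };
    });
}

// Constructed sample data (not real users or devices).
const SAMPLE_DEVICES = [
  { id: 'dev-1', type: 'SMS', status: 'ACTIVE', phone: '+1 555 010 0199' },
  { id: 'dev-2', type: 'EMAIL', status: 'ACTIVE', email: 'jordan.lee@example.com' },
  { id: 'dev-3', type: 'TOTP', status: 'ACTIVATION_REQUIRED' },
  { id: 'dev-4', type: 'FIDO2', status: 'ACTIVE' },
];

console.log(usableMaskedDevices(SAMPLE_DEVICES, 'SMS, EMAIL, TOTP'));
```

Because the device list is shown before the user has completed MFA, the output object is built field by field rather than by copying the device record and deleting sensitive keys.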

## Output schema

This flow has the following outputs:

| Output Name     | Description                                                             |
| --------------- | ----------------------------------------------------------------------- |
| `subflowResult` | The result status of the flow.                                          |
| `authMethod`    | The authentication method used, if the user successfully authenticated. |
| `errorMessage`  | The error message to pass to the parent flow.                           |
| `errorDetails`  | The details of the error that occurred.                                 |

## Variables and parameters

This flow uses the following variable or parameter values:

| Variable name       | Parameter name | Description                                     |
| ------------------- | -------------- | ----------------------------------------------- |
| `resendOtpAttempts` | None           | The number of times the user has resent an OTP. |
