PingOne Solution Packs

Healthcare - CSR Help Desk - Device Authentication - Subflow

The Healthcare - CSR Help Desk - Device Authentication - Subflow lets users authenticate using a known device.

Purpose

The Healthcare - CSR Help Desk - Device Authentication - Subflow enables users to authenticate using a known device. The flow evaluates the devices associated with the user account, then enables the user to select an authentication method and authenticates the user with the selected method.

Structure

This flow is divided into sections using teleport nodes:

Gather Devices Data

Uses a PingOne node to gather the user’s existing devices. Next, a function node filters the list of available devices to create a list of usable devices. The flow then progresses to the Filter and Mask Devices section.

Filter and Mask Devices

Uses a function node to mask the device information so that the devices can be identified without displaying the full device information, then uses a PingOne node to check the user’s multi-factor authentication (MFA) status. The flow then progresses to the Check If MFA Enabled And Any Device Active section.
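
The filtering and masking steps from the Gather Devices Data and Filter and Mask Devices sections, sketched as an added JavaScript example (not the solution pack's own function-node code). The device field names, the ACTIVE status value, and all function names are assumptions.

```javascript
// Added example. Device field names (id, type, status, phone, email, nickname)
// and the "ACTIVE" status value are assumptions about the device records.
const KNOWN_TYPES = ["SMS", "EMAIL", "FIDO2", "TOTP", "VOICE", "MOBILE"];

// The page does not specify a delimiter for allowedDeviceTypes, so each known
// type is looked up by name. Assumption: an empty or missing input allows all.
function parseAllowedTypes(allowedDeviceTypes) {
  if (!allowedDeviceTypes) return new Set(KNOWN_TYPES);
  const value = String(allowedDeviceTypes).toUpperCase();
  return new Set(KNOWN_TYPES.filter((t) => value.includes(t)));
}

// Keep only the last four digits; very short numbers are hidden entirely.
function maskPhone(phone) {
  const digits = String(phone).replace(/\D/g, "");
  if (digits.length <= 4) return "*".repeat(digits.length);
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Keep the first character and the domain; a fixed-width mask hides the length.
function maskEmail(email) {
  const value = String(email);
  const at = value.lastIndexOf("@");
  if (at < 1) return "***";
  return value[0] + "***" + value.slice(at);
}

function maskedLabel(device) {
  if (device.type === "SMS" || device.type === "VOICE") return maskPhone(device.phone);
  if (device.type === "EMAIL") return maskEmail(device.email);
  return device.nickname || device.type; // no contact data to mask
}

// Build the list handed to the selection page from an allowlist of fields, so
// the raw phone number or address is never copied into the output.
function usableDevices(devices, allowedDeviceTypes) {
  const allowed = parseAllowedTypes(allowedDeviceTypes);
  return devices
    .filter((d) => d.status === "ACTIVE" && allowed.has(d.type))
    .map((d) => ({ id: d.id, type: d.type, label: maskedLabel(d) }));
}

// Constructed sample records, not real data.
const SAMPLE_DEVICES = [
  { id: "dev-1", type: "SMS", status: "ACTIVE", phone: "+1 555 010 0199" },
  { id: "dev-2", type: "EMAIL", status: "ACTIVE", email: "pat.doe@example.com" },
  { id: "dev-3", type: "VOICE", status: "ACTIVATION_REQUIRED", phone: "+1 555 010 0142" },
  { id: "dev-4", type: "TOTP", status: "ACTIVE", nickname: "Authenticator app" },
];
```

Because the output objects are built field by field, anything the selection page renders or logs contains only the masked label.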

Check If MFA Enabled And Any Device Active

If MFA is enabled and the user has active devices, the flow uses a PingOne node to begin MFA. The flow then progresses to the Decide Authentication Path Based On MFA Policy section.

Decide Authentication Path Based On MFA Policy

Uses a function node to branch based on the response status:

  • If a one-time passcode (OTP) is required, the flow progresses to the Default Device Enrichment section.

  • If device selection is required, a function node checks if the user has one available device:

    • If the user has one device, a PingOne node begins MFA, then the flow progresses to the Default Device Enrichment section.

    • If the user has more than one device, the flow progresses to the Device Selection section.

Device Selection

Presents the user with an HTML page on which they can select a device:

  • If the user cancels, the flow progresses to the Return Success section.

  • If the user selects a device, a PingOne node processes the device selection, and the flow progresses to the Default Device Enrichment section.

Default Device Enrichment

Uses a function node to enrich the device details, then the flow progresses to the Handle SMS, Voice, Email OTP Authentication section if an OTP is required.

Handle SMS, Voice, Email OTP Authentication

Uses function nodes to begin tracking the number of attempts and check the device type, then presents the user with an HTML page with options to enter the passcode, change devices, or resend the OTP:

  • If the user selects resend, the number of resend attempts is incremented and compared to the maximum. If the maximum hasn’t been reached, a PingOne node resends the OTP and a confirmation message displays.

  • If the user selects a different method, the flow progresses to the Device Selection section.

  • If the user enters a passcode, a function node converts the value to lowercase, then a PingOne MFA node evaluates the passcode. If the passcode is validated successfully, the authentication method is saved as a variable and the flow progresses to the Return Success section.

Mobile Passcode Flow

Presents users with an HTML form, with options for retrying, cancelling, or submitting an OTP:

  • If the user retries, a PingOne MFA node performs device selection, and the flow returns to the Mobile Passcode Flow section.

  • If the user cancels, the flow progresses to the Device Selection section.

  • If the user submits an OTP, a PingOne MFA node checks the device passcode. A function node then saves the authentication method as a variable, and the flow progresses to the Return Success section.

Return Success

Sends a success JSON response, indicating that the flow completed successfully.

Return Error

Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs:

| Input name | Required | Description |
|---|---|---|
| p1UserId | Yes | The current user’s PingOne user ID. |
| resendOtpLimit | Yes | The maximum number of times a new OTP can be sent to the user. |
| email | No | The user’s email address. |
| p1MFAPolicyId | No | The PingOne MFA policy to apply. |
| allowedDeviceTypes | No | A string containing any or all of SMS, EMAIL, FIDO2, TOTP, VOICE, MOBILE indicating the allowed device types. |
| companyLogo | No | The company logo. Used only when the main flow was launched using a redirect. |
| cancelEnabled | No | A Boolean indicating whether the user can cancel an authentication method selection. |

Output schema

This flow has the following outputs:

| Output name | Description |
|---|---|
| subflowResult | The result status of the flow. |
| authMethod | The authentication method used, if the user successfully authenticated. |
| errorMessage | The error message to pass to the parent flow. |
| errorDetails | The details of the error that occurred. |

Variables and parameters

This flow uses the following variable or parameter values:

| Variable name | Parameter name | Description |
|---|---|---|
| resendOtpAttempts | None | The number of times the user has resent an OTP. |
| authenticators | None | The authentication method used. |