--- title: CIAM-Passwordless-Protect-Account-Registration-Subflow description: The CIAM-Passwordless-Protect-Account-Registration-Subflow lets users register a new account. component: pingone-solutions page_id: pingone-solutions:pingone-customers-passwordless:flow_reference/ciam_passwordless_ciam_account_registration canonical_url: https://docs.pingidentity.com/pingone-solutions/pingone-customers-passwordless/flow_reference/ciam_passwordless_ciam_account_registration.html revdate: July 22, 2024 section_ids: purpose: Purpose structure: Structure input-schema: Input schema output-schema: Output schema variables-and-parameters: Variables and parameters --- # CIAM-Passwordless-Protect-Account-Registration-Subflow The CIAM-Passwordless-Protect-Account-Registration-Subflow lets users register a new account. ## Purpose The **CIAM-Passwordless-Protect-Account-Registration-Subflow** presents users with the ability to create a new account. The flow first uses PingOne Protect to check for bots and high-risk users before proceeding to account creation. Depending on your environment's properties, the flow can let a user create a password, add an multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)* device using the **CIAM-Passwordless-Protect-Device-Registration-Subflow** flow, and view and agree to an agreement using the **CIAM-Passwordless-Protect-Agreement(ToS)-Subflow** flow. ## Structure ![Diagram of the structure, as described below.](../_images/ewq1705439247167.png) This flow is divided into sections using teleport nodes: * **Progressive Profiling** Uses hidden nodes to enable a PingOne Protect analysis and initialize variables, then presents users with an HTML form on which to enter their email address. * If the user clicks **Sign On**, the flow progresses to the **Return Success** section. * If the user clicks **Register** the flow progresses to the **PingOne Protect Threat Detection Analysis** section. After the **PingOne Protect Threat Detection Analysis** section has completed, a PingOne node looks for a user with the specified email address. If none is found, the flow progresses to the **Verify Email** section. After the **Verify Email** section has completed, an HTML form lets the user enter a first and last name. * If the user clicks **Back**, the flow returns to the beginning of the **Progressive Profiling** section. * If the user clicks **Register**, the flow progresses to the **Create Account** section. * PingOne Protect Threat Detection Analysis Invokes the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow. If the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow completes successfully, the PingOne Protect values are saved as variables. A function node then examines the risk score. * If the risk score is low or medium, the flow returns to the **Progressive Profiling** section. * If the risk score is high, an error message is displayed. If the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow does not complete successfully, any available PingOne Protect values are saved as variables, then the flow progresses to the **Return Error** section. * **Create Account** Uses a function node to check if passwordless is required. If passwordless isn't required, an HTML node lets the user enter a password and click **Register**, **Other**, or **Back**. * If the user clicks **Register**, function nodes verify that the password and confirmed password match and that the password is valid, then a PingOne node creates the new user. If the user creation succeeds, the flow progresses to the **Accept Agreement and Verify Email** section. * If the user clicks **Other**, a PingOne node creates the new user. If the user creation succeeds, the flow progresses to the **Accept Agreement and Verify Email** section. * If the user clicks **Back**, the flow returns to the second HTML node in the **Progressive Profiling** section. * **Accept Agreement and Verify Email** Invokes the **CIAM-Passwordless-Protect-Agreement(ToS)-Subflow** flow to ensure that the user agrees to any required agreements, then uses a PingOne node to enroll the email address as an MFA device without verification. The flow then progresses to the **Device Registration** section. * **Device Registration** Checks if the user selected passwordless. * If the user selected passwordless, the flow progresses to the **Return Success** section. * If the user did not select passwordless, the **CIAM-Passwordless-Protect-Device-Registration-Subflow** flow is invoked, after which the flow progresses to the **Return Success** section. * **Set Password** Uses an HTML node to prompt the user for a new password, verifies that the password matches the confirmed password, and uses a PingOne node to set the password. The flow then progresses to the **Return Success** section. * **Verify Email** Uses a PingOne MFA node to create a device authentication, then uses an HTML template to prompt the user for the verification code. * If the user clicks **Verify**, a PingOne MFA node verifies the passcode, then the flow returns to the **Progressive Profiling** section. * If the user clicks **Resend**, the number of resend attempts is increased by one. If the number of resend attempts is less than five, the flow then returns to the beginning of the **Verify Email** section. * **Return Success** Sends a success JSON response, indicating that the flow has completed successfully. * **Return Error** Sends an error JSON response, indicating that the flow completed unsuccessfully. A comparison node also checks for a risk ID, and uses a PingOne node to update the risk evaluation if a risk ID is present. ## Input schema This flow has the following inputs: | Input name | Required | Description | | --------------------------- | -------- | ------------------------------------------------------------------------------------------ | | `ciam_passwordlessRequired` | Yes | Indicates whether passwordless authentication is required for sign-on. | | `allowedDeviceTypes` | Yes | A string containing any or all of `SMS, EMAIL, FIDO2` indicating the allowed device types. | | `ciam_agreementEnabled` | Yes | Indicates whether agreement is enabled for user registration. | | `ciam_agreementId` | Yes | The ID of the agreement to present to users. | | `ciam_companyLogo` | No | The company logo.Used only when the main flow was launched using the widget. | | `ciam_riskPolicyID` | None | The PingOne Protect policy ID. | ## Output schema This flow has the following outputs: | Output name | Description | | -------------------- | --------------------------------------------- | | `ciam_subflowResult` | The result status of the flow. | | `ciam_pingOneUserId` | The user ID of the current user. | | `ciam_authMethod` | The authentication method chosen by the user. | | `ciam_errorMessage` | The error message text to display, if any. | ## Variables and parameters This flow uses the following variable or parameter values: | Variable name | Parameter name | Description | | --------------------------- | ------------------------ | ---------------------------------------------------------------------- | | `ciam_passwordlessRequired` | `isPasswordlessRequired` | Indicates whether passwordless authentication is required for sign-on. | | `ciam_logoStyle` | None | The HTML style to use for your company logo. | | `ciam_logoUrl` | None | The URL for your company logo. | | `ciam_companyName` | None | Displays the name of your company. | | `ciam_riskPolicyID` | None | The PingOne Protect policy ID. | | `ciam_protectPredictor` | None | The recommendation made by PingOne Protect. | | `ciam_protectDeviceStatus` | None | The status of the user's device as determined by PingOne Protect. | | `ciam_protectRiskID` | None | The risk ID of the current user as used by PingOne Protect. | | `ciam_protectRiskLevel` | None | The risk level of the current user as determined by PingOne Protect. |