--- title: CIAM-Passwordless-Protect-Device-Registration-Subflow description: The CIAM-Passwordless-Protect-Device-Registration-Subflow lets users register a new device. component: pingone-solutions page_id: pingone-solutions:pingone-customers-passwordless:flow_reference/ciam_passwordless_ciam_device_registration canonical_url: https://docs.pingidentity.com/pingone-solutions/pingone-customers-passwordless/flow_reference/ciam_passwordless_ciam_device_registration.html revdate: July 22, 2024 section_ids: purpose: Purpose structure: Structure input-schema: Input schema output-schema: Output schema variables: Variables --- # CIAM-Passwordless-Protect-Device-Registration-Subflow The CIAM-Passwordless-Protect-Device-Registration-Subflow lets users register a new device. ## Purpose The CIAM-Passwordless-Protect-Device-Registration-Subflow presents users with options to register any available device type. The flow finds the available devices, then uses an HTML node to let the user select one: * If the user selects **Text Message**, the flow gathers the number and uses an one-time passcode (OTP) *(tooltip: \
\

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

\
)* to verify the SMS number. * If the user selects **Email**, the flow uses an OTP to verify the email address. * If the user selects **Biometrics/Security Key**, the flow pairs the current device. * After any successful device registration, or if the user selects password, the flow redirects to the **CIAM-Passwordless-Protect-Account-Registration-Subflow** parent flow. ## Structure Diagram of the structure, as described below. This flow is divided into sections using teleport nodes: * **Gather device types that user can register with** Uses a PingOne node to retrieve the user's current devices and a hidden HTML form to gather browser information. The flow then uses multiple comparison nodes to determine if the user can register another device. If so, the flow progresses to the **User select device to register with** section. If not, the flow progresses to the **Return Error** section. * **User select device to register with** Presents the user with an HTML page where they can select a device from one of the available registration options. If the user selects SMS, email, or FIDO2, the flow progresses to the corresponding section: **User selected SMS**, **User selected email**, or **Register FIDO2 device and enable MFA for user**. If the user selects password or cancel, the flow progresses to the **Return Success** section. * **User Selected SMS** Presents the user with an HTML form on which they can enter a phone number. The flow then progresses to the **Prepare to register OTP device** section. * **User selected email** Checks if the user's email is known, and presents the user with an HTML form on which they can enter an email if the email is not known. The flow then progresses to the **Prepare to register OTP device** section. * **Prepare to register OTP device** uses a PingOne node to create an OTP device, stores the device ID as a variable, then progresses to the **Ask for OTP** section. * **Ask for OTP** Presents the user with an HTML form on which they can enter the OTP or resend it. If they enter the OTP, the flow progresses to the **Activate OTP and enable MFA for user** section. If they resend, the flow progresses to the **Resend OTP** section. * **Resend OTP** Uses PingOne nodes to delete the previous OTP device and create a new one. The flow then stores the device ID as a variable and displays a message to the user indicating that the OTP has been resent. * **Activate OTP and enable MFA for user** Uses PingOne nodes to activate the device to which the OTP was sent, then update the user's MFA status. The flow then progresses to the **Return Success** section. * **Register FIDO2 device and enable MFA for user** Uses a PingOne node to create a FIDO2 device, then presents an HTML page from which the user can confirm the registration. Two PingOne nodes activate the FIDO device, then update the user's MFA status. The flow then progresses to the **Return Success** section. * **Return Success** Sends a success JSON response, indicating that the flow has completed successfully. * **Return Error** Sends an error JSON response, indicating that the flow completed unsuccessfully. ## Input schema This flow has the following inputs. | Input name | Required | Description | | ---------------------- | -------- | ------------------------------------------------------------------------------------------ | | `email` | Yes | The email address to use for registration. | | `pingOneUserId` | Yes | The user ID of the current user. | | `allowCancel` | Yes | Indicates whether to display the cancel option on the initial user page. | | `passwordlessRequired` | Yes | Indicates whether all users are required to use passwordless authentication. | | `allowedDeviceTypes` | Yes | A string containing any or all of `SMS, EMAIL, FIDO2` indicating the allowed device types. | | `ciam_companyLogo` | No | The company logo.Used only when the main flow was launched using the widget. | ## Output schema This flow has the following outputs. | Output name | Description | | -------------------- | ---------------------------------------------------------- | | `ciam_subflowResult` | The result status of the flow. | | `ciam_authMethod` | The authentication method that was configured by the flow. | | `ciam_errorMessage` | The error message to display in the parent flow. | ## Variables This flow uses the following variables. | Variable name | Description | | ------------------ | -------------------------------------------- | | `ciam_logoStyle` | The HTML style to use for your company logo. | | `ciam_logoUrl` | The URL for your company logo. | | `ciam_companyName` | Displays the name of your company. |