---
title: CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow
description: The CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow lets users view and manage the devices associated with their account.
component: pingone-solutions
page_id: pingone-solutions:pingone-customers-plus:flow_reference/ciam_plus_ciam_pm_device_management
canonical_url: https://docs.pingidentity.com/pingone-solutions/pingone-customers-plus/flow_reference/ciam_plus_ciam_pm_device_management.html
revdate: June 28, 2024
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables-and-parameters: Variables and parameters
---

# CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow

The CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow lets users view and manage the devices associated with their account.

## Purpose

The CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow verifies the user's session or lets the user sign on using the **CIAM Plus With Protect - SignOn - Subflow** and performs a threat assessment using the **CIAM Plus With Protect - Threat Detection - Subflow**. It presents users with their current multi-factor authentication (MFA) devices, then presents the options for users to add new devices, change the name or status of existing devices, or remove an existing device.

## Structure

This flow is divided into sections using teleport nodes:

* **Flow Configuration**

  Uses function nodes to set variables. Then, if agreement is required, but no agreement ID is present, the flow progresses to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

* **Check Session, Call To Protect Analysis & MFA Step-Up**

  Uses a PingOne node to check for a valid session:

  * If a session exists, a hidden HTML node captures risk information, then a PingOne node gathers additional information. The flow then progresses to the **Threat Detection & Mitigation** section. When this section completes, the flow progresses to the **MFA Authentication** section. When this section completes, the flow progresses to the **Display User Devices** section.

  * If no session exists, a PingOne node deletes any existing session token, then the **CIAM Plus With Protect - SignOn - Subflow** is invoked. When the flow completes, a PingOne node creates or updates the session while a loading screen is displayed for the user. A PingOne node retrieves user information, then the flow progresses to the **MFA Authentication** section. When this section completes, the flow progresses to the **Display User Devices** section.

* **Threat Detection & Mitigation**

  Invokes the **CIAM Plus With Protect - Threat Detection - Subflow**.

  If the **CIAM Plus With Protect - Threat Detection - Subflow** completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  * If the risk level is low, the flow returns to the previous section.

  * If the risk level is medium, the flow progresses to the **MFA Authentication** section. The flow then returns to the previous section.

  * If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the **Return Error** section.

  If the **CIAM Plus With Protect - Threat Detection - Subflow** completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the **Return Error** section.

* **MFA Authentication**

  Uses a function node to check if MFA is enabled.

  If MFA is enabled, the flow uses a PingOne node to retrieve the user's devices, then uses a hidden HTML node to check for WebAuthn compatibility. Function nodes check if the user has at least one active device:

  * If the user has at least one active device, the **CIAM Plus With Protect - Device Authentication - Subflow** is invoked, a function node stores the authentication method as a variable, and the flow then returns to the previous section.

  * If the user has no active devices, the flow progresses to the **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication** section.

  If MFA is not enabled, an HTML node provides the user with the option to enable MFA. If the user enables MFA, a PingOne node enables MFA and the flow returns to the beginning of the section.

* **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication**

  A comparison node checks whether email verification is required.

  If email verification is not required, the flow invokes the **CIAM Plus With Protect - Device Registration - Subflow**, then a function node evaluates the device registration result:

  * If the device registration was completed, the authentication method is stored as a variable, and the flow returns to the **MFA Authentication** section.

  * If the device registration was skipped, the flow returns to the **MFA Authentication** section.

  If email verification is required, the flow invokes the **CIAM Plus With Protect - Verify Email - Subflow**, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node stores the user's authentication method as a variable, and the flow returns to the **MFA Authentication** section.

* **Display User Devices**

  Uses a PingOne node to retrieve the user's known devices. If the user can add devices, a custom HTML template presents the user with device options. If the user selects **Add**, the flow progresses to the **Add Device** section. If the user selects **Done** or **Cancel**, the flow progresses to the **Return Success** section. If the user selects an existing device, the flow progresses to the **Update Device** section.

* **Add Device**

  Invokes the **CIAM Plus With Protect - Device Registration - Subflow**. The flow then progresses to the **Display User Devices** section if the addition was successful or canceled.

* **Update Device**

  Presents users with a custom HTML page showing options for a currently selected device. The **Save** and **Default** options trigger PingOne to save a new device name or set the current device as default. The **Remove** option triggers an HTML node that asks the user to confirm the deletion. If the user confirms the deletion, a PingOne node removes the current device, then the flow progresses to the **Display User Devices** section. If the user cancels, the flow progresses to the **Display User Devices** section.

* **Return Success**

  Sends a JSON success message.

* **Return Error**

  Displays an error message, then sends a JSON error response.
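
For teams that customize this flow, a useful regression check is that the device-management sections stay behind the **MFA Authentication** section. The following is an added example, not part of the Ping Identity flow or its documentation: it models the section-level transitions listed above as a graph and tests whether any path reaches a section without passing through a given gate. The graph encoding and the names `documentedFlow`, `editedFlow`, `reachable`, and `canBypass` are assumptions of this example, and it checks routing between sections only, not what happens inside a section.

```javascript
// Section-level transitions transcribed from the Structure list above.
// "Returns to the previous section" is collapsed into the section that follows.
const documentedFlow = {
  "Flow Configuration": ["Check Session"],
  "Check Session": ["Threat Detection", "SignOn Subflow"],
  "SignOn Subflow": ["MFA Authentication"],
  "Threat Detection": ["MFA Authentication", "Return Error"],
  "MFA Authentication": ["Display User Devices", "Step Up To Register Email"],
  "Step Up To Register Email": ["MFA Authentication"],
  "Display User Devices": ["Add Device", "Update Device", "Return Success"],
  "Add Device": ["Display User Devices"],
  "Update Device": ["Display User Devices"],
  "Return Success": [],
  "Return Error": [],
};

// Sections reachable from `start` when `blocked` is removed from the graph.
function reachable(graph, start, blocked) {
  const seen = new Set();
  const stack = [start];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === blocked || seen.has(node)) continue;
    seen.add(node);
    for (const next of graph[node] || []) stack.push(next);
  }
  return seen;
}

// True when some path from `start` to `target` avoids `gate`.
function canBypass(graph, start, target, gate) {
  return reachable(graph, start, gate).has(target);
}

// Constructed regression: a customized copy in which a valid session is
// routed straight to the device list, skipping the MFA section.
const editedFlow = {
  ...documentedFlow,
  "Check Session": [...documentedFlow["Check Session"], "Display User Devices"],
};

const START = "Flow Configuration";
for (const target of ["Display User Devices", "Add Device", "Update Device"]) {
  console.log(`${target}: documented bypass=` +
    `${canBypass(documentedFlow, START, target, "MFA Authentication")}, ` +
    `edited bypass=${canBypass(editedFlow, START, target, "MFA Authentication")}`);
}
```

Running the same check against an exported copy of a customized flow requires translating its node connections into this section-level map first.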

## Input schema

This flow has the following inputs:

| Input Name       | Description                                                      |
| ---------------- | ---------------------------------------------------------------- |
| `flowParameters` | Parameters passed in when the flow is launched using the widget. |

## Output schema

This flow has the following outputs:

| Output Name    | Description                                          |
| -------------- | ---------------------------------------------------- |
| `flowResult`   | The result status of the flow.                       |
| `p1UserId`     | The user's PingOne user ID.                          |
| `errorMessage` | The error message to display in the parent flow.     |
| `errorDetails` | The details of the error that occurred in this flow. |

## Variables and parameters

This flow uses the following variable or parameter values:

| Variable name                | Parameter name            | Description                                                                                                                                                                                                                                                                                                      |
| ---------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ciam_logoStyle`             | None                      | The HTML style to use for your company logo.                                                                                                                                                                                                                                                                     |
| `ciam_logoUrl`               | None                      | The URL for your company logo.                                                                                                                                                                                                                                                                                   |
| `ciam_companyName`           | None                      | Displays the name of your company.                                                                                                                                                                                                                                                                               |
| `ciam_magicLinkEnabled`      | `isEmailMagicLinkEnabled` | Indicates whether magic link is enabled in your environment.                                                                                                                                                                                                                                                     |
| `ciam_agreementEnabled`      | `isTermsOfServiceEnabled` | A boolean indicating whether agreement is enabled in your environment.                                                                                                                                                                                                                                           |
| `ciam_requireMFA`            | None                      | A boolean that controls whether MFA is required for all users.                                                                                                                                                                                                                                                   |
| `ciam_resendOtpLimit`        | None                      | The maximum number of times a user can resend a one-time passcode (OTP). |
| `ciam_verificationLimit`     | None                      | The maximum number of times a user can attempt to verify their email address.                                                                                                                                                                                                                                    |
| `ciam_sessionLengthInMinute` | None                      | The maximum allowed session length for a user in the flow.                                                                                                                                                                                                                                                       |
| `ciam_otpFallbackAllowed`    | None                      | A boolean indicating whether a user can fall back to an OTP if a mobile push request times out.                                                                                                                                                                                                                  |
| `p1AgreementId`              | None                      | The ID of the PingOne agreement to present to users.                                                                                                                                                                                                                                                             |
| `p1RiskPolicyIdAuthn`        | None                      | The PingOne risk policy ID to use for authentication.                                                                                                                                                                                                                                                            |
| `protectRiskEvalId`          | None                      | The risk evaluation ID returned by PingOne Protect.                                                                                                                                                                                                                                                              |
| `p1RiskPolicyIdReg`          | None                      | The PingOne risk policy ID to use for registration.                                                                                                                                                                                                                                                              |
| `p1RiskPolicyIdAR`           | None                      | The PingOne risk policy ID to use for account recovery.                                                                                                                                                                                                                                                          |
| `flowCompanyLogo`            | None                      | The company logo to use during the flow.                                                                                                                                                                                                                                                                         |
| `p1MFAPolicyId`              | None                      | The PingOne MFA policy ID.                                                                                                                                                                                                                                                                                       |
| `p1RiskPolicyIdAuthZ`        | None                      | The PingOne risk policy ID to use for authorization.                                                                                                                                                                                                                                                             |
| `authMethod`                 | None                      | The authentication method used by the user.                                                                                                                                                                                                                                                                      |
