--- title: Adding an authentication policy description: You can add one or more authentication policies in PingOne. component: pingone page_id: pingone:authentication:p1_add_an_auth_policy canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_add_an_auth_policy.html revdate: January 7, 2025 section_ids: steps: Steps --- # Adding an authentication policy You can add one or more authentication policies. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The first step in a policy can't have population or user attribute conditions. Additionally, if the second step in a two-step policy has conditions set, and you delete the first step so that the second step becomes the first, those conditions will be removed. | ## Steps 1. In the PingOne admin console, go to **Authentication > Authentication**. 2. Click **[icon: plus, set=fa]Add Policy**. 3. Enter a policy name. 4. In the **Step Type** list, select the protocol for the first step: | Step Type | Description | | --------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Login** | Requires only one piece of evidence to verify a user's identity, such as a username and password.Learn more in [Adding a login authentication step](p1_add_login_auth_step.html). | | **Identifier First** | Allows you to identify users before you authenticate them.Learn more in [Adding an identifier first authentication step](p1_add_identifier_first_auth.html). | | **Multi-factor Authentication** (Customer only) or **PingID Authentication** (Workforce only) | Requires two pieces of evidence to verify a user's identity, such as a username and password as well as a one-time passcode (OTP) *(tooltip: \
\

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

\
)*.You can also use multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)* to set up passwordless authentication.Learn more in [Adding a multi-factor authentication or PingID step](p1_add_mfa_step.html) and [Setting up passwordless authentication](p1_set_up_paswordless_auth.html). | | **External Identity Provider** | Allows end users to access your applications by authenticating with the external identity provider (IdP) *(tooltip: \
\

A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.\

\
)*.Learn more in [Adding an external identity provider sign-on step](p1_add_idp_signon_step.html). | 5. (Optional) Click **[icon: plus, set=fa]Add step** to add another step to the authentication policy. You can add any of the step types described previously as well as the following step types that can't be used for the first step in an authentication policy: | Step Type | Description | | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Progressive Profiling** | Allows you to prompt a user for information to be added to their profile after the initial registration step. For example, you could prompt users to add their mobile phone number the next time they sign on. Learn more in [Progressive profiling](p1_progressive_profiling.html) and [Adding a progressive profiling step](p1_add_progressive_profiling.html). | | **Agreement Prompt** | Requires end users to consent to a terms of service agreement as part of a sign-on policy.Learn more in [Agreements](../user_experience/p1_agreements.html). | 6. Continue adding steps as needed for your authentication policy. 7. Click **Save**.