---
title: Adding an identifier first authentication step
description: Add an identifier first authentication as part of an authentication policy in PingOne.
component: pingone
page_id: pingone:authentication:p1_add_identifier_first_auth
canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_add_identifier_first_auth.html
revdate: June 9, 2025
section_ids:
  steps: Steps
  related-links: Related links
---

# Adding an identifier first authentication step

To use identifier first authentication, add it as part of an authentication policy.

## Steps

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **Add Policy** to create a new policy, or click the **Pencil** icon to edit an existing one.

3. Click **Add step**.

4. In the **Step Type** list, select **Identifier First**.

5. Enter or edit the recovery and registration settings:

   | Setting | Description |
   | --- | --- |
   | **Enable account recovery** | Users who forget their password can recover their account with a one-time passcode (OTP) sent through email. An OTP is a passcode valid for only one sign-on or transaction, also known as a one-time password, one-time PIN, or dynamic password. |
   | **Enable registration** | Users can register their own accounts whether or not a user record already exists. Select **PingOne** to provision users to the PingOne user store. Select **External Link** to provision users to an external user store: PingOne directs users to the **Registration Target URL** for registration, but PingOne is still used for authentication. |
   | **Require confirmation of user information** | If registration is enabled, requires end users to confirm the data that is linked with the third-party identity provider (IdP), that is, the service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network. The end user has an opportunity to edit the information that the third-party IdP shares with PingOne, such as username, email address, first name, and last name. |
   | **Discovery rules** | Click **Add Rule** to add a rule, or **Edit Rules** to modify an existing rule, and complete the following fields. **Username Contains**: enter a domain name to be evaluated by this rule. The rule evaluates to true if the identifier the user enters contains the provided value as a substring. For increased security, be specific and enter multiple canonical domains, such as @marketing.example.com and @payroll.example.com. Entering only example.com needs fewer entries and still picks up both @marketing.example.com and @payroll.example.com, but it also matches any identifier in which example.com appears, including hosts you did not intend. **Identity Provider**: select the IdP to use for authentication if the rule is matched. Discovery rules are evaluated in the order they appear in the list, and the first matching rule wins. Users that don't match any discovery rule are authenticated against PingOne. |

6. Enter or edit the requirement conditions.

   If a condition is met, the user is required to sign on:

   * **Last sign-on older than**

     Requires users to sign on if their previous sign-on is older than the configured value.

   * **User attributes**

     Requires users to sign on if they match a specified user attribute, such as postal code or user ID. For example, `Postal Code = 78750`. Select the checkbox, then click **Add attribute**. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy evaluates to true if any of the conditions are met (Boolean OR).

7. Enter or edit an external IdP. Click **Add Provider** and then select an identity provider in the list. If an IdP doesn't appear in the list, the IdP might not be enabled. Learn more in [Adding an external identity provider](../integrations/p1_adding_vendor_specific_idps.html).

8. To prevent users from signing on if their PingOne user account is locked, select **Block authentication of locked user accounts from Presented Identity Providers**. If this option is cleared, users can sign on with their configured IdP credentials, but not their PingOne credentials.

9. Click **Save**.
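
The following is an added example, not PingOne code: a small Python model of the decisions this step makes, written to let you sanity-check a planned configuration offline before saving it. It reproduces the behaviour described in the steps above (ordered discovery rules with substring matching and fallback to PingOne, OR-ed user-attribute conditions, a last-sign-on age condition, and the block on locked accounts using presented IdPs). The class and field names, the assumption that a step with no requirement conditions always applies, and all identifiers and rule sets are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DiscoveryRule:
    username_contains: str   # substring test on the entered identifier
    identity_provider: str   # IdP used when the rule matches


@dataclass
class User:
    identifier: str
    attributes: dict = field(default_factory=dict)
    last_sign_on: Optional[datetime] = None
    locked: bool = False


@dataclass
class IdentifierFirstStep:
    discovery_rules: list                                  # evaluated in order
    last_sign_on_older_than: Optional[timedelta] = None
    user_attributes: dict = field(default_factory=dict)    # OR-ed together
    block_locked_from_presented_idps: bool = True

    def route(self, user: User) -> str:
        """First matching discovery rule wins; no match falls back to PingOne."""
        ident = user.identifier.lower()
        for rule in self.discovery_rules:
            if rule.username_contains.lower() in ident:
                return rule.identity_provider
        return "PingOne"

    def sign_on_required(self, user: User, now: datetime) -> bool:
        """True when any configured condition is met. With no conditions
        configured the step always applies (assumption of this model)."""
        if self.last_sign_on_older_than is None and not self.user_attributes:
            return True
        if self.last_sign_on_older_than is not None:
            if user.last_sign_on is None or now - user.last_sign_on > self.last_sign_on_older_than:
                return True
        # Boolean OR across attribute conditions.
        return any(user.attributes.get(k) == v for k, v in self.user_attributes.items())

    def allowed(self, user: User) -> bool:
        """Locked users can never sign on with PingOne credentials; whether they
        may still use a presented external IdP depends on the block setting."""
        if not user.locked:
            return True
        if self.route(user) == "PingOne":
            return False
        return not self.block_locked_from_presented_idps


# Constructed rule sets and identifiers (no real tenants or hosts).
LOOSE = IdentifierFirstStep([DiscoveryRule("example.com", "Corp-SAML")])
STRICT = IdentifierFirstStep([
    DiscoveryRule("@marketing.example.com", "Corp-SAML"),
    DiscoveryRule("@payroll.example.com", "Corp-SAML"),
])
IDENTIFIERS = [
    "alice@marketing.example.com",
    "bob@payroll.example.com",
    "mallory@example.com.attacker.test",   # look-alike host that contains example.com
    "carol@partner.test",
]


def compare_rulesets(identifiers=IDENTIFIERS) -> dict:
    """Map each identifier to (IdP under LOOSE rules, IdP under STRICT rules)."""
    return {i: (LOOSE.route(User(i)), STRICT.route(User(i))) for i in identifiers}


def demo_conditions() -> dict:
    """Requirement conditions and the locked-account block on constructed users."""
    now = datetime(2025, 6, 9, tzinfo=timezone.utc)
    recent, stale = now - timedelta(days=1), now - timedelta(days=10)
    step = IdentifierFirstStep(STRICT.discovery_rules,
                               last_sign_on_older_than=timedelta(days=7),
                               user_attributes={"postalCode": "78750"})
    unblocked = IdentifierFirstStep(STRICT.discovery_rules,
                                    block_locked_from_presented_idps=False)
    bob = User("bob@payroll.example.com", {"postalCode": "78750"}, recent, locked=True)
    carol = User("carol@partner.test", {"postalCode": "00000"}, recent, locked=True)
    return {
        "attribute_match_requires_sign_on": step.sign_on_required(
            User("x@payroll.example.com", {"postalCode": "78750"}, recent), now),
        "recent_no_match_skips_sign_on": step.sign_on_required(
            User("x@payroll.example.com", {"postalCode": "11111"}, recent), now),
        "stale_sign_on_requires_sign_on": step.sign_on_required(
            User("x@payroll.example.com", {"postalCode": "11111"}, stale), now),
        "locked_external_idp_blocked": step.allowed(bob),
        "locked_external_idp_allowed_when_cleared": unblocked.allowed(bob),
        "locked_pingone_always_blocked": unblocked.allowed(carol),
    }


if __name__ == "__main__":
    for ident, (loose, strict) in compare_rulesets().items():
        print(f"{ident:36} loose -> {loose:10} strict -> {strict}")
    print(demo_conditions())
```

Running it shows the point of the "be specific" advice in step 5: the single loose rule `example.com` routes `mallory@example.com.attacker.test` to the corporate IdP, while the two canonical-domain rules leave it to PingOne. Because the first matching rule wins, a broad rule placed above a narrower one also silently shadows it, so order your rules from most specific to least specific and re-run a check like this after every edit.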

## Related links

* [Identifier first authentication](p1_idp_first_auth.html)

* [Progressive profiling](p1_progressive_profiling.html)
