--- title: Adding a login authentication step description: "A single-factor authentication step in PingOne requires only one piece of evidence to verify a user's identity." component: pingone page_id: pingone:authentication:p1_add_login_auth_step canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_add_login_auth_step.html revdate: April 24, 2025 section_ids: steps: Steps --- # Adding a login authentication step A single-factor authentication step requires only one piece of evidence to verify a user's identity, such as a username and password. ## Steps 1. In the PingOne admin console, go to **Authentication > Authentication**. 2. Click **[icon: plus, set=fa]Add Policy** to create a new policy, or click the **Pencil** icon ([icon: pencil, set=fa]) to edit an existing one. 3. Click **[icon: plus, set=fa]Add Step**. 4. In the **Step Type** list, select **Login**. 5. Enter or edit the recovery and registration settings. | Setting | Description | | -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Enable account recovery** | In case of a forgotten password, users can recover their accounts with a one-time passcode (OTP) *(tooltip: \
\

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

\
)* sent through email. | | **Enable registration** | Users can register their own accounts whether or not a user record already exists.- Select **PingOne** to provision users to the PingOne user store. - Select **External Link** to provision users to an external user store. PingOne directs users to the **Registration Target URL** for registration, but PingOne is still used for authentication. | | **Require confirmation of user information** | If registration is enabled, requires end users to confirm the data that is linked with the third-party identity provider (IdP) *(tooltip: \
\

A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.\

\
)*. The end user will have an opportunity to edit the information that the third-party IdP shares with PingOne, such as username, email address, first name, and last name. | 6. Enter or edit the requirement conditions. If this condition is met, the user will be required to sign on. * **Last sign-on older than**: Requires users to sign on again if their previous sign-on is older than the configured value. 7. Enter or edit an external IdP. Click **[icon: plus, set=fa]Add Provider** and then select an IdP in the list. If an IdP doesn't appear in the list, the IdP might not be enabled. Learn more in [Adding an external identity provider](../integrations/p1_adding_vendor_specific_idps.html). 8. To prevent users from signing on if their PingOne user account is locked, select **Block authentication of locked user accounts from Presented Identity Providers**. If this option is cleared, users can sign on with their configured IdP credentials, but not their PingOne credentials. 9. Click **Save**.