Adding a multi-factor authentication or PingID step
A multi-factor authentication (MFA) policy requires two pieces of evidence to verify a user’s identity, such as a username and password as well as a one-time passcode (OTP) sent over SMS, voice, or email, or a push notification sent to the user’s mobile device. You can also use MFA to set up passwordless authentication. Learn more in Setting up passwordless authentication.
Steps

1. In the PingOne admin console, go to Authentication > Authentication.

2. Click Add Policy to create a new policy, or click the Pencil icon to edit an existing one.

3. Click Add step.

4. In the Step Type list, select either:
   - (Customer only) Multi-Factor Authentication
   - (Workforce only) PingID Authentication

5. (Customer only) In the MFA Policy list, select an MFA policy that has been defined for the environment. Learn more about defining MFA policies in MFA policies.

6. (Customer only) In the None or incompatible methods section, select a flow for users who attempt to sign on but don’t have any enrolled MFA device that complies with the permitted Available Methods:
   - Block: Do not permit these users to sign on because they don’t have a usable device for MFA.
   - Bypass: Allow users without a usable MFA device to bypass the MFA flow. To use the Bypass option, the user must already be authenticated, either by a password (login step) or by supplying a signed login_hint_token in the request object. Learn more about login_hint_token in the GET Authorize (Browserless and MFA Only Flows) operation in the PingOne Platform API Reference.

7. (Customer only) Enter or edit the requirement conditions. If one or more of the following conditions are met, the user is prompted to use a two-step authentication method.
   - Last sign-on older than: Requires the user to complete MFA if their previous sign-on is older than the configured value.
   - Accessing from IP out of range: Requires the user to complete MFA if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.
   - Being a member of any of these populations: Requires the user to complete MFA if the user belongs to any of the specified populations.
   - User attributes: Requires the user to complete MFA if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the checkbox, then click Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy evaluates to true if any of the conditions are met (Boolean OR).
   - IP reputation is high risk: PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. An IP address is considered high risk if it might have recently been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.
     The IP reputation option is available only with a PingOne Protect or PingOne for Customers Passwordless license.
   - A geovelocity anomaly is detected: PingOne analyzes location data from the user’s accessing device. It determines whether travel between the user’s current sign-on location and their previous sign-on location is possible in the time that has elapsed since the previous sign-on. Select the checkbox to require MFA when a geovelocity anomaly is detected.
     The Geovelocity anomaly option is available only with a PingOne Protect or PingOne for Customers Passwordless license.
   - Anonymous network detection: PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network such as an unknown VPN, proxy, or an anonymous communication tool such as Tor. Exclude IP addresses by entering them in the Whitelist in CIDR notation as a comma-separated list.
     The Anonymous network detection option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

8. Click Save.
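The requirement conditions in the step above combine with Boolean OR: every enabled condition is checked, and a single match is enough to prompt for MFA. The following added example models that evaluation in Python so the interaction between the conditions can be exercised offline. It is not PingOne code and does not call the PingOne API; the class names, condition names, the geovelocity speed threshold, and the way the IP reputation and anonymous-network signals are passed in as precomputed flags are all assumptions of this example, and the sign-on attempts it evaluates are constructed sample data.

```python
"""Added example (not PingOne code): evaluate MFA-step requirement conditions.

Each enabled condition is tested against a sign-on attempt; the names of all
conditions that fire are returned, and MFA is required if the list is non-empty
(Boolean OR). The risk signals (IP reputation, anonymous network) are assumed
to arrive as flags already computed upstream. All names here are this example's.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import math


@dataclass
class SignOnContext:
    """Facts known about one sign-on attempt (constructed for the example)."""
    population: str
    attributes: dict
    source_ip: str
    now: datetime
    last_sign_on: datetime | None = None
    last_location: tuple[float, float] | None = None     # (lat, lon)
    current_location: tuple[float, float] | None = None  # (lat, lon)
    ip_high_risk: bool = False        # assumed output of IP reputation scoring
    anonymous_network: bool = False   # assumed output of anonymous-network detection


@dataclass
class RequirementConditions:
    """Conditions enabled on the MFA step; None or empty means the condition is off."""
    last_sign_on_older_than: timedelta | None = None
    in_range_cidrs: list[str] = field(default_factory=list)  # "IP out of range" trigger
    populations: set[str] = field(default_factory=set)
    user_attributes: dict = field(default_factory=dict)      # OR across entries
    ip_reputation: bool = False
    geovelocity_max_kmh: float | None = None  # assumed plausible-travel threshold
    anonymous_network: bool = False
    anonymous_whitelist_cidrs: list[str] = field(default_factory=list)


def ip_in_any(ip: str, cidrs: list[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges (empty list -> False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def evaluate(cond: RequirementConditions, ctx: SignOnContext) -> list[str]:
    """Return the names of every condition that fires; an empty list means no MFA."""
    fired = []
    if cond.last_sign_on_older_than is not None:
        # A user with no recorded previous sign-on is treated as "older than" (assumption).
        if ctx.last_sign_on is None or ctx.now - ctx.last_sign_on > cond.last_sign_on_older_than:
            fired.append("last_sign_on_older_than")
    if cond.in_range_cidrs and not ip_in_any(ctx.source_ip, cond.in_range_cidrs):
        fired.append("ip_out_of_range")
    if cond.populations and ctx.population in cond.populations:
        fired.append("population_member")
    if cond.user_attributes and any(ctx.attributes.get(k) == v
                                    for k, v in cond.user_attributes.items()):
        fired.append("user_attribute_match")
    if cond.ip_reputation and ctx.ip_high_risk:
        fired.append("ip_reputation_high_risk")
    if (cond.geovelocity_max_kmh is not None and ctx.last_sign_on is not None
            and ctx.last_location and ctx.current_location):
        hours = (ctx.now - ctx.last_sign_on).total_seconds() / 3600
        km = haversine_km(ctx.last_location, ctx.current_location)
        # Impossible travel: the distance could not be covered in the elapsed time.
        if km > 0 and (hours <= 0 or km / hours > cond.geovelocity_max_kmh):
            fired.append("geovelocity_anomaly")
    if (cond.anonymous_network and ctx.anonymous_network
            and not ip_in_any(ctx.source_ip, cond.anonymous_whitelist_cidrs)):
        fired.append("anonymous_network")  # whitelisted ranges are excluded
    return fired


def mfa_required(cond: RequirementConditions, ctx: SignOnContext) -> bool:
    return bool(evaluate(cond, ctx))


# --- constructed sample data ------------------------------------------------
EXAMPLE_CONDITIONS = RequirementConditions(
    last_sign_on_older_than=timedelta(days=30),
    in_range_cidrs=["10.0.0.0/8", "192.168.1.0/24"],
    populations={"contractors"},
    user_attributes={"postalCode": "78750", "role": "admin"},
    ip_reputation=True,
    geovelocity_max_kmh=1000.0,
    anonymous_network=True,
    anonymous_whitelist_cidrs=["203.0.113.0/24"],
)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
AUSTIN, LONDON = (30.27, -97.74), (51.51, -0.13)


def demo() -> dict[str, list[str]]:
    """Evaluate a few constructed sign-on attempts against EXAMPLE_CONDITIONS."""
    cases = {
        "trusted_employee": SignOnContext("employees", {"postalCode": "10001"}, "10.1.2.3", NOW,
                                          last_sign_on=NOW - timedelta(days=2),
                                          last_location=AUSTIN, current_location=AUSTIN),
        "impossible_travel": SignOnContext("contractors", {"postalCode": "78750"}, "198.51.100.7",
                                           NOW, last_sign_on=NOW - timedelta(hours=1),
                                           last_location=AUSTIN, current_location=LONDON),
        "whitelisted_vpn": SignOnContext("employees", {}, "203.0.113.9", NOW,
                                         last_sign_on=NOW - timedelta(days=1),
                                         anonymous_network=True),
        "first_sign_on": SignOnContext("employees", {}, "10.0.0.5", NOW),
    }
    return {name: evaluate(EXAMPLE_CONDITIONS, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:18s} MFA required={mfa_required is not None and bool(fired)!s:5}  {fired}")
```

Running the block prints one line per constructed attempt. The "whitelisted_vpn" case shows the whitelist caveat in practice: the anonymous-network flag alone does not prompt for MFA when the source address is in an excluded range, but an unrelated condition (here, the address being outside the configured IP range) still does, because the conditions are independent and OR-ed together.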