---
title: Adding a multi-factor authentication or PingID step
description: Add an MFA or PingID step to a PingOne authentication policy.
component: pingone
page_id: pingone:authentication:p1_add_mfa_step
canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_add_mfa_step.html
revdate: September 2, 2024
section_ids:
  steps: Steps
  steps-2: Steps
---

# Adding a multi-factor authentication or PingID step

A multi-factor authentication (MFA) policy requires two pieces of evidence to verify a user's identity, such as a username and password, as well as MFA authentication methods, such as a passkey, a push notification sent to the user's mobile device, or a one-time passcode (OTP) sent over SMS, voice, or email. You can also use MFA to set up passwordless authentication. Learn more in [Setting up passwordless authentication](p1_set_up_paswordless_auth.html).

Follow the relevant instructions depending on the geography in which your environment is located.

* In the Singapore geography, all steps apply to both [Customer and Workforce](../strong_authentication_mfa/p1_pid_what_is_the_difference.html) environments.

* In all other geographies, some steps differ depending on whether the environment is for Customer or Workforce users.

### Steps (all other regions)

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **[icon: plus, set=fa]Add Policy** to create a new policy, or click the **Pencil** icon ([icon: pencil, set=fa]) to edit an existing one.

3. Click **[icon: plus, set=fa]Add step**.

4. In the **Step Type** list, select either:

   * (Customer only) **Multi-Factor Authentication**

   * (Workforce only) **PingID Authentication**

5. (Customer only) In the **MFA Policy** list, select an MFA policy that has been defined for the environment. Learn more about defining MFA policies in [MFA policies](p1_mfa_policies.html).

6. (Customer only) In the **None or incompatible methods** section:

   For MFA scenarios in which users attempt to sign on but don't have any enrolled MFA devices that comply with the permitted **Available Methods**, select a flow:

   * **Block**: Do not permit these users to sign on because they don't have a usable device for MFA.

   * **Bypass**: Allow users without a usable MFA device to bypass the MFA flow.

     To leverage the **Bypass** option, the user must already be authenticated, either by a password (login step) or by supplying a signed `login_hint_token` in the request object. Learn more about `login_hint_token` in the [GET Authorize (Non-redirect and MFA Only Flows)](https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/authorize-browserless-and-mfa-only-flows.html) operation in the PingOne API documentation.

7. (Customer only) Enter or edit the requirement conditions. If one or more of the following conditions are met, the user is prompted to use a two-step authentication method.

   * **Last sign-on older than**: Requires users to sign on if their previous sign-on is older than the configured value.

   * **Accessing from IP out of range**: Requires users to sign on if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.

   * **Being a member of any of these populations**: Requires users to sign on if the user belongs to the specified population or populations.

   * **User attributes**: Requires users to sign on if they match a specified user attribute, such as postal code or user ID. For example, `Postal Code = 78750`. Select the checkbox, then click **[icon: plus, set=fa]Add attribute**. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).

   * **IP reputation is high risk**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. An IP address is considered high risk if it might have recently been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.

     **Note:** The **IP reputation** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **A geovelocity anomaly is detected**: PingOne analyzes location data from the user's accessing device. It determines whether travel time between a user's current sign-on location and their previous sign-on location is possible in the time frame that has elapsed since the previous sign-on. Select the checkbox to require MFA when a geovelocity anomaly is detected.

     **Note:** The **Geovelocity anomaly** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **Anonymous network detection**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network such as an unknown VPN, proxy, or an anonymous communication tool such as Tor. Exclude IP addresses in the **Whitelist** by entering them in CIDR notation in a comma-separated list.

     **Note:** The **Anonymous network detection** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

8. Click **Save**.
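The requirement conditions in step 7 are evaluated with Boolean OR (any one condition that is met triggers the MFA prompt), and the **Block**/**Bypass** choice in step 6 only matters once MFA is required and the user has no usable device. The following Python model, added here as an illustration, shows how those rules fit together; it is not PingOne's code and not a call to the PingOne API. The class and field names, the 900 km/h geovelocity threshold, the IP-reputation and anonymous-network inputs, and the sample sign-on data are all constructed for this example. The same logic applies to the Singapore steps below, which define the same conditions.

```python
"""Model of the MFA-step decision logic: constructed example, not PingOne code."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import math

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # constructed threshold for the geovelocity check


@dataclass
class SignOn:
    at: datetime
    ip: str
    lat: float
    lon: float


@dataclass
class MfaStep:
    """Requirement conditions of one MFA step (field names are assumed, not PingOne's)."""
    last_sign_on_older_than: timedelta | None = None
    ip_in_range: list[str] = field(default_factory=list)  # CIDRs; outside all of them -> MFA
    populations: set[str] = field(default_factory=set)
    user_attributes: dict[str, str] = field(default_factory=dict)  # OR across entries
    ip_reputation: bool = False
    geovelocity: bool = False
    anonymous_network: bool = False
    anonymous_whitelist: list[str] = field(default_factory=list)  # CIDRs excluded from the check
    no_devices_mode: str = "BLOCK"  # "BLOCK" or "BYPASS"


@dataclass
class Request:
    current: SignOn
    previous: SignOn | None
    population: str
    attributes: dict[str, str]
    ip_high_risk: bool = False        # assumed to come from an IP-reputation feed
    anonymous_network: bool = False   # unknown VPN/proxy/Tor signal, assumed to come from a feed
    has_usable_device: bool = True    # an enrolled device matching the Available Methods
    already_authenticated: bool = False  # password step or signed login_hint_token


def in_any_range(ip: str, cidrs: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geovelocity_anomaly(prev: SignOn, cur: SignOn) -> bool:
    """True when the implied travel speed between two sign-ons is implausible."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km < 1.0:
        return False  # same place: no travel to explain
    hours = (cur.at - prev.at).total_seconds() / 3600
    return hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH


def triggered_conditions(step: MfaStep, req: Request) -> list[str]:
    """Names of the conditions that are met; any non-empty result means MFA is required."""
    hits = []
    if step.last_sign_on_older_than is not None and (
            req.previous is None or req.current.at - req.previous.at > step.last_sign_on_older_than):
        hits.append("last_sign_on_older_than")
    if step.ip_in_range and not in_any_range(req.current.ip, step.ip_in_range):
        hits.append("ip_out_of_range")
    if req.population in step.populations:
        hits.append("population")
    if any(req.attributes.get(k) == v for k, v in step.user_attributes.items()):
        hits.append("user_attribute")
    if step.ip_reputation and req.ip_high_risk:
        hits.append("ip_reputation_high_risk")
    if step.geovelocity and req.previous is not None and geovelocity_anomaly(req.previous, req.current):
        hits.append("geovelocity_anomaly")
    if (step.anonymous_network and req.anonymous_network
            and not in_any_range(req.current.ip, step.anonymous_whitelist)):
        hits.append("anonymous_network")
    return hits


def decide(step: MfaStep, req: Request) -> str:
    """Outcome of the step: PROMPT_MFA, SKIP, BYPASS or BLOCK."""
    configured = any([step.last_sign_on_older_than, step.ip_in_range, step.populations,
                      step.user_attributes, step.ip_reputation, step.geovelocity, step.anonymous_network])
    # Assumption of this model (not stated on the page): no conditions configured means MFA is always required.
    if configured and not triggered_conditions(step, req):
        return "SKIP"
    if req.has_usable_device:
        return "PROMPT_MFA"
    # "None or incompatible methods": Bypass is honoured only for an already-authenticated user.
    if step.no_devices_mode == "BYPASS" and req.already_authenticated:
        return "BYPASS"
    return "BLOCK"


def sample_step(mode: str = "BYPASS", stale_days: int | None = None) -> MfaStep:
    """Constructed policy: corporate range 10.0.0.0/8, geovelocity and anonymous-network checks on."""
    return MfaStep(last_sign_on_older_than=timedelta(days=stale_days) if stale_days else None,
                   ip_in_range=["10.0.0.0/8"], geovelocity=True, anonymous_network=True,
                   anonymous_whitelist=["203.0.113.0/24"], no_devices_mode=mode)


def sample_request(hours_elapsed: float = 1.0, ip: str = "198.51.100.7", anonymous: bool = True,
                   has_device: bool = True, authenticated: bool = False) -> Request:
    """Constructed sign-on pair: previous from New York, current from London."""
    t0 = datetime(2024, 9, 2, 8, 0, tzinfo=timezone.utc)
    return Request(current=SignOn(t0 + timedelta(hours=hours_elapsed), ip, 51.5074, -0.1278),
                   previous=SignOn(t0, "10.20.30.40", 40.7128, -74.0060),
                   population="contractors", attributes={"postalCode": "78750"},
                   anonymous_network=anonymous, has_usable_device=has_device,
                   already_authenticated=authenticated)


if __name__ == "__main__":
    print(triggered_conditions(sample_step(), sample_request()), decide(sample_step(), sample_request()))
```

Running the module with its constructed data reports three triggered conditions (the request IP is outside the corporate range, New York to London in one hour is not plausible travel, and the anonymous-network signal is not whitelisted) and the outcome `PROMPT_MFA`. Removing the user's usable device turns that into `BLOCK` unless the step is set to **Bypass** and the user has already authenticated, matching the rule in step 6.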

### Steps (Singapore)

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **[icon: plus, set=fa]Add Policy** to create a new policy, or click the **Pencil** icon ([icon: pencil, set=fa]) to edit an existing one.

3. Click **[icon: plus, set=fa]Add step**.

4. In the **Step Type** list, select **Multi-Factor Authentication**.

5. In the **MFA Policy** list, select an MFA policy that's been defined for the environment. Learn more about defining MFA policies in [MFA policies](p1_mfa_policies.html).

6. In the **None or incompatible methods** section:

   For MFA scenarios in which users attempt to sign on but don't have any enrolled MFA devices that comply with the permitted **Available Methods**, select a flow:

   * **Block**: Do not permit these users to sign on because they don't have a usable device for MFA.

   * **Bypass**: Allow users without a usable MFA device to bypass the MFA flow.

     To leverage the **Bypass** option, the user must already be authenticated, either by a password (login step) or by supplying a signed `login_hint_token` in the request object. Learn more about `login_hint_token` in the [GET Authorize (Non-redirect and MFA Only Flows)](https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/authorize-browserless-and-mfa-only-flows.html) operation in the PingOne Platform API Reference.

7. Enter or edit the requirement conditions. If one or more of the following conditions are met, the user is prompted to use a two-step authentication method:

   * **Last sign-on older than**: Requires users to sign on if their previous sign-on is older than the configured value.

   * **Accessing from IP out of range**: Requires users to sign on if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.

   * **Being a member of any of these populations**: Requires users to sign on if the user belongs to the specified population or populations.

   * **User attributes**: Requires users to sign on if they match a specified user attribute, such as postal code or user ID. For example, `Postal Code = 78750`. Select the checkbox, then click **[icon: plus, set=fa]Add attribute**. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).

   * **IP reputation is high risk**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. An IP address is considered high risk if it might have recently been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.

     **Note:** The **IP reputation** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **A geovelocity anomaly is detected**: PingOne analyzes location data from the user's accessing device. It determines whether travel time between a user's current sign-on location and their previous sign-on location is possible in the time frame that has elapsed since the previous sign-on. Select the checkbox to require MFA when a geovelocity anomaly is detected.

     **Note:** The **Geovelocity anomaly** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **Anonymous network detection**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network such as an unknown VPN, proxy, or an anonymous communication tool such as Tor. Exclude IP addresses in the **Whitelist** by entering them in CIDR notation in a comma-separated list.

     **Note:** The **Anonymous network detection** option is available only with a PingOne Protect or PingOne for Customers Passwordless license.

8. Click **Save**.
