PingOne

Adding an MFA policy

Create a multi-factor authentication (MFA) policy and then add it as a step to your authentication policy.

Before you begin

  • To add a mobile application authentication method, first add the application. For information, see Adding an application.

  • If you want to add FIDO2 as an authentication method, PingOne provides two out-of-the-box enhanced Fast IDentity Online (FIDO) policies. If you want to modify them or create your own custom FIDO policy, you’ll need to do that before you start. Learn more in FIDO policies.

About this task

To create an MFA policy, configure the relevant settings for the authentication methods that you want to enable.

Steps

  1. Go to Authentication → MFA.

  2. On the MFA Policies page, click the icon.

  3. In the Name field, enter a meaningful name for the policy.

    There is a maximum of 256 characters.

  4. In the Method Selection list, for users with more than one paired device, define which device is presented to the user for authentication. Select one.

    Choose from:

    • User selected default: Allow the user to authenticate with the device they selected as their default device.

    • Prompt user to select: If more than one method is available, when prompted to authenticate, the user is prompted to choose a device from the authentication methods they have paired to their account. Only authentication methods permitted by the relevant authentication policy are shown.

    • Always display devices: Even if the user has only one permitted authentication method paired with their account, the user is prompted to select an authentication method.

      The Method Selection setting is not applied if you have enabled device authorization and the user is accessing an application from a trusted mobile device. It is also not applied if the user is trying to access the application with a browser that they have used for FIDO2 authentication in the past. In such cases, FIDO2 is used.

  5. In the Send notification when new device paired list, select how the user should be notified when a new device has been added to their account.

    Choose from:

    • No notification: User should not be notified

    • By email, else SMS: By email (or by SMS if no email address available in the user profile)

    • By SMS, else email: By SMS (or by email if no phone number available in the user profile)

  6. To add a mobile application as an authentication method, in the Allowed Authentication Methods section, select the Mobile Applications check box, and then configure the following:

    1. Passcode Failure Limit: Define the maximum number of times that a one-time passcode (OTP) entry can fail.

    2. Lock Duration: Set the amount of time that the authentication method is locked if the Passcode Failure Limit is exceeded. Accepted values range from 2 mins - 30 mins.

    3. Rename device during pairing: Select the checkbox to allow users to define a device nickname during the pairing flow.

    4. Add Applications: To add an application, click Add Applications, select the name of the mobile application to use (from among those you have defined for the environment), and click Save.

    5. Define the following fields for the application:

      • OTP & Push: The mechanism that should be used to allow the user to authenticate.

        Choose from:

        • Push: use only the standard push mechanism.

        • OTP: use only OTPs.

        • Push & OTP: use the standard push mechanism and allow OTP as a backup mechanism.

      • Push Notification Timeout: The amount of time that a user has to respond to a push notification before it expires.

      • Allow Pairing: To prevent new users from pairing their device with this authentication method, clear the checkbox.

      • Device Integrity: Define how authentication and registration attempts should proceed in the event that a device integrity check yields inconclusive results. Select Permissive if you want to allow the process to continue. Select Restrictive if you want to block the user in such situations.

        The Permissive/Restrictive buttons are displayed only if device integrity checking has been enabled for the application on the Authenticator tab of the Applications definition page.

      • Auto Enrollment: Auto Enrollment means that the user can authenticate from an unpaired device, and the successful authentication results in the pairing of the device for MFA. To enable, select the check box.

        If you want to allow automatic enrollment even if the user does not have any existing paired devices, go to the authentication policy that you created, and in the MFA step, verify that the NONE OR INCOMPATIBLE METHODS setting is set to Bypass. For details, see Editing an authentication policy.

      • Device Authorization: When enabled, the trusted device handles the authentication automatically, and no user involvement is required. This automatic mechanism is used only if the user is requesting access from the same device. To enable, select the check box.

        If you are enabling Device Authorization, choose one of the following options for Extra Verification:

        • Disabled: Do not use an extra verification step.

        • Permissive: A push is sent to the device to be handled automatically. If the push is not received, access is granted nonetheless.

        • Restrictive: A push is sent to the device to be handled automatically. If the push is not received, access is not granted.

        For more information on Device Authorization, see Introduction to PingOne MFA.

      • Pairing Key Lifetime: Indicate how much time an issued pairing key can be used until it expires.

      • Limit Push Notifications: The purpose of this feature is to help you prevent attacks based on repeated push notifications that lead users to eventually accept the request. Define the number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for the application:

        • Push Limit: The number of notifications that can be declined or ignored (1-50).

        • Time Period: Time period during which the notifications are counted towards the limit (1-120 secs/mins).

        • Lock Duration: Duration for which the device is blocked (1-120 secs/mins).
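    The Passcode Failure Limit / Lock Duration pair (step 6, item 1-2) and the Limit Push Notifications settings above both describe the same kind of lockout counter: a number of failures (or declined/ignored pushes) triggers a lock for a fixed duration, with the push variant additionally only counting events inside a time window. The following is an added illustration of that logic, not PingOne's implementation; the class names, the event streams and the policy values are constructed for the example.

```python
"""Lockout counters modelled on the MFA policy settings described above.

Added example, not PingOne code. `LockoutPolicy`, `LockoutState` and `replay`
are hypothetical names chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    limit: int                              # failures that trigger the lock
    lock_seconds: int                       # Lock Duration
    window_seconds: Optional[int] = None    # Time Period; None = consecutive failures, no time bound


@dataclass
class LockoutState:
    policy: LockoutPolicy
    failures: Deque[float] = field(default_factory=deque)   # timestamps of counted failures
    locked_until: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        """True while the lock is active; an expired lock is cleared and the count restarts."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return True
            self.locked_until = None
            self.failures.clear()
        return False

    def record_failure(self, now: float) -> bool:
        """Count a failed OTP entry or a declined/ignored push. Returns True if it triggered the lock."""
        if self.is_locked(now):
            return False
        self.failures.append(now)
        if self.policy.window_seconds is not None:
            # Only failures inside the Time Period count towards the Push Limit.
            cutoff = now - self.policy.window_seconds
            while self.failures and self.failures[0] < cutoff:
                self.failures.popleft()
        if len(self.failures) >= self.policy.limit:
            self.locked_until = now + self.policy.lock_seconds
            self.failures.clear()
            return True
        return False

    def record_success(self, now: float) -> bool:
        """A successful authentication resets the counter; it is refused while locked."""
        if self.is_locked(now):
            return False
        self.failures.clear()
        return True


def replay(policy: LockoutPolicy, events: List[Tuple[float, str]]) -> List[str]:
    """Run a stream of (timestamp, 'fail' | 'ok') events through one lockout state.

    Each event yields 'locked' (rejected, lock active), 'locked_now' (this failure
    tripped the lock), 'fail' (counted, not yet locked) or 'ok'.
    """
    state = LockoutState(policy)
    outcomes = []
    for ts, kind in events:
        if state.is_locked(ts):
            outcomes.append("locked")
        elif kind == "fail":
            outcomes.append("locked_now" if state.record_failure(ts) else "fail")
        else:
            state.record_success(ts)
            outcomes.append("ok")
    return outcomes


# Constructed sample: Passcode Failure Limit 3, Lock Duration 120 s, no time window.
OTP_POLICY = LockoutPolicy(limit=3, lock_seconds=120)
OTP_EVENTS = [(0, "fail"), (10, "fail"), (20, "fail"), (30, "ok"), (141, "ok")]

# Constructed sample: Push Limit 5, Time Period 60 s, Lock Duration 600 s.
# Four declines spread over 30 s, a pause, then a burst of five inside 60 s.
PUSH_POLICY = LockoutPolicy(limit=5, lock_seconds=600, window_seconds=60)
PUSH_EVENTS = [(0, "fail"), (10, "fail"), (20, "fail"), (30, "fail"),
               (100, "fail"), (105, "fail"), (110, "fail"), (115, "fail"),
               (120, "fail"), (130, "ok")]

if __name__ == "__main__":
    print("OTP :", replay(OTP_POLICY, OTP_EVENTS))
    print("Push:", replay(PUSH_POLICY, PUSH_EVENTS))
```

In the push sample the early declines fall out of the 60-second window before the later burst, so only the burst counts towards the limit; the fifth decline within the window locks push delivery and the correct response at t=130 is refused until the lock expires. With the OTP sample there is no window, so the third consecutive failure locks the method and even a correct passcode at t=30 is rejected.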

  7. To add Authenticator App, Email, SMS, or Voice as an authentication method, in the Allowed Authentication Methods section, select the relevant check box, and then define the following for each method that you want to add:

    • Passcode Failure Limit: Define the maximum number of times that OTP entry can fail (1-7).

      In authentication flows that implement "one-time authentication" with the PingOne MFA API, users are not blocked after passcode failure even if you specify a blocking period in the MFA policy.

    • Lock Duration: The amount of time this authentication method is locked if the Passcode Failure Limit is exceeded (2 sec - 30 mins).

    • Passcode Lifetime (Email, SMS, and voice only): The amount of time the passcode is valid before it expires (max. 30 mins).

      For the Authenticator App (TOTP) method, passcodes are valid for 30 seconds (refresh duration). However, to cover time synchronization issues, there is a grace period of 8 times the refresh duration in each direction. So taking the grace period into account, the passcode is valid for the base 30 seconds plus 8x30 = 240 seconds behind the time of issue and 240 seconds past the expiration time.

    • Allow Pairing: To prevent new users from pairing their device with this authentication method, clear the check box.

    • Rename device during pairing: Select the checkbox to allow users to define a device nickname during the pairing flow.

    • Show application name (authenticator app (TOTP) only): To help users recognize which application the OTP displayed in their authenticator app is for, select this option and provide the text that should be displayed alongside the OTP. If you’re using the same MFA policy for multiple applications, use a name that reflects the group of applications.

      If you provide an application name, remember that users see the name that was in the MFA policy when they paired their device. If you subsequently update the application name in the MFA policy, the new name will be seen only by users who paired their device after the change was made.
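    The grace-period arithmetic given for the Authenticator App (TOTP) method above (30-second steps, 8 steps in each direction, so 240 seconds before issue and 240 seconds after expiry) is what a verifier with a window of ±8 time steps produces. The following added example implements the RFC 6238 computation and that window so the acceptance interval can be checked directly; it is illustrative code, not PingOne's implementation, and the `TotpVerifier` class, the `acceptance_interval` helper and the secret value are constructed for the example (the secret is the RFC 4226/6238 test secret).

```python
"""TOTP verification with a +/-8 step grace window, as described for the
Authenticator App method above. Added example; hypothetical names throughout."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30   # refresh duration
GRACE_STEPS = 8     # grace period in each direction, from the policy description


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def acceptance_interval(issue_time: int, step: int = STEP_SECONDS,
                        grace: int = GRACE_STEPS) -> Tuple[int, int]:
    """[start, end) during which a code issued at `issue_time` is accepted by a
    verifier that allows `grace` steps in each direction.

    The code's own step is [30k, 30k+30); the window extends it by grace*step on
    both sides, i.e. 240 s before issue and 240 s past expiry for 8 x 30 s."""
    k = issue_time // step
    return (k - grace) * step, (k + 1 + grace) * step


class TotpVerifier:
    """Verifies codes inside the grace window and refuses reuse of an accepted step."""

    def __init__(self, secret: bytes, grace_steps: int = GRACE_STEPS,
                 step: int = STEP_SECONDS) -> None:
        self.secret = secret
        self.grace = grace_steps
        self.step = step
        self.last_counter = -1   # highest time step already consumed (replay protection)

    def verify(self, code: str, now: int) -> Optional[int]:
        """Return the step offset (-grace..+grace) at which `code` matched, or None."""
        current = now // self.step
        for offset in range(-self.grace, self.grace + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue   # that step was already used: reject replay even inside the window
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return offset
        return None


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 1000)
    print("accepted from/until:", acceptance_interval(1000))
    print("8 steps late :", TotpVerifier(SECRET).verify(code, 1240))
    print("9 steps late :", TotpVerifier(SECRET).verify(code, 1270))
```

The replay check matters because a window of 17 steps (about eight and a half minutes) is wide enough that an intercepted code could otherwise be presented again; recording the highest accepted step closes that gap without narrowing the window. Note also that the wide grace window does not change the Passcode Failure Limit: each wrong guess still counts towards the lockout.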

  8. To add FIDO2 as an authentication method:

    • In the Allowed Authentication Methods section, select FIDO2 and in the FIDO Policy field, select the FIDO policy that you want to apply, or select Use the default policy to use the default FIDO policy.

    • Allow Pairing: To prevent new users from pairing their device with this authentication method, clear the check box.

    • Rename device during pairing: Select the checkbox to allow users to define a nickname for the device during the pairing flow.

    For information about defining a FIDO policy, see FIDO policies.

    If you are editing an existing MFA policy that is using a deprecated FIDO Biometrics or Security Key authentication method, you’ll need to replace it with the FIDO2 authentication method and reference an enhanced FIDO policy. For information, see Updating an existing MFA policy to use FIDO2.

  9. Click Save.

    Result:

    The policy is added to the Policy list.

    In the Policy list, click a policy to see a summary of the policy details in the right pane or edit an existing policy.

Next steps

Add the MFA policy to the MFA step in the relevant Authentication policy. Learn more in Adding a multi-factor authentication step.