Editing an authentication policy

Use the Policies page to modify existing authentication policies in PingOne.

Editing a single-factor authentication policy

A single-factor authentication policy requires only one piece of evidence to verify a user’s identity, such as a user name and password.

Go to Authentication > Authentication.
Under Single-Factor, click the details icon to expand the policy, and then click the Pencil icon.
Enter or edit the login settings.
- Enable account recovery. In case of a forgotten password, users can recover their accounts with a one-time passcode sent over SMS, voice, or email.
- Enable registration. Users can register their own accounts if a user record already exists. Select PingOne Directory to provision users to the PingOne user store. Select External Link to provision users to an external user store. PingOne will direct users to the Registration Target URL for registration, but PingOne will still be used for authentication.

Enter or edit the login conditions.

Last sign-on older than. Requires users to log in again if their previous login is older than the configured value.

The PingOne admin console always uses the default authentication policy. If the Last sign-on older than option is set to a value less than 8 hours, the admin user will have to re-authenticate only if they have been idle for more than 30 minutes during the duration specified in Last sign-on older than. If the admin user is active in the console, the session will be refreshed and they won’t have to re-authenticate.

Enter or edit an external identity provider. Click Add Provider and then select an identity provider from the list. If an identity provider does not appear on the list, it may not be enabled. See Enabling or disabling an identity provider.
To prevent users from signing in if their PingOne user account is locked, select Block authentication of locked user accounts from Presented Identity Providers. If you leave this option cleared, then users can sign on with their configured identity provider credentials, but not their PingOne credentials.
Click Save.

Editing a multi-factor authentication policy

A multi-factor authentication policy requires two pieces of evidence to verify a user’s identity, such as a user name and password as well as a one-time passcode sent over SMS, voice or email, or a push notification to the user’s mobile device.

Go to Authentication > Authentication.
Under Multi-Factor, click the details icon to expand the policy, and then click the Pencil icon.
Enter or edit the login settings:
- Enable account recovery. In case of a forgotten password, users can recover their accounts with a one-time passcode sent over SMS, voice, or email.
- Enable registration. Users can register their own accounts if a user record already exists. Select PingOne Directory to provision users to the PingOne user store. Select External Link to provision users to an external user store. PingOne will direct users to the Registration Target URL for registration, but PingOne will still be used for authentication.
- Population. If registration is enabled, specify the population that the end user will belong to.
- Require confirmation of user information. If registration is enabled, requires end users to confirm the data that is linked with the third-party identity provider. The end user will have an opportunity to edit the information that the third-party identity provider shares with PingOne, such as user name, email address, first name, and last name.
Enter or edit the login conditions:
- Last sign-on older than. Requires users to log in again if their previous login is older than the configured value.
From the MFA Policy list, select an MFA policy that has been defined for the environment. For more information on defining MFA policies, see MFA policies.
Under None or incompatible methods, choose the MFA flow:

For MFA scenarios in which users attempt to sign on, but do not have any enrolled MFA devices that comply with the permitted Available Methods, choose the flow:
- Block: Do not permit these users to sign on, because they don’t have a usable device for MFA.
- Bypass: Allow users without a usable MFA device to bypass the MFA flow.
To leverage the Bypass option, the user must already be authenticated, either by a password (login step), or by supplying a signed login_hint_token in the request object. See login_hint_token in the GET Authorize (Browserless and MFA Only Flows) operation in the PingOne Platform API Reference.

Enter or edit the multi-factor authentication conditions. If one or more of the following conditions are met, the user will be prompted to use a two-step authentication method.

Last sign-on older than. The previous login is older than the configured value.
Accessing from IP out of range. The request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.
Being a member of any of these populations. The user belongs to the specified population or populations.
User attributes. Requires users to sign in if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the check box, then click Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).

IP reputation is high risk. PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. An IP address is considered high risk if it may have recently been involved in malicious activities, such as DDoS attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.

The IP reputation option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the IP reputation feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the IP reputation feature will not be active, and cannot be reactivated with a Premier license.

A geovelocity anomaly is detected. PingOne analyzes location data from the user’s accessing device. It determines whether travel time between a user’s current login location and their previous login location is possible in the time frame that has elapsed since the previous login. Select the checkbox to require MFA when a geovelocity anomaly is detected.

The Geovelocity anomaly option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the Geovelocity anomaly feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the Geovelocity anomaly feature will not be active, and cannot be reactivated with a Premier license.

Anonymous network detection. PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network such as an unknown VPN, proxy, or an anonymous communication tool such as Tor. Exclude IP addresses in the Whitelist by entering them in CIDR notation in a comma-separated list.

The Anonymous network detection option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the Anonymous network detection feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the Anonymous network detection feature will not be active, and cannot be reactivated with a Premier license.

Click Save.

You can add more steps to the authentication policy. Click Add step, select the step type, and enter the values for the selected type.

For more information, see:

The first step in a policy cannot have population or user attribute conditions. Additionally, if the second step in a two-step policy has conditions set, and you delete the first step so that the second step becomes first, those conditions will be removed.