PingOne

Editing an authentication policy

Use the Policies page to modify existing authentication policies in PingOne.

Editing a single-factor authentication policy

A single-factor authentication policy requires only one piece of evidence to verify a user’s identity, such as a username and password.

  1. Go to Authentication > Authentication.

  2. For Single_Factor, click the Details icon to expand the policy and then click the Pencil icon.

  3. Enter or edit the Login settings:

    • Enable account recovery: In case of a forgotten password, users can recover their accounts with a one-time passcode (OTP) sent through SMS, voice, or email.

    • Enable registration: Users can register their own accounts whether or not a user record already exists. Select PingOne to provision users to the PingOne user store or External Link to provision users to an external user store. PingOne directs users to the Registration Target URL for registration, but PingOne is still used for authentication.

    • Last sign-on older than: Requires users to sign on again if their previous sign-on is older than the configured value.

      The PingOne admin console always uses the default authentication policy. If the Last sign-on older than option is set to a value less than 8 hours, the administrator only has to reauthenticate if they’ve been idle for more than 30 minutes during the duration specified in Last sign-on older than. If the administrator is active in the console, the session refreshes, and they won’t have to reauthenticate.

  4. Enter or edit an external identity provider (IdP):

  5. To prevent users from signing on if their PingOne user account is locked, select Block authentication of locked user accounts from Presented Identity Providers. If you leave this option cleared, users can sign on with their configured IdP credentials but not their PingOne credentials.

  6. Click Save.

Editing a multi-factor authentication policy

A multi-factor authentication (MFA) policy requires two pieces of evidence to verify a user’s identity, such as a username and password and a push notification to the user’s mobile device or an OTP sent through SMS, voice, or email.

The first step in a policy can’t have population or user attribute conditions. Additionally, if the second step in a two-step policy has conditions set, and you delete the first step so that the second step becomes first, those conditions are removed.

  1. Go to Authentication > Authentication.

  2. For Multi_Factor, click the Details icon to expand the policy and then click the Pencil icon.

  3. Enter or edit the Login settings:

    • Enable account recovery: In case of a forgotten password, users can recover their accounts with an OTP sent through SMS, voice, or email.

    • Enable registration: Users can register their own accounts whether or not a user record already exists. Select PingOne to provision users to the PingOne user store or External Link to provision users to an external user store. PingOne directs users to the Registration Target URL for registration, but PingOne is still used for authentication.

    • Population: If registration is enabled, select the population to which the end user will be added.

    • Require confirmation of user information: If registration is enabled, end users must confirm the data linked with the third-party IdP. The end user can edit the information that the third-party IdP shares with PingOne, such as username, email address, first name, and last name.

    • Last sign-on older than: Requires users to sign on again if their previous sign-on is older than the configured value.

  4. In the MFA Policy list, select an MFA policy. Learn more in MFA policies.

  5. For None or incompatible methods, choose the MFA flow to use for MFA scenarios when users attempt to sign on but don’t have any enrolled MFA devices that comply with the permitted Available Methods:

    • Block: Don’t permit these users to sign on because they don’t have a usable device for MFA.

    • Bypass: Allow users without a usable MFA device to bypass the MFA flow.

      To leverage the Bypass option, the user must already be authenticated by a password (Login step) or by supplying a signed login_hint_token in the request object. Learn more about login_hint_token in the GET Authorize (Browserless and MFA Only Flows) operation in the PingOne Platform API Reference.

  6. Enter or edit the MFA conditions. If one or more of the following conditions are met, the user is prompted to use a 2-step authentication method:

    • Last sign-on older than: The previous sign-on is older than the configured value.

    • Accessing from IP out of range: The request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.

    • Being a member of any of these populations: The user belongs to the specified population or populations.

    • User Attributes: Requires users to sign on if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the checkbox and enter the attribute and the appropriate value. To add additional attributes, click Add attribute. If you have multiple attribute conditions, the policy evaluates to true if any of the conditions are met (Boolean OR).

    • IP reputation is high risk: PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. An IP address is considered high risk if it could have recently been involved in malicious activities, such as DDoS attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.

      The IP reputation option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.

    • A geovelocity anomaly is detected: PingOne analyzes location data from the user’s accessing device. It determines whether travel time between a user’s current sign-on location and their previous sign-on location is possible in the time frame that has elapsed since the previous sign-on. Select the checkbox to require MFA when a geovelocity anomaly is detected.

      The Geovelocity anomaly option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.

    • Anonymous network detection: PingOne collects and analyzes IP address data of authentication requests from the user’s accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network, such as an unknown VPN, proxy, or an anonymous communication tool (for example, Tor). Exclude IP addresses in the Whitelist by entering them in CIDR notation in a comma-separated list.

      The Anonymous network detection option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.

  7. Click Save.
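
To check how a planned combination of step 5 and step 6 settings behaves before saving it, the following added example (not PingOne code and not a PingOne API) models the documented logic locally: any met condition requires MFA, attribute conditions are OR-ed, and Block or Bypass applies when the user has no usable device. The class and field names, the sample values, and the treatment of a missing previous sign-on are assumptions. The license-gated risk conditions are not modeled.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class MfaConditions:  # hypothetical local model of the step 6 settings
    max_age: timedelta | None = None  # "Last sign-on older than"
    allowed_cidrs: list[str] = field(default_factory=list)
    populations: set[str] = field(default_factory=set)
    user_attributes: dict[str, str] = field(default_factory=dict)

@dataclass
class SignOn:  # constructed context; the user already passed the Login step
    now: datetime
    last_sign_on: datetime | None
    ip: str
    population: str
    attributes: dict[str, str]
    has_usable_mfa_device: bool = True

def triggered(c: MfaConditions, s: SignOn) -> list[str]:
    """Names of the configured conditions this sign-on meets."""
    hits = []
    # Assumption: a user with no recorded sign-on counts as "older than".
    if c.max_age is not None and (
            s.last_sign_on is None or s.now - s.last_sign_on > c.max_age):
        hits.append("last_sign_on_older_than")
    if c.allowed_cidrs and not any(
            ip_address(s.ip) in ip_network(r) for r in c.allowed_cidrs):
        hits.append("ip_out_of_range")
    if s.population in c.populations:
        hits.append("population")
    # Multiple attribute conditions are OR-ed: one match is enough.
    if any(s.attributes.get(k) == v for k, v in c.user_attributes.items()):
        hits.append("user_attribute")
    return hits

def decide(c: MfaConditions, s: SignOn, no_device: str = "BLOCK") -> str:
    """Any met condition requires MFA; no_device is the step 5 choice."""
    if not triggered(c, s):
        return "PASSWORD_ONLY"
    return "MFA" if s.has_usable_mfa_device else no_device

NOW = datetime(2024, 1, 1, 12, 0)  # constructed sample policy and sign-on
POLICY = MfaConditions(timedelta(hours=8), ["10.0.0.0/8", "192.0.2.0/24"],
                       {"Contractors"}, {"postalCode": "78750"})
OFFICE = SignOn(NOW, NOW - timedelta(hours=1), "10.1.2.3", "Employees",
                {"postalCode": "10001"})
```

Running planned values through `decide` with `no_device="BYPASS"` shows which users would reach the application on a password alone when they have no compliant device.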

Next steps