---
title: Editing an authentication policy
description: Use the Authentication page to modify existing authentication policies in PingOne.
component: pingone
page_id: pingone:authentication:p1_edit_auth_policy
canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_edit_auth_policy.html
section_ids:
  editing-a-single-factor-authentication-policy: Editing a single-factor authentication policy
  editing-a-multi-factor-authentication-policy: Editing a multi-factor authentication policy
  next-steps: Next steps
---

# Editing an authentication policy

Use the **Authentication** page to modify existing authentication policies in PingOne.

## Editing a single-factor authentication policy

A single-factor authentication policy requires only one piece of evidence to verify a user's identity, such as a username and password.

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. For **Single\_Factor**, click the **Details** icon to expand the policy and then click the **Pencil** icon.

3. Enter or edit the **Login** settings:

   | Setting                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Enable account recovery** | In case of a forgotten password, users can recover their accounts with a one-time passcode (OTP) sent through email. An OTP is a passcode valid for only one sign-on or transaction on a computer system or other digital device, also known as a one-time password, one-time PIN, or dynamic password. |
   | **Enable registration**     | Users can register their own accounts whether or not a user record already exists. Select **PingOne** to provision users to the PingOne user store. Select **External Link** to provision users to an external user store; PingOne directs users to the **Registration Target URL** for registration, but PingOne is still used for authentication. |
   | **Last sign-on older than** | Requires users to sign on again if their previous sign-on is older than the configured value. The PingOne admin console uses a system policy that doesn't allow you to change this setting: the administrator must reauthenticate after being inactive for more than 30 minutes. If the administrator is active in the console within the 30-minute period, the session refreshes and reauthentication isn't necessary. MFA is required every 12 hours. |

4. Enter or edit an external identity provider (IdP). An IdP is a service that manages identity information and provides authentication services to relying clients or service providers within a federated or distributed network. Click **Add Provider** and then select an IdP from the list. If an IdP doesn't appear in the list, it might not be enabled. Learn more in [Adding an external identity provider](../integrations/p1_adding_vendor_specific_idps.html).

5. To prevent users from signing on if their PingOne user account is locked, select **Block authentication of locked user accounts from Presented Identity Providers**. If you leave this option cleared, users can sign on with their configured IdP credentials but not their PingOne credentials.

6. Click **Save**.

## Editing a multi-factor authentication policy

A multi-factor authentication (MFA) policy requires two pieces of evidence to verify a user's identity, such as a username and password and a push notification to the user's mobile device or an OTP sent through SMS, voice, or email. MFA is an electronic authentication method in which a user is granted access only after presenting two or more verification factors.

**Note:** The first step in a policy can't have population or user attribute conditions. Additionally, if the second step in a two-step policy has conditions set, and you delete the first step so that the second step becomes first, those conditions are removed.

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. For **Multi\_Factor**, click the **Details** icon to expand the policy and then click the **Pencil** icon.

3. Enter or edit the **Login** settings:

   | Setting                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   | -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Enable account recovery**                  | In case of a forgotten password, users can recover their accounts with an OTP sent through email. |
   | **Enable registration**                      | Users can register their own accounts whether or not a user record already exists. Select **PingOne** to provision users to the PingOne user store. Select **External Link** to provision users to an external user store; PingOne directs users to the **Registration Target URL** for registration, but PingOne is still used for authentication. |
   | **Population**                               | If registration is enabled, select the population to which the end user will be added. |
   | **Require confirmation of user information** | If registration is enabled, requires end users to confirm the data that is linked with the third-party IdP. The end user will have an opportunity to edit the information that the third-party IdP shares with PingOne, such as username, email address, first name, and last name. |
   | **Last sign-on older than**                  | Requires users to sign on again if their previous sign-on is older than the configured value. |

4. In the **MFA Policy** list, select an MFA policy. Learn more in [MFA policies](p1_mfa_policies.html).

5. For **None or incompatible methods**, choose the MFA flow to use for MFA scenarios when users attempt to sign on but don't have any enrolled MFA devices that comply with the permitted **Available Methods**:

   * **Block**: Don't permit these users to sign on because they don't have a usable device for MFA.

   * **Bypass**: Allow users without a usable MFA device to bypass the MFA flow.

     To leverage the **Bypass** option, the user must already be authenticated by a password (**Login** step) or by supplying a signed `login_hint_token` in the request object. Learn more about `login_hint_token` in the [GET Authorize (Non-redirect and MFA Only Flows)](https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/authorize-browserless-and-mfa-only-flows.html) operation in the PingOne Platform API Reference.

6. Enter or edit the MFA conditions. If one or more of the following conditions are met, the user is prompted to use a two-step authentication method:

   * **Last sign-on older than**: The previous sign-on is older than the configured value.

   * **Accessing from IP out of range**: The request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.

   * **Being a member of any of these populations**: The user belongs to the specified population or populations.

   * **User Attributes**: Prompts for the second step if the user matches a specified user attribute, such as postal code or user ID. For example, `Postal Code = 78750`. Select the checkbox and enter the attribute and the appropriate value. To add more attributes, click **Add attribute**. If you have multiple attribute conditions, the policy evaluates to true if any of the conditions are met (Boolean OR).

   * **IP reputation is high risk**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. An IP address is considered high risk if it could have recently been involved in malicious activities, such as DDoS attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.

     **Note:** The **IP reputation** option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **A geovelocity anomaly is detected**: PingOne analyzes location data from the user's accessing device. It determines whether travel time between a user's current sign-on location and their previous sign-on location is possible in the time frame that has elapsed since the previous sign-on. Select the checkbox to require MFA when a geovelocity anomaly is detected.

     **Note:** The **Geovelocity anomaly** option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.

   * **Anonymous network detection**: PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network, such as an unknown VPN, proxy, or an anonymous communication tool (for example, Tor). Exclude IP addresses in the **Whitelist** by entering them in CIDR notation in a comma-separated list.

     **Note:** The **Anonymous network detection** option is a feature available only with a PingOne Protect or PingOne for Customers Passwordless license.

7. Click **Save**.

## Next steps

You can add more steps to the authentication policy. Click **Add step**, select the step type, and enter the values for the selected type.

Learn more in:

* [Adding a login authentication step](p1_add_login_auth_step.html)

* [Adding a multi-factor authentication or PingID step](p1_add_mfa_step.html)

* [Adding an identifier first authentication step](p1_add_identifier_first_auth.html)

* [Adding a progressive profiling step](p1_add_progressive_profiling.html)

* [Adding a terms of service agreement prompt](p1_add_agreement_prompt.html)

* [Adding an external identity provider sign-on step](p1_add_idp_signon_step.html)
