PingOne

Managing a user’s MFA service and methods

In environments that use multi-factor authentication (MFA), you can manage a user’s MFA service and methods from the Services > Authentication tab of the user record.

You can remove a method, enable or disable a method, and bypass an authentication service. For example, you can bypass secondary authentication for a specified amount of time if a user loses or damages the MFA device that’s paired with PingOne.

Unpairing your last device or disabling MFA on your administrator account through the PingOne Self-Service - MyAccount app will block your ability to authenticate. You’ll need another administrator to re-enable your account or assist with device pairing.

Steps

  1. In the PingOne admin console, go to Directory > Users and browse or search for the user you want to edit.

  2. Click the user entry to open the user details panel.

  3. Click the Services > Authentication tab.

    A screen capture of the Services > Authentication tab for a user.
  4. In the Multi-Factor Authentication section, enable, disable, bypass, or resume the MFA service for the user:

    • To disable the MFA service, click the toggle and select Disable on the Disable MFA modal.

    • To enable the MFA service, click the toggle and select Enable on the Enable MFA modal.

    • To bypass MFA for a certain amount of time, click Allow MFA bypass. Select a duration in the Bypass modal and then click Bypass.

      The bypass time remaining and a Resume link are shown.

      A screen capture of the Multi-Factor Authentication section showing the bypass time remaining and Resume link.
    • Click the Resume link to resume MFA for the user before the bypass period has passed.

  5. Manage the user’s MFA methods in the Methods section:

    Click an entry to show the date and time that the method or device was paired. For mobile devices that have sent logs, this view also displays the date, time, and support ID of the most recent logs.

    • To change the default device, locate the applicable authentication method, click the More Options (⋮) icon, and then click Make Default.

    • To unpair a method or device, locate the applicable authentication method, click the More Options (⋮) icon, and then click Unpair. Unpairing a method removes it from the user profile.

    • To block an MFA method, click the More Options (⋮) icon for the method and select Block. Blocking a method prevents the user from using that method for MFA, but it doesn’t remove the method from the user profile.

      After you block a device, the menu updates to show an Unblock option instead of Block.

  6. (Workforce only) Disable or bypass specific services and configure PingID settings:

    • To disable a service, locate the applicable service, click the More Options (⋮) icon, and then select Disable.

    • To bypass a service, locate the applicable service, click the More Options (⋮) icon, and then select Bypass. In the Bypass modal, select the bypass duration and click Bypass.

      Bypassing a service suspends the need for a user to authenticate using the secondary authentication method for a specified amount of time. After the specified time elapses, PingOne resumes the service automatically.

    • To configure PingID settings, click Configure Now. Learn more about PingID settings in PingID User Life Cycle Management in the PingID documentation.

  7. Click Save.
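
The following is an added example, not part of the PingOne documentation or product: a small review script that flags the MFA states this procedure can create (service disabled, bypass still active, blocked default method) and administrators who are one unpair away from the lockout described above. The record layout and all field names are hypothetical and constructed for illustration; they do not reflect any PingOne export or API schema.

```python
from datetime import datetime, timezone

# Constructed sample records; the field names are hypothetical and do not
# reflect any PingOne export or API schema.
SAMPLE_USERS = [
    {"username": "alice", "is_admin": True, "mfa_enabled": True, "bypass_until": None,
     "methods": [{"type": "MOBILE", "blocked": False, "default": True}]},
    {"username": "bob", "is_admin": False, "mfa_enabled": True,
     "bypass_until": "2024-05-02T09:00:00+00:00",
     "methods": [{"type": "MOBILE", "blocked": True, "default": True},
                 {"type": "EMAIL", "blocked": False, "default": False}]},
    {"username": "carol", "is_admin": False, "mfa_enabled": False, "bypass_until": None,
     "methods": []},
    {"username": "dave", "is_admin": True, "mfa_enabled": True,
     "bypass_until": "2024-04-30T09:00:00+00:00",
     "methods": [{"type": "MOBILE", "blocked": False, "default": True},
                 {"type": "TOTP", "blocked": False, "default": False}]},
]


def review_user(user, now):
    """Return a list of findings for one user record."""
    findings = []
    if not user["mfa_enabled"]:
        findings.append("MFA service disabled")
    until = user.get("bypass_until")
    if until:
        remaining = datetime.fromisoformat(until) - now
        if remaining.total_seconds() > 0:  # expired bypasses are not reported
            minutes = int(remaining.total_seconds() // 60)
            findings.append(f"MFA bypass active, {minutes} min remaining")
    usable = [m for m in user["methods"] if not m["blocked"]]
    if user["mfa_enabled"] and user["is_admin"] and len(usable) <= 1:
        findings.append("admin has one or no usable method (lockout risk)")
    if any(m["default"] and m["blocked"] for m in user["methods"]):
        findings.append("default method is blocked")
    return findings


def review_all(users, now):
    """Map username -> findings, omitting users with nothing to report."""
    report = {u["username"]: review_user(u, now) for u in users}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    for name, findings in review_all(SAMPLE_USERS, now).items():
        print(name, "->", "; ".join(findings))
```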