PingOne

Configuring pushless and TOTP MFA for a mobile application

A sign-on policy dictates how the user’s identity will be verified when signing on to the system.

In this example, you’ll configure the multi-factor authentication (MFA) step in a sign-on policy for pushless and time-based one-time password (TOTP) authenticator app support. This step is an extension of MFA using a mobile application.

Configuring pushless and TOTP MFA for a mobile application using the admin console

Steps

  1. Go to Authentication → MFA.

  2. Locate your MFA policy and click the entry to open the details panel.

  3. Click the Pencil icon to enter edit mode.

  4. In Allowed Available Methods → Mobile Applications, click Application.

  5. In OTP & Push, select one of the following options:

    • OTP: TOTP is enabled and Push is disabled.

    • Push (default): Push is enabled and TOTP is disabled.

    • OTP & Push: TOTP and Push are enabled.

  6. Click Save.

Configuring pushless and TOTP MFA for a mobile application using the API

About this task

Application developers can use the API operations to configure TOTP and pushless MFA using a mobile app. The applications parameter is an array of native applications, with additional configuration options for TOTP and pushless MFA.

Steps

  1. To update the sign-on policy’s MFA action, set the applications parameter values using the PUT operation.

  2. To configure the push and one-time passcode (OTP) options to determine the authentication method, set:

    • push.enabled = true and otp.enabled = true for both Push and TOTP

    • push.enabled = true and otp.enabled = false for Push only

    • push.enabled = false and otp.enabled = true for TOTP only

      If you do not create push credentials, only OTP is available.

    Example: the complete PUT operation should look like the following:

PUT https://api.pingone.com/v1/environments/{{envId}}/signOnPolicies/{{policyId}}/actions/{{mfaActionId}}
{
    "priority": 1,
    "type": "MULTI_FACTOR_AUTHENTICATION",
    "sms": {
        "enabled": true
    },
    "email": {
        "enabled": true
    },
    "applications": [
        {
            "id": "{{nativeAppId}}",
            "autoEnrollment": {
                "enabled": true,
                "noDevicesMode": "BYPASS"
            },
            "deviceAuthorization": {
                "enabled": true,
                "extraVerification": "permissive"
            },
            "push": {
                "enabled": true
            },
            "otp": {
                "enabled": true
            }
        }
    ]
}
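
The following check is an added example, not part of the PingOne documentation or API: it reads the applications array of an MFA action body before you send the PUT, maps each push.enabled / otp.enabled pair to the console option from step 2, and reports the effective method when push credentials are missing. The function names, the caller-supplied set of application IDs that have push credentials, the choice to treat an unset flag as disabled, and the sample IDs are all assumptions made for this sketch.

```python
import json

# Console option names for each (push.enabled, otp.enabled) pair listed in the steps.
MODES = {(True, True): "OTP & Push", (True, False): "Push", (False, True): "OTP"}

def review_app(app, has_push_credentials):
    """Return (configured, effective, findings) for one applications[] entry."""
    findings = []
    flags = []
    for key in ("push", "otp"):
        value = app.get(key, {}).get("enabled")
        if not isinstance(value, bool):
            findings.append(f"{key}.enabled is not set explicitly")
            value = False  # assumption of this sketch: treat unset as disabled
        flags.append(value)
    push, otp = flags
    configured = MODES.get((push, otp))
    if configured is None:
        findings.append("neither push nor otp is enabled for this application")
    # Per the note in the steps: without push credentials only OTP is available.
    effective = MODES.get((push and has_push_credentials, otp))
    if configured and effective != configured:
        findings.append(f"no push credentials: effective method is {effective or 'none'}")
    return configured, effective, findings

def review_action(action, apps_with_push_credentials):
    """Review every native application in an MFA action body."""
    return {
        app["id"]: review_app(app, app["id"] in apps_with_push_credentials)
        for app in action.get("applications", [])
    }

# Constructed sample input: IDs are placeholders, not real application IDs.
SAMPLE = json.loads("""
{
  "type": "MULTI_FACTOR_AUTHENTICATION",
  "applications": [
    {"id": "app-both", "push": {"enabled": true}, "otp": {"enabled": true}},
    {"id": "app-push-only", "push": {"enabled": true}, "otp": {"enabled": false}},
    {"id": "app-unset", "otp": {"enabled": true}}
  ]
}
""")

if __name__ == "__main__":
    # Only app-push-only is assumed to have push credentials in this run.
    for app_id, result in review_action(SAMPLE, {"app-push-only"}).items():
        print(app_id, result)
```

A Push-only entry with no push credentials comes back with an effective method of none, which is the case to catch before the policy reaches users.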