PingOne

Updating the MFA step in your sign-on policy

Follow the steps for either the admin console or the application programming interface (API) to update the multi-factor authentication (MFA) step in your sign-on policy.

  • Console

  • API

Updating the MFA step in your sign-on policy using the admin console

Steps

  1. Go to Authentication → MFA.

  2. Locate and select your MFA policy.

    Result:

    The Details panel opens.

  3. Click the Pencil icon to enter edit mode.

  4. In the Allowed Authentication Methods section, select the Mobile Applications check box.

  5. Click Application.

  6. In the Application list, select your native app.

  7. Optional: Select the Auto Enrollment and Device Authorization check boxes:

    Auto Enrollment

    Allow automatic enrollment of the mobile application to MFA during the authentication flow.

    Device Authorization

    Allow users to securely sign on to the app on a trusted mobile device, without having to actively go through strong authentication, while a seamless MFA takes place behind the scenes.

    If the user has no usable devices, you can configure automatic enrollment as Bypass or Block.

  8. Click Save.

Next steps

Updating the MFA step in your sign-on policy using the API

About this task

The applications parameter is an array of native applications with additional configuration options for automatic enrollment and device authorization.

Steps

  • To update the sign-on policy’s MFA action, set the applications parameter values using the following PUT operation:

    PUT https://api.pingone.com/v1/environments/{{envId}}/signOnPolicies/{{policyId}}/actions/{{mfaActionId}}
    {
        "priority": 1,
        "type": "MULTI_FACTOR_AUTHENTICATION",
        "sms": {
            "enabled": true
        },
        "email": {
            "enabled": true
        },
        "applications": [
            {
                "id": "{{nativeAppId}}",
                "autoEnrollment": {
                    "enabled": true,
                    "noDevicesMode": "BYPASS"
                },
                "deviceAuthorization": {
                    "enabled": true,
                    "extraVerification": "permissive"
                }
            }
        ]
    }

    If the user has no usable devices, you can configure noDevicesMode as BYPASS or BLOCK. For this configuration to take effect, you must provide a signed login_hint_token.

    For details, see POST: CREATE Sign-On Policy Action (MFA) in the API reference.

    PingOne MFA provides two sample applications for you to quickly get started:

    • Developer sample app:

      This application is a showcase app, aimed at developers who want to explore the PingOne Mobile SDK. It implements all the flows that are available using the PingOne Mobile SDK.

    • Authenticator sample app:

      The authenticator sample app is a mobile app that has the sole function of performing strong authentication. This application is a "white label" authenticator app, aimed at organizations that want to easily publish an authenticator app on the application stores. Its UI and UX are polished for end users as-is, providing the ability to customize colors, icons, and other appearance attributes. All that’s required is compilation with branding and credentials, and uploading it to the app store.

    As a quick-start, you can clone the apps from their GitHub locations and follow the instructions in the README files.

To build the apps, you’ll need Android Studio or Xcode (iOS).
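For the PUT operation in the API steps above, the following added example (not part of the PingOne documentation or SDK) reviews an MFA action body before it is submitted and builds the request without sending it. The function names, the placeholder identifiers, and the bearer-token Authorization header are assumptions made for illustration.

```python
import json
import urllib.request

API_BASE = "https://api.pingone.com/v1"  # base URL from the PUT operation on this page
NO_DEVICES_MODES = {"BYPASS", "BLOCK"}   # the two values this page names


def review_mfa_action(action):
    """Return (severity, message) findings for an MFA sign-on policy action body."""
    findings = []
    if action.get("type") != "MULTI_FACTOR_AUTHENTICATION":
        findings.append(("error", "type is not MULTI_FACTOR_AUTHENTICATION"))
    for app in action.get("applications", []):
        app_id = app.get("id", "<missing id>")
        enroll = app.get("autoEnrollment", {})
        mode = enroll.get("noDevicesMode")
        if enroll.get("enabled") and mode not in NO_DEVICES_MODES:
            findings.append(("error", f"{app_id}: noDevicesMode {mode!r} is not BYPASS or BLOCK"))
        elif enroll.get("enabled") and mode == "BYPASS":
            findings.append(("review", f"{app_id}: users with no usable devices bypass the MFA step"))
        dev = app.get("deviceAuthorization", {})
        if dev.get("enabled"):
            findings.append(("review", f"{app_id}: device authorization is on (extraVerification="
                             f"{dev.get('extraVerification')!r}); trusted devices get no active MFA prompt"))
    return findings


def build_put_request(env_id, policy_id, action_id, action, access_token):
    """Build (but do not send) the PUT request; refuse bodies that have error findings."""
    errors = [msg for severity, msg in review_mfa_action(action) if severity == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    url = f"{API_BASE}/environments/{env_id}/signOnPolicies/{policy_id}/actions/{action_id}"
    return urllib.request.Request(
        url, data=json.dumps(action).encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"})  # assumed auth scheme


# Constructed sample: the body shown on this page, with a placeholder application ID.
SAMPLE_ACTION = {
    "priority": 1, "type": "MULTI_FACTOR_AUTHENTICATION",
    "sms": {"enabled": True}, "email": {"enabled": True},
    "applications": [{
        "id": "NATIVE-APP-ID-PLACEHOLDER",
        "autoEnrollment": {"enabled": True, "noDevicesMode": "BYPASS"},
        "deviceAuthorization": {"enabled": True, "extraVerification": "permissive"},
    }],
}
```

Run against the sample body, the review returns two "review" findings, one for BYPASS and one for device authorization, which are the two settings on this page that let a sign-on proceed without an interactive MFA prompt.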

Next steps