PingOne

Managing authentication methods

From your PingOne user profile you can add, rename, or delete one or more authentication methods. You can also define your default authentication method.

Before you begin

To enable users with more than one authentication method to define a default multi-factor authentication (MFA) method, you must enable the User-selected default option. See Configuring MFA settings.

A user might not be able to use their default device for various reasons, such as:

  • If a user tries to authenticate from a mobile device and device authorization is allowed, then the device authorization occurs.

  • If a user has a FIDO device with an active session, this device is used to authenticate the user even if the user changes their default device.

  • If policy rules disallow the default device.

About this task

You can add different devices, such as a security key or phone biometrics for authentication. You can also add multiple authentication methods that use the same physical device. For example, you could set up MFA using SMS, voice, FIDO2 biometrics, and an authenticator app on a single mobile device. The devices available are defined by your organization.

You should add at least two MFA methods. The methods listed are defined by your administrator, and might vary between environments.

Steps

  1. Go to your profile, click the My Profile tab, and then click the Authentication tab.

  2. Click Add Method.

    Result:

    The Select Method window opens, listing the methods available for you to add. The options available are defined by your organization.

    Select method window showing a list of available authentication methods.

  3. Select the authentication method you want to add and follow the instructions to pair that authentication method:

    • PingID mobile app: Download and open PingID mobile app and then scan the QR code. Accept all permissions and authenticate to complete the pairing process.

    • Authenticator app: Use a third-party authenticator application, such as Google Authenticator. Open the authenticator application and scan the QR code or enter the passcode. Click Next. Enter the passcode from the authenticator application to complete pairing.

    • PingID desktop app: Download and install PingID desktop app. Open the app and enter the pairing key that’s displayed in MyAccount to complete pairing.

    • Text message: Use a text message (SMS) with a one-time passcode (OTP) to authenticate. Enter the phone number and click Next. Enter the OTP you received to complete pairing.

    • Voice: Receive a voice call with an OTP to authenticate. Enter the phone number and click Next. Enter the OTP you received to complete pairing.

    • Email: Use an email message with an OTP to authenticate. Enter an email address and click Next. Enter the OTP you received to complete pairing.

    • FIDO2 biometrics: Use FIDO2 biometrics on compatible devices to authenticate. On your device, sign on or enter your password to complete pairing.

    • Passkeys: Select your account and click Continue, or click Save another way and follow the prompts to choose where you want to save your passkey.

    • YubiKey: Insert the Yubikey, tap it, and then click Verify.

    • Hardware Token: Enter the serial number of the hardware token, as it appears on the back of your token and follow the steps to authenticate and complete pairing.

      Result:

      The authentication method is listed on the Authentication tab in the Your Authentication Methods section. Repeat this step to add another authentication method, if required.

    Authentication tab showing a list of the authentication methods paired with a user’s account.

  4. After adding an authentication method, you can optionally do the following:

    Option Description

    Set a default authentication method

    If you added more than one MFA method, to define your default method, click the hamburger menu next to the relevant MFA method and then click Set As Default.

    The authentication methods available depend on your company policy, and other factors, such as the browser you’re using, so your default authentication method might not always be available for authentication.

    Rename an authentication method

    Click the hamburger menu next to the authentication method you want to set as default, and then click Edit Name. Enter a meaningful name for the authentication method, and select the checkmark. Names of up to 100 characters are supported.

    Remove an authentication method

    Click the hamburger menu next to the authentication method you want to remove, and then click Remove.

    Ensure that you leave at least one authentication method. If you remove all authentication methods, you might lock yourself out of the application.