---
title: Configuring an MFA policy for strong authentication
description: Configure the multi-factor authentication (MFA) policy. Here you can add and configure the relevant authentication methods. You can then add the MFA policy as a step to your authentication policy.
component: pingone
page_id: pingone:strong_authentication_mfa:p1_creating_an_mfa_policy_for_strong_auth
canonical_url: https://docs.pingidentity.com/pingone/strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html
revdate: March 30, 2026
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  result: Result:
  next-steps: Next steps
---

# Configuring an MFA policy for strong authentication

Configure the multi-factor authentication (MFA) policy. MFA is an electronic authentication method in which a user is granted access only after presenting two or more verification factors. In the policy you add and configure the relevant authentication methods. You can then add the MFA policy as a step to your authentication policy.

## Before you begin

* Optionally configure MFA general settings, including the maximum number of MFA methods allowed per user, authentication method selection, and account lockout settings. Learn more in [MFA Settings](../authentication/p1_mfa_settings.html).

* Workforce environments with legacy FIDO2 implementation: When creating a new MFA policy, legacy FIDO2 security key and FIDO2 biometrics authentication aren't supported. Learn about how to update your MFA policy to support FIDO2 authentication in [Updating an existing MFA policy to use FIDO2](p1_updating_an_mfa_policy_to_fido2.html).

* (Customer only) Configure an authentication policy with an MFA step. Learn more in [Authentication policies](../authentication/p1_authenticationpolicies.html).

  |   |                                                                                      |
  | - | ------------------------------------------------------------------------------------ |
  |   | In a Workforce environment, PingOne automatically creates the authentication policy. |

* Some authentication methods have configuration steps that you must complete in addition to configuring the MFA policy. Some of these additional configuration steps are compulsory (such as configuring an application for PingID mobile app or configuring a FIDO policy for FIDO2 authentication), and some are optional (such as configuring a notification template for SMS and voice authentication).

  Learn more about the configuration options, as well as any limitations or requirements for each authentication method, in [Configuring strong authentication methods (MFA)](p1_configuring_strong_authentication_start.html).

To create an MFA policy:

* Configure the relevant MFA policy settings for the authentication methods that you want to enable.

* If the authentication method requires additional configuration, make sure to complete the additional configuration steps, as outlined in this procedure.

## Steps

1. Go to **Authentication > MFA**.

2. On the **MFA Policies** page, click the **+** icon.

3. In the **Name** field, enter a meaningful name for the policy.

   The maximum length is 256 characters.

4. In the **Method Selection** list, select which authentication device is presented first to users with more than one paired device.

   ### Choose from:

   * **User selected default**: Allow the user to authenticate with the device they selected as their default device.

   * **Prompt user to select**: If more than one method is available, at the authentication prompt, the user must select which paired authentication device to use.

   * (Workforce only) **Always display devices**: Even if the user has only one permitted authentication method paired with their account, the user is prompted to select an authentication method.

     |   |                                                                                                                                                                                                                                                                                                                                                            |
     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | PingOne doesn't apply the **Method Selection** setting if you've enabled device authorization, and the user is accessing an application from a trusted mobile device. Similarly, PingOne doesn't apply the setting if the user tries to access the application with a browser they previously used for FIDO2 authentication. In such cases, FIDO2 is used. |

5. In the **Notification Policy** list, select the notification policy you want to apply to the MFA policy, or select **Use the default policy** to select the default notification policy defined for the environment. Learn more in [Notification Policies](../user_experience/p1_creating_a_notification_policy.html).

6. In the **Send notification when new device paired** list, select how to notify the user when a new device is added to their account. A pairing notification gives the user a chance to report a device that they didn't add themselves.

   ### Choose from:

   * **No notification**: The user isn't notified.

   * **By email, else SMS**: By email (or by SMS if no email address is available in the user profile).

   * **By SMS, else email**: By SMS (or by email if no phone number is available in the user profile).

7. To apply the MFA policy during authentication, even if the user account is locked, select the **Skip user lock verification** checkbox.

8. **Remember me**: This feature allows users who have authenticated successfully at least once to skip MFA on their next authentication for a specified time period.

   The workflow for this feature depends on your use case:

   * Customer use cases: you'll need to use the PingOne API to implement "remember me" functionality in your web applications. Learn more in [Remembered Devices](https://developer.pingidentity.com/pingone-api/mfa/users/remembered-devices.html).

   * Workforce use cases:

     * This feature is only available in environments that include the PingID service and requires PingID adapter 2.17 or later.

     * For the Singapore geography, use DaVinci to create this functionality.

     * When using PingID with PingOne for authentication and registration flows, enable the "remember me" option in the MFA policy and then reference the relevant MFA policy in your risk policy. For an example, see [Using predictors to recreate legacy PingID policy rules](../threat_protection_using_pingone_protect/p1_protect_recreating_legacy_pingid_rules.html).

   1. Under **Remember Me Configurations**, select **Web Session**.

   2. Set how long the system should remember a device after a user authenticates (minimum 1 hour, maximum 90 days).

9. Enable and configure the authentication methods you want to provide for your users:

   > **Collapse: (Customer only) Mobile applications**
   >
   > 1. Click **+ (Add Applications)**, select the name of the mobile application to use from those you have defined for the environment, and click **Save**. Learn more about creating an application in [Applications](../applications/p1_applications_menu.html).
   >
   >    1. Define the following fields for the application:
   >
   >       * **OTP & Push**: The mechanism to use to allow the user to authenticate.
   >
   >         Choose from:
   >
   >         * **Push**: Use only the standard push mechanism.
   >
   >         * **OTP**: Use only OTPs.
   >
   >         * **Push & OTP**: Use the standard push mechanism and allow OTP as a backup mechanism.
   >
   >       * **Push Notification Timeout**: The amount of time that a user has to respond to a push notification before it expires.
   >
   >       * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >       * **Device Integrity**: Define how authentication and registration attempts should proceed in the event that a device integrity check yields inconclusive results. Select **Permissive** if you want to allow the process to continue. Select **Restrictive** if you want to block the user in such situations.
   >
   >         |   |                                                                                                                                                                                |
   >         | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   >         |   | The **Permissive/Restrictive** buttons display only if you enable device integrity checking for the application on the **Mobile** tab of the **Applications** definition page. |
   >
   >       * **Number Matching**: Enable this option if you want the mobile push to require the user to match a number that they were shown when requesting access. To specify how matching is carried out, select one of the number matching options on the **Mobile** tab of the **[Application](../applications/p1_edit_application_native.html)** page for the relevant application.
   >
   >       * **Auto Enrollment**: Auto Enrollment means that the user can authenticate from an unpaired device, and the successful authentication results in the pairing of the device for MFA. To enable, select the checkbox.
   >
   >         |   |                                                                                                                                                                                                                                                                                                                              |
   >         | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >         |   | To allow automatic enrollment even if the user doesn't have any existing paired devices, go to the authentication policy that you created. In the MFA step, verify that **None or Incompatible Methods** is set to **Bypass**. Learn more in [Editing an authentication policy](../authentication/p1_edit_auth_policy.html). |
   >
   >       * **Device Authorization**: When enabled, the trusted device handles the authentication automatically without user involvement. This automatic mechanism is used only if the user is requesting access from the same device. To enable, select the checkbox.
   >
   >         Select the **Device Authorization** checkbox and then choose one of the following options for **Extra Verification**:
   >
   >         * **Disabled**: Don't use an extra verification step.
   >
   >         * **Permissive**: The system sends a push to the device for automatic handling. If the device doesn't receive the push, the system still grants access.
   >
   >         * **Restrictive**: The system sends a push to the device for automatic handling. If the device doesn't receive the push, the system doesn't grant access.
   >
   >       * **Pairing Key Lifetime**: Indicate how much time an issued pairing key can be used until it expires.
   >
   >       * **Limit Push Notifications**: Use this option to help prevent MFA fatigue attacks, in which an attacker who already holds the user's password triggers push notification after push notification until the user eventually accepts one. Define the number of consecutive push notifications a user can ignore or reject within a defined period before push notifications are blocked for the application:
   >
   >         * **Push Limit**: The number of notifications that a user can decline or ignore (1 - 50).
   >
   >         * **Time Period**: Time period during which the notifications are counted towards the limit (1 minute - 120 minutes).
   >
   >         * **Lock Duration**: Duration for which the device is blocked (2 - 30 minutes).

   > **Collapse: (Workforce only) PingID mobile app**
   >
   > |   |                                                                                                                                                                                                                                                                     |
   > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > |   | If you haven't already done so, configure the PingID mobile app. You can also do this after you finish configuring the MFA policy. Learn more in [(Workforce Only) Configuring the PingID mobile application settings](p1_configuring_pid_mobile_application.html). |
   >
   > 1. In the **Mobile Applications** section, configure the following fields:
   >
   >    * **Passcode Failure Limit**: The maximum number of times that a one-time passcode (OTP) entry can fail.
   >
   >    * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit** (2 - 30 minutes).
   >
   >    * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   > 2. Under **Add Applications**, **PingID mobile**, configure the following PingID mobile app-specific fields:
   >
   >    * **Authentication request timeout**: Define the amount of time given before an authentication request times out.
   >
   >      * **Device Timeout**: Defines the amount of time until the push notification reaches the device. The default is 25 seconds.
   >
   >      * **Total Timeout**: Defines the amount of time the user has to complete the authentication request. The default is 40 seconds.
   >
   >        **Total Timeout** must exceed **Device Timeout** by at least 15 seconds.
   >
   >    * **Pairing Key Lifetime**: Indicate how much time an issued pairing key and QR code can be used until they expire (minimum 1 minute, maximum 48 hours).
   >
   >    * **Allow Pairing**: Select the checkbox to allow users to pair the PingID mobile app. To allow pairing only from specific IP addresses, in the list, select **Only these addresses**, and then enter the IP addresses in the format shown in the field.
   >
   > 3. **Limit Push Notifications**: Use this option to help prevent MFA fatigue attacks, in which an attacker who already holds the user's password triggers push notification after push notification until the user eventually accepts one. Define the number of consecutive push notifications that a user can ignore or reject within a defined period before push notifications are blocked for the application:
   >
   >    1. **Push Limit**: Number of notifications a user can decline or ignore (1 - 50).
   >
   >    2. **Time Period**: Time period during which the push notifications are counted towards the push limit (minimum 1 minute, maximum 120 minutes).
   >
   >    3. **Lock Duration**: Duration for which the device is blocked from authenticating. (1 second - 120 minutes.)
   >
   >       |   |                                                                                                                                                                                             |
   >       | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >       |   | Limiting the number of push notifications that can be declined or ignored can reduce the likelihood of a user acknowledging a malicious push notification as part of an MFA fatigue attack. |
   >
   > 4. (Optional) Enable the following authentication options for users of PingID mobile app:
   >
   >    |   |                                                                                                                                                                                                                                                               |
   >    | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >    |   | Only the options that are enabled here are available as an Allowed Authentication Method in PingID policy. You can find more information about PingID policy in [Creating a risk policy for registration and authentication](p1_configuring_pid_policy.html). |
   >
   >    * **Push Notification**: Send push notifications to the user's device to notify them of an authentication request.
   >
   >    * **One-Time Passcode**: Allow the user to use a one-time passcode (OTP) to authenticate. The OTP can be used to authenticate even when offline.
   >
   >    * **Biometrics**: Allow the user to authenticate with their device biometrics, such as face or fingerprint authentication.
   >
   >    * **Number Matching**: Allow the user to authenticate by matching the number displayed on the user's accessing device with the corresponding number in PingID mobile app.
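
The **Limit Push Notifications** settings above (Push Limit, Time Period, Lock Duration), for both the Customer mobile-application and the PingID mobile-app cases, describe a rate limiter over consecutive refused pushes. The following Python model is an added example written for this page, not PingOne or PingID code: it assumes that an approval resets the run of refusals, that ignored (timed-out) and rejected pushes count alike, and it validates the value ranges documented for the Customer mobile-application settings (the PingID ranges differ). The event list is constructed test data.

```python
from collections import deque


class PushLimiter:
    """Hypothetical model of the Limit Push Notifications settings (Push Limit,
    Time Period, Lock Duration); not PingOne's implementation. Times are Unix seconds."""

    def __init__(self, push_limit: int = 5, period_minutes: int = 10, lock_minutes: int = 5) -> None:
        # Ranges as documented for the Customer mobile-application settings.
        if not 1 <= push_limit <= 50:
            raise ValueError("Push Limit must be 1-50")
        if not 1 <= period_minutes <= 120:
            raise ValueError("Time Period must be 1-120 minutes")
        if not 2 <= lock_minutes <= 30:
            raise ValueError("Lock Duration must be 2-30 minutes")
        self.push_limit = push_limit
        self.period_seconds = period_minutes * 60
        self.lock_seconds = lock_minutes * 60
        self.unanswered = deque()  # times of consecutive ignored or rejected pushes
        self.blocked_until = 0.0

    def can_send(self, now: float) -> bool:
        """False while pushes for this application are blocked."""
        return now >= self.blocked_until

    def record(self, now: float, outcome: str) -> str:
        """Record the user's response to a push sent at `now`:
        'approved', 'denied' or 'ignored' (timed out). Returns 'ok' or 'blocked'."""
        if outcome == "approved":
            self.unanswered.clear()  # an approval ends the run of consecutive refusals
            return "ok"
        if outcome not in ("denied", "ignored"):
            raise ValueError(outcome)
        self.unanswered.append(now)
        cutoff = now - self.period_seconds
        while self.unanswered and self.unanswered[0] < cutoff:
            self.unanswered.popleft()  # only refusals inside the Time Period count
        if len(self.unanswered) >= self.push_limit:
            # Push Limit reached: block pushes for Lock Duration.
            self.unanswered.clear()
            self.blocked_until = now + self.lock_seconds
            return "blocked"
        return "ok"


def simulate(limiter: PushLimiter, events: list) -> list:
    """Feed (time, outcome) push requests through the limiter; returns one result
    per request: 'ok', 'blocked' (limit just reached) or 'suppressed'
    (no push sent because the block is still in force)."""
    results = []
    for t, outcome in events:
        if not limiter.can_send(t):
            results.append("suppressed")
            continue
        results.append(limiter.record(t, outcome))
    return results


# Constructed scenario: an attacker with a stolen password requests a push every
# 20 seconds and the user keeps refusing; one more attempt lands during the lock,
# and a final one after the lock has expired.
FATIGUE_EVENTS = [
    (0, "denied"), (20, "denied"), (40, "ignored"), (60, "denied"), (80, "denied"),
    (100, "denied"),  # inside the 5-minute lock
    (380, "denied"),  # lock expired at 80 + 300 s
]


def demo() -> list:
    return simulate(PushLimiter(push_limit=5, period_minutes=10, lock_minutes=5), FATIGUE_EVENTS)


if __name__ == "__main__":
    print(demo())
```

The fifth refusal within the 10-minute window trips the block, the request at 100 s never reaches the device, and pushes resume at 380 s. The sliding window matters: refusals older than the Time Period drop out before the limit is checked, so a user who occasionally misses a legitimate push is not locked out by stale history.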

   > **Collapse: Authenticator app**
   >
   > * In the **Allowed Authentication Methods** section, select the **Authenticator App** checkbox and then configure the following fields:
   >
   >   * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >     |   |                                                                                                                                                                                                                               |
   >     | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | In authentication flows that implement one-time authentication with the PingOne MFA API, users aren't blocked after exceeding the configured passcode failure limit, even if you specify a blocking period in the MFA policy. |
   >
   >   * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit** (2 - 30 minutes).
   >
   >   * **Passcode Grace Period**: Authenticator app passcodes are valid for 30 seconds (the refresh duration). To cover time synchronization issues between the device and the server, there is a default grace period of 5 times the refresh duration in each direction. Taking the grace period into account, a passcode is accepted for its own 30 seconds plus 5 x 30 = 150 seconds before its time of issue and 150 seconds past its expiration time, a total acceptance window of 330 seconds. Use **Passcode Grace Period** to shorten or lengthen this period. Each window represents 30 seconds in both directions. A longer grace period also lengthens the time during which an intercepted passcode remains usable, so keep it as short as your users' clock drift allows.
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   >   * **Show application name**: To help users recognize which application the OTP displayed in their authenticator app is for, select this option and provide the text to display alongside the OTP. If you're using the same MFA policy for multiple applications, use a name that reflects the group of applications.
   >
   >     |   |                                                                                                                                                                                                                              |
   >     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | If you provide an application name, remember that the name is set for each user when they pair their device. If you update the name later, the new name is displayed only to users who paired their device after the update. |
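
To make the **Passcode Grace Period**, **Passcode Failure Limit** and **Lock Duration** settings concrete, here is an added Python example written for this page, not PingOne code: an RFC 6238 TOTP generator and a verifier that accepts the current 30-second step plus a configurable number of steps on either side, counts failed entries, and locks the method for a lock duration once the limit is reached. The secret and timestamps are the RFC 6238 Appendix B test vectors, used here as constructed test data; the replay check on already-used steps is the RFC's recommendation and an assumption about the policy, not something this page documents.

```python
import hashlib
import hmac
import struct

# Refresh duration of an authenticator-app passcode, as described in the policy settings.
STEP_SECONDS = 30

# Test secret from RFC 6238, Appendix B (constructed test data, not a real key).
RFC6238_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 passcode for one 30-second time step (HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validity_span_seconds(grace_windows: int) -> int:
    """Total time during which a passcode is accepted: its own 30 s plus
    grace_windows steps before and after it (5 windows -> 330 s)."""
    return STEP_SECONDS * (2 * grace_windows + 1)


class TotpVerifier:
    """Hypothetical model of the Authenticator App settings (Passcode Grace Period,
    Passcode Failure Limit, Lock Duration); not PingOne's implementation."""

    def __init__(self, secret: bytes, grace_windows: int = 5, failure_limit: int = 3,
                 lock_minutes: int = 2, digits: int = 6) -> None:
        self.secret = secret
        self.grace_windows = grace_windows
        self.failure_limit = failure_limit
        self.lock_seconds = lock_minutes * 60
        self.digits = digits
        self.failures = 0
        self.locked_until = 0.0
        self.last_counter = None  # highest time step already used; blocks replay of a seen code

    def verify(self, code: str, now: float) -> str:
        """Returns 'ok', 'invalid' or 'locked' for a code submitted at Unix time `now`."""
        if now < self.locked_until:
            return "locked"
        current = int(now // STEP_SECONDS)
        # Accept the current step and grace_windows steps on either side of it.
        for step in range(current - self.grace_windows, current + self.grace_windows + 1):
            if self.last_counter is not None and step <= self.last_counter:
                continue  # a code from this or an earlier step was already accepted
            if hmac.compare_digest(totp(self.secret, step, self.digits), code):
                self.failures = 0
                self.last_counter = step
                return "ok"
        self.failures += 1
        if self.failures >= self.failure_limit:
            # Passcode Failure Limit reached: lock the method for Lock Duration.
            self.failures = 0
            self.locked_until = now + self.lock_seconds
            return "locked"
        return "invalid"


def demo() -> list:
    """Walks through grace-window acceptance, replay, lockout and recovery;
    returns the verifier's verdicts in order. Timestamps are constructed."""
    secret = RFC6238_TEST_SECRET
    v = TotpVerifier(secret, grace_windows=5, failure_limit=3, lock_minutes=2, digits=8)
    now = 1111111109  # RFC 6238 test time; time step 37037036
    step = int(now // STEP_SECONDS)
    return [
        v.verify(totp(secret, step - 5, 8), now),        # 150 s old: inside the 5-window grace
        v.verify(totp(secret, step - 5, 8), now),        # same code again: replay refused
        v.verify(totp(secret, step - 6, 8), now),        # 180 s old: outside the grace period
        v.verify("00000000", now),                       # third failure trips the lock
        v.verify(totp(secret, step, 8), now + 60),       # valid code, but the method is locked
        v.verify(totp(secret, step + 5, 8), now + 120),  # lock expired; 150 s ahead accepted
    ]


if __name__ == "__main__":
    print(demo())
```

With the default of 5 windows, a code minted 150 seconds ago is still accepted and one minted 180 seconds ago is not; reducing the grace period to 1 window shrinks the acceptance span from 330 to 90 seconds, which is the trade-off between tolerating clock drift and limiting how long a phished code stays valid.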

   > **Collapse: (Workforce only) YubiKey**
   >
   > * In the **Allowed Authentication Methods** section, select the **YubiKey** checkbox and then configure the following fields:
   >
   >   * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >     |   |                                                                                                                                                                                                                               |
   >     | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | In authentication flows that implement one-time authentication with the PingOne MFA API, users aren't blocked after exceeding the configured passcode failure limit, even if you specify a blocking period in the MFA policy. |
   >
   >   * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit** (2 - 30 minutes).
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.

   > **Collapse: Email**
   >
   > * In the **Allowed Authentication Methods** section, select the **Email** checkbox, and then configure the following fields:
   >
   >   * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >     |   |                                                                                                                                                                                                                               |
   >     | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | In authentication flows that implement one-time authentication with the PingOne MFA API, users aren't blocked after exceeding the configured passcode failure limit, even if you specify a blocking period in the MFA policy. |
   >
   >   * **Lock Duration**: PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit**. Accepted values range from 0 seconds to 30 minutes.
   >
   >   * **Passcode Lifetime**: The amount of time the passcode is valid before it expires (maximum 30 minutes).
   >
   >     |   |                                                               |
   >     | - | ------------------------------------------------------------- |
   >     |   | An OTP is valid for 30 minutes by default (refresh duration). |
   >
   >   * **Passcode Length**: Configure the length of the OTP (6 - 10 digits). The default is 6.
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   >     The following options are only available in Workforce environments:
   >
   >     - To prepopulate or restrict user registration with user directory data, follow the instructions in [Pre-populating or restricting user registration data](p1-strong-auth-pre-populate-or-restrict.html).
   >
   >     - To configure email authentication as a backup authentication method, follow the instructions in [Configuring backup authentication methods](https://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_backup_authentication_methods.html).

   > **Collapse: SMS and voice**
   >
   > 1. In the **Allowed Authentication Methods** section, select the checkbox for the relevant authentication method, and then configure the following fields for each method that you want to add:
   >
   >    * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >      |   |                                                                                                                                                                                                                               |
   >      | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >      |   | In authentication flows that implement one-time authentication with the PingOne MFA API, users aren't blocked after exceeding the configured passcode failure limit, even if you specify a blocking period in the MFA policy. |
   >
   >    * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit**. Accepted values range from 0 seconds to 30 minutes.
   >
   >    * **Passcode Lifetime**: The amount of time the passcode is valid before it expires (maximum 30 minutes).
   >
   >      |   |                                                               |
   >      | - | ------------------------------------------------------------- |
   >      |   | An OTP is valid for 30 minutes by default (refresh duration). |
   >
   >    * **Passcode Length**: Configure the length of the OTP (6 - 10 digits). The default is 6.
   >
   >    * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >    * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   > 2. Complete the remaining SMS and voice configuration, including creating notification templates, limiting the number of SMS or voice messages that a user can send, localizing messages, and creating a custom sender account. Learn more in [Configuring SMS and voice authentication](p1_strong_auth_sms_voice_authentication.html).

   > **Collapse: (Customer only) WhatsApp**
   >
   > * In the **Allowed Authentication Methods** section, select the **WhatsApp** checkbox, and then configure the following fields.
   >
   >   |   |                                                                                                                                                                                                                                              |
   >   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >   |   | You can only select the **WhatsApp** checkbox if you define your WhatsApp Business account as a sender in PingOne. Learn more in [Configuring a custom WhatsApp sender account](../settings/p1-using-a-custom-whatsapp-sender-account.html). |
   >
   >   * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >     |   |                                                                                                                                                                                                                                    |
   >     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | In authentication flows that implement one-time authentication with the PingOne MFA API, users are not blocked after exceeding the configured **Passcode Failure Limit**, even if you specify a blocking period in the MFA policy. |
   >
   >   * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit** (2 - 30 minutes).
   >
   >   * **Passcode Lifetime**: The amount of time the passcode is valid before it expires (maximum 30 minutes).
   >
   >   * **Passcode Length**: Configure the length of the OTP (6 - 10 digits). The default is 6.
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.

   > **Collapse:**
   >
   > |   |                                                                                                                                                                                               |
   > | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > |   | Two FIDO policies are available out-of-the-box. You can modify an existing policy or create additional FIDO policies. Learn more in [FIDO policies](../authentication/p1_fido_policies.html). |
   >
   > * In the **Allowed Authentication Methods** section, select the **FIDO2** checkbox, and then configure the following fields.
   >
   >   * **Failure Limit**: Define the maximum number of times that a FIDO attestation or assertion can fail.
   >
   >     |   |                                                                                         |
   >     | - | --------------------------------------------------------------------------------------- |
   >     |   | The failure limit counts only attestations and assertions that reach the PingID server. |
   >
   >   * **Lock Duration**: The amount of time that the authentication method is locked if the **Failure Limit** is exceeded. Accepted values range from 2 to 7 minutes. The default is 3 minutes.
   >
   >   * **FIDO Policy**: Select the FIDO policy that you want to apply, or select **Use the default policy** to use the default FIDO policy.
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   >     |   |                                                                                                                                                                                                                                                                                                                                        |
   >     | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >     |   | If you're editing an existing MFA policy that's using a deprecated FIDO Biometrics or Security Key authentication method, you'll need to replace it with the FIDO2 authentication method and reference an enhanced FIDO policy. Learn more in [Updating an existing MFA policy to use FIDO2](p1_updating_an_mfa_policy_to_fido2.html). |

   > **Collapse: (Workforce only)**
   >
   > * Select **PingID Desktop**, and then configure the relevant fields.
   >
   >   |   |                                                                                                                                                                                                             |
   >   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >   |   | To configure PingID desktop app, you must enable users to register and manage the PingID desktop app and other devices from [MyAccount](../user_experience/p1_using_myaccount_to_manage_wf_devices.html). |
   >
   >   * **Failure Limit**: Define the maximum number of times that a PingID desktop app attestation or assertion can fail (1 - 7). This limit applies specifically to server assertion failures rather than client-side authentication errors.
   >
   >   * **Lock Duration**: The amount of time this authentication method is locked if the **Failure Limit** is exceeded. Accepted values range from 0 seconds to 30 minutes.
   >
   >   * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >   * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   >   * **Relying Party Domain**: Select the unique identifier that represents the website or application requesting the user's authentication (update the default value, **pingone.com**, for the relevant geography).
   >
   >   * **Relying Party ID**: Select the relevant Relying Party ID (RPID).
   >
   > * You can find complete details of configuration requirements, including how to install the PingID desktop app in [(Workforce only) Configuring the PingID desktop application](p1_pid_desktop_app_start.html).

   > **Collapse: (Workforce only)**
   >
   > |   |                                                               |
   > | - | ------------------------------------------------------------- |
   > |   | PingID desktop app isn't available in the Singapore geography. |
   >
   > 1. Select **PingID desktop app (legacy)**, and then configure the following fields:
   >
   >    * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >    * **Lock Duration**: The amount of time this authentication method is locked if the **Passcode Failure Limit** is exceeded. Accepted values range from 0 seconds to 30 minutes.
   >
   >    * **Pairing Key Lifetime**: Indicates the amount of time the pairing key and QR code remain valid before they expire. (Minimum 1 minute, maximum 48 hours).
   >
   >    * **Allow Pairing**: Select the checkbox to allow users to pair **PingID desktop app (legacy)**. To only allow users from specific IP addresses to pair PingID mobile application, in the list, select **Only these addresses**, and then enter the IP addresses in the format shown in the field.
   >
   >    * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   > 2. After you complete and save the MFA policy, you can add a proxy and add a security PIN for PingID desktop app (legacy) in the **PingID desktop app (legacy)** application settings. Learn more in [PingID desktop app (legacy)](p1_pid_desktop_app_v1.html).
   >
   > |   |                                                                                                                                                                       |
   > | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > |   | Learn more about the difference between the different PingID desktop app versions in [PingID desktop app (workforce only)](p1_pid_desktop_app_version_overview.html). |

   > **Collapse:**
   >
   > 1. In the **Allowed Authentication Methods** section, select the **OATH Token** checkbox, and then configure the following fields:
   >
   >    * **Passcode Failure Limit**: The maximum number of times that an OTP entry can fail (1 - 7).
   >
   >    * **Lock Duration**: The amount of time PingOne locks the authentication method if the user exceeds the **Passcode Failure Limit** (0 seconds - 30 minutes).
   >
   >    * **Allow Pairing**: To prevent users from pairing their device with this authentication method, clear the checkbox.
   >
   >    * **Rename device during pairing**: Select the checkbox to allow users to define a device nickname during the pairing flow.
   >
   > 2. Click the **Configure OATH tokens** link. The OATH token configurations panel opens, showing a list of previously saved tokens. To add an OATH token, do the following:
   >
   >    1. Click **Import Token**.
   >
   >    2. In the **Import OATH Token** modal, click **Choose File**, and navigate to the token seed file. Learn more about the token seed format in [Configuring OATH token authentication](p1_pid_oath_tokens.html).
   >
   >    3. Select the **Token Type**.
   >
   >       |   |                                                                                |
   >       | - | ------------------------------------------------------------------------------ |
   >       |   | The token type and OTP length are applied to all entries in the imported file. |
   >
   >    4. If you selected a TOTP **Token Type**, select the **Algorithm** you want to use and the **Refresh Interval**.
   >
   >       |   |                                                                                     |
   >       | - | ----------------------------------------------------------------------------------- |
   >       |   | The algorithm and refresh interval are applied to all entries in the imported file. |
   >
   >    5. Click **Import**. The new tokens appear in the list.
   >
   >       |   |                                                                                                                                                                                     |
   >       | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   >       |   | You can find a list of prerequisites and supported OATH tokens in [Configuring OATH token authentication](p1_pid_oath_tokens.html).                                               |
   >       |   | Make sure your OATH seed token is valid and isn't already in use. If your seed file contains entries that duplicate an existing token, an `Incomplete Token Report` error displays. |
   >       |   | To revoke one or more OATH tokens, select the checkbox next to the tokens you want to revoke, and then click **Revoke**.                                                          |
   >       |   | To export token details to a downloadable .CSV file, select the checkbox next to the tokens you want to export, and then click **Export CSV**.                                    |

10. Click **Save**.

    ### Result:

    The policy is added to the **Policy** list.

    |   |                                                                                                                              |
    | - | ---------------------------------------------------------------------------------------------------------------------------- |
    |   | In the **Policy** list, click a policy to view a summary of the policy details in the right pane or edit an existing policy. |
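The following is an added example, not PingOne's code, showing how the policy fields configured in the steps above interact: the **Passcode Failure Limit** and **Lock Duration** lockout that guards each method (counting only failures that reach the server, as the FIDO2 and PingID desktop app notes describe), the **Passcode Lifetime** and **Passcode Length** of a delivered SMS, voice or WhatsApp OTP, and the **Algorithm**, **Refresh Interval** and OTP length that an OATH token import applies to every seed in the file. The class names, default values, seed values and the `duplicate_seeds` helper are constructed for illustration; the HOTP and TOTP functions follow RFC 4226 and RFC 6238.

```python
"""Added example (not PingOne's code): a small model of how the MFA policy
fields on this page interact. Class names, defaults and seed values are
constructed for illustration; the field names mirror the policy fields."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass
class PolicyLimits:
    """Policy fields as named on this page (durations in seconds)."""
    failure_limit: int = 3           # Passcode Failure Limit / Failure Limit (1 - 7)
    lock_duration_s: int = 120       # Lock Duration (2 minutes here)
    passcode_lifetime_s: int = 300   # Passcode Lifetime (5 minutes, max 30)
    passcode_length: int = 6         # Passcode Length (6 - 10 digits)


class LockoutCounter:
    """Counts failed verifications that reach the server and locks the
    method for lock_duration_s once failure_limit is hit. Client-side
    errors that never reach the server are not counted, matching the
    notes on the FIDO2 and PingID desktop app Failure Limit fields."""

    def __init__(self, limits: PolicyLimits):
        self.limits = limits
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.limits.failure_limit:
            self.locked_until = now + self.limits.lock_duration_s
            self.failures = 0  # the count restarts once the lock expires


class DeliveredOtp:
    """An OTP delivered out of band (SMS, voice, WhatsApp): random digits of
    Passcode Length, valid for Passcode Lifetime, guarded by the lockout."""

    def __init__(self, limits: PolicyLimits, now: float):
        self.code = "".join(secrets.choice("0123456789")
                            for _ in range(limits.passcode_length))
        self.expires_at = now + limits.passcode_lifetime_s
        self.counter = LockoutCounter(limits)

    def verify(self, entered: str, now: float) -> str:
        if self.counter.is_locked(now):
            return "locked"
        if now > self.expires_at:
            return "expired"
        ok = hmac.compare_digest(entered.encode(), self.code.encode())
        self.counter.record(ok, now)
        if ok:
            return "ok"
        return "locked" if self.counter.is_locked(now) else "invalid"


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step.
    `algorithm` and `period` correspond to the Algorithm and Refresh Interval
    chosen at import time and `digits` to the OTP length; all three apply to
    every token in the imported file, so one file must hold one kind of seed."""
    return hotp(seed, int(now) // period, digits, algorithm)


def duplicate_seeds(new_entries: dict, existing: dict) -> list:
    """Serial numbers whose serial or seed already exists (in the environment
    or earlier in the same file). Importing these is what triggers the
    Incomplete Token Report error. Dicts map serial -> hex seed (constructed)."""
    seen = set(existing.values())
    dupes = []
    for serial, seed in new_entries.items():
        if serial in existing or seed in seen:
            dupes.append(serial)
        seen.add(seed)
    return dupes
```

Running the seed through `totp` with the same algorithm, refresh interval and OTP length you intend to choose in the **Import OATH Token** modal, and comparing against the code the physical token displays, is a cheap pre-import check that the seed file and the import settings agree; `duplicate_seeds` run over the file before import avoids the partial-import report.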

## Next steps

* If you haven't already, add the MFA policy to the MFA step in the relevant authentication policy. Learn more in [Adding a multi-factor authentication or PingID step](../authentication/p1_add_mfa_step.html). This is done automatically for PingID.

* Optionally configure Notification Templates to inform users about device pairing and strong authentication events. Learn more in [Notification Templates](../user_experience/p1_notifications.html).
