PingOne MFA provides two attributes that can be useful in your PingFederate authentication policy.
pingone.mfa.status attribute
| Value | Description |
|---|---|
com.pingidentity.pingone.web_login_no_devices |
Set when MFA is bypassed for any reason, such as when a user without any trusted devices signs on from the web and the system is configured to bypass authentication for users without a trusted device. |
com.pingidentity.pingone.web_login_sms |
This status is returned on successful SMS authentication from a web sign on flow. |
com.pingidentity.pingone.web_login_email |
This status is returned on successful email authentication from a web sign on flow. |
com.pingidentity.pingone.web_login_mobile |
This status is returned on successful SDK mobile app authentication from a web sign on flow. |
com.pingidentity.pingone.web_login_fido |
This status is returned on successful biometric/security key authentication from a web sign on flow. |
com.pingidentity.pingone.web_login_otp |
This status is returned on successful third-party "timed one-time passcode" (TOTP) authenticator authentication from a web sign on flow. |
com.pingidentity.pingone.mobile_login_sms |
This status is returned on successful SMS authentication when the user signs on from an untrusted mobile device. |
com.pingidentity.pingone.mobile_login_email |
This status is returned when a user signs on with an untrusted mobile device and is authenticated using their trusted email device. |
com.pingidentity.pingone.mobile_login_mobile |
This status is returned on successful mobile authentication when the user signs on from an untrusted mobile device. |
com.pingidentity.pingone.mobile_login_otp |
This status is returned when a user signs on with an untrusted mobile device and is authenticated using their trusted third-party OTP authenticator. |
com.pingidentity.pingone.mobile_login_fido |
This status is returned on successful biometric/security key authentication when the user signs on from an untrusted mobile device. |
com.pingidentity.pingone.MFA_bypassed_during_errors |
A user signs on when the system is configured to bypass authentication if there are network problems or PingOne is unreachable. |
com.pingidentity.pingone.device_paired |
Set when the end-to-end pairing process is completed. That is, the ID token from PingOne has been consumed by the PingOne mobile SDK and the user approved the pairing. |
com.pingidentity.pingone.device_not_paired |
Set when the device is paired through the front channel. The device is reported as not paired because the ID token is returned as part of the attribute contract and cannot be passed to the PingOne mobile SDK until after authentication. Also set as part of the API flow when the device was not paired. That is, the user was denied. |
com.pingidentity.pingone.pairing_error |
Set when there is an error during the pairing flow. |
com.pingidentity.pingone.mfa_bypassed_skip_mfa |
A user with no authentication methods was prompted to set up MFA, but they clicked Skip. |
pingone.mfa.status.reason attribute
pingone.mfa.status attribute is device_paired, this
attribute describes the paired device.| Value | Description |
|---|---|
mobile_login_sms |
The user is using SMS to authenticate. |
mobile_login_email |
The user is using email to authenticate. |
mobile_login_mobile |
The user is using the mobile app to authenticate. |
mobile_login_otp |
The user is using a third-party OTP authenticator to authenticate. |
mobile_login_fido |
The user is using a biometric/security key authenticator to authenticate. |
pingid.sdk.status and pingid.sdk.status.reason
have been added to support PingID SDK adapter migration scenario. For more
information, see PingID SDK adapter core contract attributes.