Use basic Velocity template variables in the PingOne MFA templates
Made basic variables that are available in most PingFederate HTML templates available in the PingOne MFA templates.
Pair and authenticate a test device
Added the ability to pair a test device when adding a multi-factor authentication method and authenticating with it. A test device causes an OTP to be returned directly in the OTP_REQUIRED response.
Test devices are supported only when initiating an OpenID Connect (OIDC) flow in the authentication API.
To pair and authenticate with a test device, you must:
- Add the pi.testDevice parameter to the OIDC request with a value of allow.
- Sign the request object with your OIDC client credentials.
- When submitting the device target in the authentication API request, add the testMode field to the request with a value of true.
Note: This applies to the following action models: submitEmailTarget, submitSmsTarget, or submitVoiceTarget. Learn more in Models, objects, and error codes.
Use dynamic linking to give a unique identifier to a FIDO device registration event
Added the ability to use a custom challenge when authenticating with FIDO (WebAuthn) devices. This enables you to attach meaningful information to the authentication of a FIDO device.
To provide a custom challenge for FIDO authentication, you must:
- Add the pi.webAuthn.challenge parameter to the OIDC request with the custom challenge as the value.
- Sign the request object with your OIDC client credentials.
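The following added example (not code from the integration kit or its documentation) shows why both pi.testDevice and pi.webAuthn.challenge travel inside a signed request object: a payload edited without the client credentials fails verification. It assumes the client signs with HS256 using its client secret and that both parameters are top-level claims; transaction_challenge, with_claims and all sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_request_object(claims: dict, secret: bytes) -> str:
    """Serialize the claims as a compact JWS (assumed alg: HS256)."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(_mac(signing_input, secret))

def verify_request_object(token: str, secret: bytes) -> dict:
    """Return the claims only if the header pins HS256 and the MAC matches."""
    header, claims, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(f"{header}.{claims}", secret), b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(claims))

def transaction_challenge(transaction: dict) -> str:
    """Hypothetical derivation: hash canonical transaction data into a challenge."""
    canonical = json.dumps(transaction, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def with_claims(token: str, extra: dict) -> str:
    """Rewrite the payload but keep the old signature (no access to the secret)."""
    header, claims, sig = token.split(".")
    body = {**json.loads(b64url_decode(claims)), **extra}
    return ".".join((header, b64url(json.dumps(body, separators=(",", ":")).encode()), sig))

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-client-secret"
BASE = {"client_id": "example-client", "response_type": "code", "scope": "openid"}
TEST_REQUEST = sign_request_object({**BASE, "pi.testDevice": "allow"}, SECRET)
FIDO_REQUEST = sign_request_object(
    {**BASE, "pi.webAuthn.challenge": transaction_challenge(
        {"amount": "25.00", "currency": "EUR", "payee": "example-payee"})}, SECRET)
UNSIGNED_EDIT = with_claims(sign_request_object(BASE, SECRET), {"pi.testDevice": "allow"})
```
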
Rename device during pairing
Added the ability to give a device a unique nickname during device pairing:
- To configure this setting, select the Allow users to edit nickname during device pairing checkbox when configuring an adapter instance. Learn more in the PingOne MFA IdP Adapter settings reference.
- After you configure the ability to rename devices, users will be presented with a new screen before authentication ends. The user can either enter a nickname and click Done to complete the process, or click Skip if they do not want to give the device a nickname.
- If you are using the authentication API, a new state and two new actions are available. Learn more in Models, objects, and error codes.
View remaining OTP attempts in HTML templates and authentication API responses
Added the ability to view the number of one-time passcode (OTP) attempts remaining after entering an invalid OTP.
- In authentication API responses, the attemptsRemaining field displays this information.
- In HTML templates that require an OTP, the following error message appears:
This passcode is invalid or has expired. You have <number_of_attempts> attempts remaining.
Bypass MFA for device management operations
Added the ability to bypass MFA when performing device management operations. Use this attribute with caution if you have only one adapter in the authentication policy: in that case it bypasses MFA in the authentication flow entirely, which can lead to a security breach.
Additionally, the Bypass MFA For Device Pairing Attribute field is now the Bypass MFA For Device Management Attribute field.
Learn more in the PingOne MFA IdP Adapter settings reference.
Overwrite only specific authentication methods
Added the ability to overwrite only the devices that share a device type with a newly provided device if the adapter identifies new values for SMS, voice or email devices via Update Authentication Methods.
Additionally, the Overwrite Authentication Methods checkbox is now the Overwrite Authentication Methods Configurations list.
There are three Overwrite Authentication Methods Configurations settings:
- None (default)
- All (SMS, Voice, and Email)
- Specific Methods
Learn more in the PingOne MFA IdP Adapter settings reference.
Fixed default method persistence
Fixed an issue that caused Overwrite Authentication Methods (now Overwrite Authentication Methods Configurations) to change the default device designation. This was applicable when a new device of the same type as the default device was provided, and the default device was overwritten.
Fixed empty device nickname issue
Fixed an issue that caused devices to save with an empty nickname instead of reverting to the default device name. This was applicable in configurations where Allow Users to Manage Authentication Methods was selected, if a user clicked Edit Name but cleared the field.
Fixed an issue with FIDO usernameless authentication flow ignoring the PingOne authentication policy
Fixed an issue that caused the adapter to always use the default multi-factor authentication (MFA) policy in FIDO usernameless authentication flow instead of the PingOne MFA policy configured in the PingOne Authentication Policy field.
Fixed device registration limit issue with MFA bypass in the authentication API
Fixed an issue that caused users who had already exceeded the device registration limit to proceed several steps into device registration flow before the flow failed instead of presenting the MAXIMUM_ALLOWED_METHODS_LIMIT error message at the beginning of the flow. This issue was relevant to configurations that had the Bypass MFA for Device Pairing Attribute checkbox (now Bypass MFA For Device Management Attribute) selected.