Tip:

The PingOne MFA IdP Adapter can add and remove authentication methods and set a default method, but it cannot update a method's nickname.

If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.

Automatic authentication method provisioning

The PingOne MFA IdP Adapter supports automatic pairing for SMS, voice, and email authentication methods, which use one-time passcodes (OTPs). The adapter creates the user and associated authentication methods from attributes in the PingFederate authentication policy.

For details, see Enabling user and authentication method provisioning.

Prompting users to set up their first authentication method

The PingOne MFA IdP Adapter allows you to prompt users to set up their first multi-factor authentication (MFA) method.

For details, see Enabling the MFA setup prompt.

Allowing users to manage authentication methods

When the Allow Users To Manage Additional Authentication Methods check box is selected in the PingOne MFA IdP Adapter configuration, users can add or remove a new authentication method when they sign on.

Note:

This option is only available to users who authenticate with an existing authentication method.

Users can pair any PingOne authentication method, including:
  • Authenticator apps, such as Google Authenticator
  • SMS message
  • Voice call
  • Email
  • Mobile app built with the PingOne SDK
  • FIDO2 biometrics
  • Security key

They can also remove any of these authentication methods.

Alternately, users can manage their authentication methods directly through the PingOne MFA self-service URL. For details, see Signing in to self-service and Managing authentication methods in the PingOne MFA documentation.

Default authentication methods

On the authentication method selection page, users can set a default authentication method.


Screen capture showing the

When a default method is set, the PingOne MFA IdP Adapter skips the selection screen. Users can select a different authentication method if they don't want to continue with the default.

This capability is available when the User-selected default option is turned on in PingOne. For details and limitations, see the Setting the default authentication method section of Managing authentication methods in the PingOne documentation.

Device integrity checks

When you create a Native application in Creating an OIDC application in PingOne, you have the option to turn on a device integrity check. This check identifies jailbroken iOS devices and rooted Android devices. When the check is enabled, users can't pair or authenticate with compromised devices.

When a user authenticates through the PingOne MFA IdP Adapter, PingOne reports whether the device passed the integrity check.

When a device fails, one of the following happens:
  • If you're using the PingFederate authentication API, your application receives an MFA_FAILED status with the code DEVICE_INTEGRITY_FAILED.
  • If you're using the PingFederate web interface, the PingOne MFA IdP Adapter shows an error page to the user.
    Screen capture showing the error message that results from a failed device integrity check .

You don't need to change anything in the PingOne MFA IdP Adapter configuration to support device integrity checks. Just turn them on in your PingOne Native application settings.