Create an MFA authentication policy in PingOne MFA to handle Client Initiated Backchannel Authentication (CIBA) authentication requests.
If you already completed the steps in Creating an MFA authentication policy in PingOne, you can skip the steps below and use the same policy for CIBA authentication requests if the policy contains a Mobile Application in the Allowed Authentication Method section. PingOne ignores other authentication methods for CIBA requests.
To create a PingOne authentication policy that you can use for CIBA authentication requests:
- In the PingOne MFA console, go to and click + Add Policy.
Enter a unique policy name and note it.
You will use this name in Configuring a CIBA authenticator instance.
- In the Step Type list, select Multi-factor Authentication.
In the MFA Policy list, select an MFA policy that has a
Mobile Application configured in the
Allowed Authentication Methods section.
To configure settings for the mobile application attached to the MFA policy:
- Select the Native application that you created in Creating an OIDC application in PingOne.
- Leave the Auto Enrollment and Device Authorization check boxes cleared.
In the None Or Incompatible Methods section, select a
default behavior for cases where the user does not have a valid authentication
method set up:
- Block: If the user doesn't have a valid authentication method set up, MFA fails.
- Bypass: If the user doesn't have a valid authentication method set up, they continue to the next step as if they completed MFA successfully.
In the Required When section, configure authentication
The None Or Incompatible Methods and Required When sections have no effect on CIBA requests.
- Click Save.
Add the policy to your Native application:
- In the PingOne MFA console, go to and expand your application.
- On the Policies tab, click + Add Policies or click the Pencil icon, then select the check box for the policy that you created.
- Click Save.