To prompt a user to set up their first MFA device:

  1. When Configuring an adapter instance:
    1. Select the Prompt Users to Set Up MFA check box.
    2. If you want to make MFA optional, select the Allow Users to Skip MFA Setup check box.

      This lets the user sign on without adding an authentication method.

  2. When Creating an MFA authentication policy in PingOne, in the None Or Incompatible Methods section, select a default behavior for cases where the user does not have a valid authentication method set up:
    • Block: If the user doesn't have a valid authentication method set up, MFA fails.
    • Bypass: If the user doesn't have a valid authentication method set up, they continue to the next step as if they completed MFA successfully.
    A screen capture which shows the PingOne authentication policy.

After a user completes first-factor authentication, the adapter gets a list of the user's second-factor authentication methods from PingOne. For users that don't have any existing authentication methods, the MFA setup prompt appears.

A screenshot that shows the MFA setup prompt with the Skip option enabled.

The user can click Setup, then select the type of authentication method they want to add. You can include an optional Skip button if you don't want to force users to set up MFA.

To use the MFA setup prompt in an authentication policy, make sure to add the P1 MFA IdP adapter to your authentication policy and configure an MFA step.