The following figure illustrates an enrollment scenario. This flow is triggered any time a user attempts to authenticate with an unpaired device and automatic pairing is enabled in PingOne.

The PingOne MFA device pairing flow including the PingOne MFA IdP Adapter


  1. The user is identified on the customer's mobile app, usually with a unique user identifier, for example, a username. The app requests a mobile payload from the PingOne Mobile SDK.
  2. The PingOne Mobile SDK returns a mobile payload to the app.
  3. The apps sends an authentication request to PingFederate and provides the mobile payload.

    The PingFederate authentication policy stores the mobile payload as a tracked HTTP parameter.

  4. If the user has SMS, email, or another device paired, the PingOne policy is triggered. Typically, the user authenticates with the existing device and the PingOne MFA IdP Adapter responds with an ID token.

    If the user does not have an existing device available, a PingOne setting determines whether the user is blocked or if MFA is bypassed. If MFA is bypassed, the automatic pairing flow continues.

  5. The app passes the ID token to the PingOne Mobile SDK.
  6. The PingOne Mobile SDK returns a pairing object to the app that allows it pair or ignore the device.
  7. The app prompts the user to pair the device.
  8. The user accepts or rejects the device pairing action.
  9. Based on the user's choice, the app notifies the PingOne Mobile SDK.
  10. The PingOne Mobile SDK completes the transaction accordingly by communicating directly with PingOne.