Note:

If a new authentication method is added as a PingID capability and the All Methods check box is not selected in the Allowed Authentication Methods section, you must edit each policy and select the check box of the new authentication method manually to include it in a policy.

A description of the allowed authentication methods is shown in the following table.

Authentication methods allowed per policy
Allowed Authentication Method | Description

All Methods

Permit the use of all authentication methods currently configured for the organization.

When the All Methods check box is selected:

  • All available authentication methods are permitted at the policy level.
  • If additional authentication methods are added to PingID in the future, they are automatically applied to the policy.
  • Within a policy rule, all available authentication methods are listed in the rule Actions list.
  • Deprecated authentication actions appear and can be selected in the policy rule Actions list. See Deprecated authentication actions.

If the All Methods check box is not selected:

  • Only the specific authentication methods selected in the Allowed Authentication Methods list are available for the user to authenticate.
  • If additional authentication methods are added to PingID in the future, they are not applied to existing policies automatically. Existing policies must be edited individually and the new authentication method added manually in order to apply it to the policy.
  • Within a rule, only the selected authentication methods are listed in the authentication actions in addition to relevant default actions, such as Approve, Deny, and Authenticate.
  • Deprecated authentication actions are not available in the policy rule Actions list.

Authenticator app

Authentication using an authenticator app, such as Google Authenticator, is permitted.

Backup Authentication

Authentication using a backup authentication method is permitted. This option is useful if a user forgets their device, or it is lost or stolen.

The Forgot your device? link only appears if:

  • Either the Authenticate rule action, or a rule action that includes a mobile device authentication method such as Mobile App Biometrics, is configured.
  • At least one backup authentication method is defined. See Configuring backup authentication methods.

Desktop

Authentication by a desktop app is permitted.

Email

Authentication by email is permitted.

FIDO2 Biometrics

Authentication by a FIDO2 biometrics device is permitted for web-based policies only.

Mobile App Biometrics

Authentication by a supported biometrics device is permitted and applied according to the configuration defined in the Admin portal.

Number matching

Authentication by number matching is permitted.
  • Number matching has priority over Mobile App Biometrics and Swipe authentication methods.
  • If Mobile App Biometrics is set to Require in the Configuration tab, the user must authenticate successfully using biometrics and then authenticate using number matching.
  • Number matching is only supported by apps that are using web-based authentication.

OATH Token

Authentication using an OATH Token is permitted.

One-time passcode

Authentication using a one-time passcode (OTP) obtained using the PingID mobile app is permitted.

Important:

If this option is not selected, fallback to an OTP and direct passcode usage are not allowed, even if it is enabled on the Configuration page.

SMS

Authentication using an OTP obtained through SMS is permitted.

Security Key

Authentication using a security key is permitted for web-based policies only.

Swipe

Authentication using swipe is permitted.

Voice

Authentication using an OTP obtained through voice message is permitted.

YubiKey

Authentication using a YubiKey is permitted.
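
The policy-level rules in the table above can be checked mechanically when reviewing many policies. The following is an added example, not Ping Identity code: it audits a constructed policy model, and the dictionary layout, field names, and finding codes are hypothetical and do not correspond to a PingID export format or API.

```python
# Added example. The policy dicts and field names are hypothetical (constructed
# for illustration); they are not a PingID export format or API.
WEB_ONLY = {"FIDO2 Biometrics", "Security Key"}  # table: web-based policies only

def effective_methods(policy, org_methods):
    """Methods the policy permits out of those configured for the organization."""
    org = set(org_methods)
    # All Methods: everything configured is permitted, including future additions.
    eff = org if policy["all_methods"] else org & set(policy["allowed"])
    return eff if policy["web_based"] else eff - WEB_ONLY

def audit_policy(policy, org_methods, otp_fallback_enabled):
    """Return a sorted list of (code, detail) findings for one policy."""
    findings = []
    eff = effective_methods(policy, org_methods)
    if policy["all_methods"]:
        # Future methods are applied automatically and deprecated
        # authentication actions are selectable in rule Actions lists.
        findings.append(("ALL_METHODS", "new and deprecated actions are in scope"))
    else:
        # Methods configured for the organization but never added to this policy.
        missing = sorted(set(org_methods) - set(policy["allowed"]))
        if missing:
            findings.append(("NOT_APPLIED", ", ".join(missing)))
    if "One-time passcode" not in eff and otp_fallback_enabled:
        # The Configuration page setting does not override the allowed list.
        findings.append(("OTP_FALLBACK_BLOCKED", "enabled in Configuration, not allowed here"))
    if not policy["web_based"]:
        # Selected explicitly, but permitted for web-based policies only.
        unusable = sorted(set(policy["allowed"]) & WEB_ONLY)
        if unusable:
            findings.append(("WEB_ONLY_METHOD", ", ".join(unusable)))
    return sorted(findings)

# Constructed sample data.
ORG_METHODS = ["Swipe", "One-time passcode", "SMS", "Security Key", "Number matching"]
POLICIES = [
    {"name": "vpn", "web_based": False, "all_methods": False,
     "allowed": ["Swipe", "SMS", "Security Key"]},
    {"name": "sso", "web_based": True, "all_methods": True, "allowed": []},
]

if __name__ == "__main__":
    for p in POLICIES:
        for code, detail in audit_policy(p, ORG_METHODS, otp_fallback_enabled=True):
            print(f"{p['name']}: {code}: {detail}")
```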