Authentication method selection and priority - use cases

Authentication method selection and priority - use cases - PingID

PingID Administration Guide

bundle

pingid

ft:publication_title

PingID Administration Guide

Product_Version_ce

PingID

category

ContentType

Product

Productdocumentation

pingid

ContentType_ce

Product documentation

See the following table for detailed examples of use cases where the configuration at the organization level can affect the implementation of an authentication policy.

Authentication method selection by specific use cases
Use Case	User Paired Devices	Allowed Authentication Methods	Rule Action	Result	Reason
1	SMS (primary) Email	All methods	Email	User is requested to authenticate through email	Although the primary is SMS, the user is requested to authenticate using email as the rule action requires email.
2	Desktop (primary) Email YubiKey	YubiKey	Authenticate	User is requested to authenticate with YubiKey	User is automatically prompted to authenticate using a YubiKey, regardless of whether the configuration is set to Default to Primary or Prompt user to select. This is because the user only has one allowed authentication method paired with their account.
3	The PingID mobile app (primary) SMS Voice	SMS/ Voice/ Email	Authenticate	User is unable to authenticate	Default to Primary: Even though the user’s primary device is disallowed (PingID Mobile app), the user is prompted to authenticate with the device that was enrolled first out of the list of allowed secondary devices. Prompt user to select: the user is presented with a list of secondary devices. The user selects the secondary device with which they want to authenticate.
4	SMS (primary) YubiKey Email	Mobile App Biometrics/ Swipe / One-time passcode	Authenticate	Authentication denied	User does not have one of the allowed authentication methods paired with their account.
5	The PingID mobile app (primary) Desktop Voice	All methods	SMS	Authentication denied	User does not have the required authentication method paired with their account.
6	The PingID mobile app (Swipe disabled)	Mobile App Biometrics/ Swipe	Authenticate	Authentication denied	Swipe is disabled in the PingID mobile app and the user is unable to receive a push notification. As a one-time passcode (OTP) is not included in the Allowed Authentication Methods, the user cannot use an OTP, even if OTP Fallback is enabled.
7	The PingID mobile app (Swipe disabled)	All methods	Mobile App Biometrics (required)	Authentication denied	Mobile App Biometrics (required) permits authentication with biometrics only, and does not allow use of an OTP. “Swipe disabled” prevents the user from receiving a push notification to their device, preventing the user from authenticating with biometrics.
8	The PingID mobile app where: Device supports biometrics Biometrics not defined on device	Mobile App Biometrics	Mobile App Biometrics (required)	The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked.	If a device does not support biometrics, PingID allows the user to authenticate using swipe as an exception. If the device supports biometrics, but biometrics are not defined on the device, the user can use swipe. This is possible because biometrics is enabled (and not required) by the biometrics configuration
9	The PingID mobile app where: Device does not support biometrics Biometrics required at configuration level	Mobile App Biometrics	Mobile App Biometrics (required)	The user is able to authenticate using swipe or their device passcode in the event that their device screen is locked.	Although biometrics is required, because the user’s device does not support biometrics, the user is still able to authenticate with swipe (if device unlocked), or using their device passcode (if device is locked).
10	The PingID mobile app where: Device supports biometrics Biometrics not defined on device Biometrics required at configuration level	Mobile App Biometrics	Mobile App Biometrics (required)	The user is not able to authenticate	Biometrics are required at the configuration level, and biometrics authentication is possible on the user’s device. The user is not able to authenticate because they have not defined biometrics on the device.
11	The PingID mobile app where: Device supports biometrics Biometrics are defined on device Biometrics required at configuration level	Mobile App Biometrics / Swipe	Authenticate	User is able to authenticate with biometrics	Biometrics have a higher priority over swipe, and the user is prompted to authenticate with biometrics.
12	Security key (primary) Email SMS Where the browser used does not provide WebAuthn support required for security key.	All methods	Authenticate	User is able to authenticate with email or SMS	Default to Primary: Even though the user’s primary device is disallowed because the browser does not support WebAuthn, the user is prompted to authenticate with the secondary device that was enrolled first out of the list of allowed secondary devices. Prompt user to select: A security key is not included in the list of devices, as the browser does not support WebAuthn. The user is presented with a list of secondary devices only. The user selects the secondary device with which they want to authenticate.
13	Security key (primary) Email SMS Where the browser used does not provide WebAuthn support required for security key.	All methods	Security Key	User is unable to authenticate	Even though the user has a security key paired with their account, they are signing on using a browser that does not support WebAuthn.
14	The PingID mobile app (primary) Security key Email Where the browser supports WebAuthn. Policy rule authenticating from a new device is applied and requires a security key.	All methods	Security key	User is able to authenticate with a Security key only. In the case of a phishing attack, the user is not able to authenticate with any device.	If authenticating from a new device a security key is required. If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the accessing from new device policy rule. Even though the user has other devices paired, they are prompted to authenticate using a security key only, and cannot change device due to the policy rule restrictions. This configuration guards all devices against a phishing attack.
15	FIDO2 biometrics (primary) Email SMS Where the browser used does not provide WebAuthn Platform support.	All methods	FIDO2 Biometrics	User is unable to authenticate	Even though the user has a FIDO2 biometrics device paired with their account, they are signing on using a browser that does not support WebAuthn.
16	The PingID mobile app (primary) FIDO2 Biometrics Email Where the browser supports a WebAuthn Platform. Policy rule authenticating from a new device is applied and requires a security key.	All methods	FIDO2	User is able to authenticate with FIDO2 only. In the case of a phishing attack, the user is not able to authenticate with any device.	If authenticating from a new device, FIDO2 biometrics device is required. If the user is subject to a phishing attack, PingID can distinguish between a known and a fraudulent copy of a web page. If fraudulent, PingID does not recognize the source and triggers the accessing from new device policy rule. Even though the user has other devices paired, they are prompted to authenticate using a FIDO2 biometrics device only and cannot change device due to the policy rule restrictions. This configuration guards all devices against a phishing attack.