How is authentication to the PingOne administrator console changing?

PingOne administrators currently using PingOne sign-on policies to authenticate to the admin console will be required to enable MFA.

During the transition period, administrators sign on to the console, they will be presented with the option to enable mandatory MFA for administrators on a per-environment basis. After the transition deadline, an updated default sign-on policy that requires a second authentication method to be registered and used will be automatically applied to all PingOne environments that do not have mandatory MFA for administrators enabled.

What MFA product is being used, and what methods are provided?

We are making specific methods from the PingOne MFA service (Ping Identity's customer identity MFA product) available for all administrators of the Ping Identity Platform.

The following authentication methods are available for the Administrators environment include:

  • Email
  • Push notifications (TOTP)
  • FIDO2

Some PingOne environments are still using FIDO and must update to a FIDO2 policy to use FIDO2 for administrator sign on. Because it can introduce breaking changes, this is a manual opt-in. Customers must follow these steps to enable FIDO2. FIDO (original) devices will continue to work for administrator authentication, but the new administrator MFA policy will not allow just-in-time (JIT) registration of new FIDO (original) devices. After the new policy has been enabled, it will allow JIT registration of FIDO2 devices.

Only email and push notifications will be available for environments that do not have an administrator license and that are not licensed for PingOne MFA.

What if I am not licensed for PingOne MFA?

Customers do not need to be licensed for PingOne MFA to use MFA for administrator sign-on.

If you are licensed for PingOne MFA, you can add additional methods for authentication, such as FIDO2, to the applicable sign-on policy.

Ping recommends storing all administrator identities in the administrator environment and enforcing phishing-resistant verification methods, such as push notifications or FIDO2.

Note:

For tenants created prior to July 2020, there might not be an Administrators environment and corresponding license. We will be making administrative licenses available to all tenants during the transition period.

What are the new default MFA policy settings for administrators?

  • Restricted methods:
    • SMS
    • Voice
    • Mobile
  • Method selection: user selected default
  • Notification: send email notification when new method or device is paired
  • Allowed authentication methods:
    • Email
      • Passcode failure limit: 3
      • Lock duration: 0 min
      • Passcode lifetime: 30 min
    • Authenticator App (TOTP)
      • Passcode failure limit: 3
      • Lock duration: 2 min
      • Allow pairing: Yes
    • FIDO2
      • Uses the default policy assigned in PingOne

Who will be impacted by this change?

All administrator users of PingOne.

Note:

This change does not apply to PingOne for Enterprise (Legacy) or PingOne for SaaS Apps (Legacy) customers.

Can you make exceptions to this requirement?

We strongly believe that security is paramount and are taking steps to ensure that this process is seamless for all our customers. As such, no exceptions will be made. However, we are soliciting feedback from all customers to inform the timeline needed to adapt to this change. Ping Identity will require MFA for all PingOne administrators in 2024.

Can I turn off the new administrator security setting once I opt in to preview the feature?

Administrators will be able to enable and disable administrator security settings on a per-environment basis for all environments until the end of the transition period when the new Administrator Settings page is available in PingOne.

After the transition deadline, an updated default sign-on policy that requires a second authentication method to be registered and used will be automatically applied to all PingOne environments that do not have mandatory MFA for administrators enabled. This policy cannot be disabled.

How do I prepare my organization to support mandatory MFA?

Ensure all administrators have MFA devices registered (email, TOTP, FIDO2).

Enable the new settings early so that all changes are transparent when the transition deadline passes.

Ping will communicate with all customers when the new security settings management page and inline MFA registration become available.

How do I enable mandatory MFA for my organization and PingOne environments?

  • PingOne administrators with the Organization Admin or Environment Admin roles will be able to enable and disable the new administrator security settings in a new section in the navigation menu, Settings > Administrator Security.
  • PingOne administrator roles without the appropriate permissions will not see the Administrator Security menu item.
  • Environments that do not have the new MFA policy enabled will be automatically migrated at the end of the transition period.

What if I’m using an external identity provider as my authentication source?

If you are using an external identity provider (IdP) as your primary authentication source, you do not need to set up MFA in PingOne because you can set up MFA in your external IdP.

When the administrator MFA security setting is enabled, PingOne will update the location where the authentication policy is configured but no additional changes will be needed. Authentication using the external IdP will remain unchanged.

A new chip will appear on the external IdP connection in Integrations > External IDPs. Deleting or disabling the connection will be prevented when assigned to the administrative console system application.

Screen capture of an external IdP that has the Administrator IdP chip

How will existing sign-on policies map to the new 2-factor verification policy when the migration occurs?

The table below describes how existing sign-on policy configurations will map to the new platform sign-on policy for administrators.

Current Configuration

New Configuration

Username and Password Only (no MFA)

PingOne System Policy: UN, PW, + MFA

Username and Password + MFA (multi-step sign-on policy)

PingOne System Policy: UN, PW, + MFA

Username and Password (PingOne) or External Identity Provider

Authentication source: PingOne + External IDP

External Identity Provider

External Identity Provider (no change)

What will the new sign-on experience look like for administrators?

The sign-on experience for administrators authenticating to PingOne will look and function the same as it does today with one exception: administrators who are used to authenticating with an identifier-first sign-on page (username only) will now be presented with a form to enter username and password.

If the administrator does not already have a relevant MFA method registered (email, FIDO2, or TOTP), they will be walked through the process of registering an MFA method at their next sign-on attempt.

Subsequent sign-on attempts will require a second factor for verification.

How long is the transition period? When will it end?

We are currently soliciting feedback from all customers to inform the timeline needed to adapt to this change. Ping Identity will require MFA for all PingOne administrators in 2024.

Existing customers will have access to an early-access preview within the product to adopt the change on an earlier time frame and will be notified when the new settings become available.

What if I am using the Ping Identity PingOne Terraform Providers?

All Terraform providers distributed and managed by Ping Identity will be updated by the time enforcement is mandatory for all customers.

More questions?

Contact your customer success representative or account executive.