  1. Go to Authentication > Authentication.
  2. Click + Add Policy to create a new policy, or click the pencil icon to edit an existing one.
  3. Click + Add Step.
  4. From the Step Type list, select Multi-Factor Authentication.
  5. From the MFA Policy list, select an MFA policy that has been defined for the environment. For more information on defining MFA policies, see MFA policies.
  6. None or incompatible methods:
    For MFA scenarios in which users attempt to sign on, but do not have any enrolled MFA devices that comply with the permitted Available Methods, choose the flow:
    • Block: Do not permit these users to sign on, because they don't have a usable device for MFA.
    • Bypass: Allow users without a usable MFA device to bypass the MFA flow.

      To leverage the Bypass option, the user must already be authenticated, either by a password (login step), or by supplying a signed login_hint_token in the request object. See login_hint_token in the GET Authorize (Browserless and MFA Only Flows) operation in the PingOne Platform API Reference.

  7. Enter or edit the requirement conditions. If one or more of the following conditions are met, the user will be prompted to use a two-step authentication method.
    • Last sign-on older than. Requires users to sign in if their previous login is older than the configured value.
    • Accessing from IP out of range. Requires users to sign in if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.
    • Being a member of any of these populations. Requires users to sign in if the user belongs to the specified population or populations.
    • User attributes. Requires users to sign in if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the checkbox, then click + Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).
    • IP reputation is high risk. PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. An IP address is considered high risk if it may have recently been involved in malicious activities, such as DDoS attacks or spam activity. Select the checkbox to require MFA when authentication requests come from IP addresses with high risk scores.
      Note: The IP reputation option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the IP reputation feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the IP reputation feature will not be active, and cannot be reactivated with a Premier license.
    • A geovelocity anomaly is detected. PingOne analyzes location data from the user's accessing device. It determines whether travel time between a user's current login location and their previous login location is possible in the time frame that has elapsed since the previous login. Select the checkbox to require MFA when a geovelocity anomaly is detected.
      Note: The Geovelocity anomaly option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the Geovelocity anomaly feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the Geovelocity anomaly feature will not be active, and cannot be reactivated with a Premier license.
    • Anonymous network detection. PingOne collects and analyzes IP address data of authentication requests from the user's accessing device. Select the checkbox to require MFA when PingOne identifies an IP address as originating from an anonymous network such as an unknown VPN, proxy, or an anonymous communication tool such as Tor. Exclude IP addresses in the Whitelist by entering them in CIDR notation in a comma-separated list.
      Note: The Anonymous network detection option is a feature that is available only in the Global licensing plan and Trial plan. Moving to the Premier plan will leave the Anonymous network detection feature active, until the admin clears it. When cleared, a warning dialog opens, and on confirmation, the Anonymous network detection feature will not be active, and cannot be reactivated with a Premier license.
  8. Click Save.
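The decision logic that steps 6 and 7 describe, as an added Python model that is not PingOne's own code: the policy dict and the sign-on facts are constructed samples, the key names (in_range_cidrs, anonymous_whitelist, none_or_incompatible and the rest) are assumptions, and the risk signals that PingOne computes itself (IP reputation, geovelocity, anonymous network) are passed in as booleans.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges (the notation the UI expects)."""
    return any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)

def triggered(step, s):
    """Names of the step's requirement conditions that fire for sign-on s; any one prompts MFA."""
    hit = []
    older = step.get("last_sign_on_older_than")
    if older and (s["last_sign_on"] is None or s["now"] - s["last_sign_on"] > older):
        hit.append("last sign-on older than")
    if step.get("in_range_cidrs") and not in_any(s["ip"], step["in_range_cidrs"]):
        hit.append("IP out of range")
    if s["population"] in step.get("populations", ()):
        hit.append("population")
    if any(s["attributes"].get(k) == v for k, v in step.get("user_attributes", {}).items()):
        hit.append("user attribute")  # attribute conditions are ORed: one match is enough
    for flag in ("ip_reputation_high_risk", "geovelocity_anomaly", "anonymous_network"):
        if step.get(flag) and s.get(flag):
            if flag == "anonymous_network" and in_any(s["ip"], step.get("anonymous_whitelist", ())):
                continue  # whitelisted CIDRs are excluded from anonymous network detection
            hit.append(flag)
    return hit

def decide(step, s):
    """ALLOW if nothing fires; MFA if the user has a usable device; else step 6's Block/Bypass choice."""
    if not triggered(step, s):
        return "ALLOW"
    if s["has_usable_device"]:
        return "MFA"
    return "BLOCK" if step.get("none_or_incompatible", "Block") == "Block" else "BYPASS"

# Constructed policy: office range trusted, the doc's Postal Code = 78750 example, a whitelisted VPN egress.
STEP = {
    "last_sign_on_older_than": timedelta(days=30), "in_range_cidrs": ["203.0.113.0/24"],
    "populations": {"Contractors"}, "user_attributes": {"postalCode": "78750"},
    "ip_reputation_high_risk": True, "geovelocity_anomaly": True,
    "anonymous_network": True, "anonymous_whitelist": ["198.51.100.0/28"],
    "none_or_incompatible": "Block",
}
NOW = datetime(2024, 1, 15, 9, 0)

def sign_on(ip, **facts):
    """Constructed attempt: an employee from a trusted office address unless facts override."""
    base = {"now": NOW, "last_sign_on": NOW - timedelta(days=1), "ip": ip, "population": "Employees",
            "attributes": {"postalCode": "10001"}, "has_usable_device": True}
    return {**base, **facts}
```

Run decide(STEP, sign_on(...)) with different facts to see which of the ORed conditions fire and how the Block/Bypass choice only matters once a condition has fired for a user with no usable device.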