An application can have zero or more associated authentication policies that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication steps progress.


The PingOne Admin Console always uses the default authentication policy. Changing the default policy could affect the ability of admins to access the PingOne Admin Console.

Policies are applied in the order in which you add them. The first policy in the list overrides any subsequent policies. The default policy is always used if no policies are applied to an application.

To assign a sign-on policy to an application, see Editing an application.

Note: If an application's authentication policy assignments include only one policy, such as the Passwordless sign-on policy, then the application uses only that policy. If the application has multiple assigned policies, it uses policies in the order they appear in the list.

No authentication policy assignments

Applications that have no authentication policy assignments use the environment’s default authentication policy to authenticate users. Every environment has one designated authentication policy as its default policy. If the environment's default authentication policy changes, then the application's policy changes to use the updated default policy.

One authentication policy assignment

Applications that have one authentication policy assignment always use that policy to authenticate users. For example, if the application has the Single_Factor authentication policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.

Two or more authentication policy assignments

If an application has two or more assigned authentication policies, the authentication flow uses the policy with the highest priority first. If authentication is successful, the authentication flow is complete. If authentication fails, the flow initiates the authentication policy with the next highest priority. If authentication fails again, the authentication flow initiates the next authentication policy. The authentication flow continues until one of the assigned policies is completed successfully or all policies have been tried and failed.