Authentication policies dictate how the user's identity will be verified. For example, a single-factor authentication policy requires a single piece of evidence to verify a user's identity, such as a password. A multi-factor policy could require evidence to verify a user's identity, such as a TOTP authenticator app, FIDO2 biometrics, a push notification sent to the user's mobile device, or a one-time passcode sent over SMS, voice or email. You can also use multi-factor authentication to set up passwordless authentication. You can determine whether users who do not have any enrolled MFA devices are permitted to bypass the MFA flow, or are blocked from sign-on.

In PingOne MFA, the multi-factor authentication step is the only policy step that the admin can configure. Any other authentication steps must be configured externally to PingOne MFA.

For each authentication policy, you can set a condition that determines whether the policy will be applied. For example, the Single_Factor policy can include a condition that requires users to sign on if the most recent sign-on occurred more than eight hours ago. If no conditions are specified, users will be required to sign on every time they access the application.