A common security challenge is verifying that a user requesting access to a protected resource is who they claim to be and that they're permitted to access the requested resource. Protected resources use an authentication service to verify the requesting end user's authenticity.

An authorization process determines whether or not an authenticated user is granted access to the protected resource.


MFA is a process that uses two or more factors to verify an identity.

These factors include:

Knowledge factors

Something you know, such as a user name and password, a PIN, or the answer to a particular challenge.

Although knowledge factors provide some measure of security, they are considered weak authentication factors. They pose a medium to high risk to vulnerability and exposure to unauthorized and unintended users.

Possession factors

Something you have, such as an email address, phone number, hardware token, mobile device, or security key.

Possession factors are stronger than knowledge factors because they are mainly physical devices with a unique ID and should be secure in the possession of their owner.

Inherent factors

Something you are, such as a biometric identifier like a fingerprint, voice, or face recognition.

By their nature, inherent factors are the strongest authentication factors and pose the lowest risk to security vulnerability.

PingOne MFA

PingOne MFA is a cloud-based service that provides MFA for the customer use case that protects an organization’s network, applications, and data resources.

In a typical authentication flow:

  1. A user attempts to access a protected resource that's configured to use PingOne MFA, such as a gated website.
  2. The PingOne MFA server typically sends a notification on an out-of-band (OOB) channel to the user’s authentication device (possession factor), for further verification of the user’s identity.

    The notification to the user is communicated on a separate network channel, isolated from the network channel that the user used when entering their username and password. Use of an OOB channel enhances security, reducing the possibility of man-in-the-middle (MITM), phishing, and other security vulnerability attacks.

    PingOne MFA can secure access even further by requiring a combination of a possession factor together with an inherent factor to successfully complete authentication. For example, PingOne MFA can be configured to require a user to scan their fingerprint (something they are) on their mobile device (something they have).

    In some configurations, the user must perform an action for the authentication request to be successful. In the device authorization use case, the authentication flow happens in the background, and the user gains access without taking any action. The device authorization implementation improves security as well as user experience. The flow depends on the organization's configuration of PingOne MFA.

    For example:

    • If PingOne MFA is configured to provide a one-time passcode (OTP) through SMS, voice or email notification, or Time-based One-Time Password (TOTP) authenticator app, the user must enter that passcode before it expires.
    • If PingOne MFA is configured to authenticate the user through a mobile app, the user receives a notification on their mobile device with an instruction to approve or deny the authentication request.
    • If PingOne is configured to authenticate users through biometrics on a mobile device, the user receives a notification that directs them to scan a fingerprint or do a swipe action in the mobile app.
    • If PingOne MFA is configured for device authorization, the user securely signs on to the app on a trusted mobile device, without having to actively go through strong authentication, while seamless MFA takes place in the background.
  3. Based on the prompt or MFA notification the user received, the user's response action sends a secure notification on an OOB channel to the authenticating PingOne MFA server, closing the OOB communication loop initiated by the PingOne MFA server.
  4. On the basis of the user action causing a positive OOB response back to the authenticating PingOne MFA server, the user is verified as the requester of the authentication request. The PingOne MFA server then sends an authentication approval for the protected resource.

Users can reject an authentication request that is unintended or that they didn't initiate. They can also ignore the authentication request from PingOne MFA and allow it to time out.

PingOne MFA has various configuration options that your organization can use to balance security with convenience and user experience.

These options include:

  • Registration of users and their authentication devices
  • Configuration of permitted and required authentication methods
  • Multiple device support options

    For more information, see MFA policies.

PingOne Mobile SDK

The PingOne Mobile SDK is a set of components and services to help your organization integrate MFA into your Android and iOS native applications. The SDK includes MFA components that you can embed into new or existing mobile applications.

For more information and links to sample apps with basic flows, see PingOne Mobile SDK API in the API developer reference guide.