PingOne MFA authenticates a user by sending a notification to the user's authentication device and then receiving a corresponding response within a specified amount of time.
The permitted notification methods are configured in sign-on policies. For PingOne MFA to send notifications to a user, the user must have at least one authentication device associated with their user profile (also known as device pairing).
In a multi-factor authentication (MFA) environment, the default sign-on policy is a single step of MFA. A user who wants to sign on to the MyAccount UI must have an MFA device in advance, except for the admin, who can sign on to MyAccount from the admin console.
A user needs at least one associated device for PingOne MFA. In this example, your user's authentication device is an email address that receives a one-time passcode (OTP) each time PingOne MFA is triggered.
Enrolling a user authentication device using the admin console
Enrolling a user authentication device using the API
Application developers can use the API operations to enroll a user's authentication device.