PingOne MFA authenticates a user by sending a notification to the user's authentication device and then receiving a corresponding response within a specified amount of time.
The permitted notification methods are configured in sign-on policies. For PingOne MFA to send notifications to a user, the user must have at least one authentication device associated with their user profile (also known as device pairing).
In a multi-factor authentication (MFA) environment, the default sign-on policy is a single step of MFA. A user who wants to sign on to the MyAccount UI must have an MFA device in advance, except for the admin, who can sign on to MyAccount from the admin console.
A user needs at least one associated device for PingOne MFA. In this example, your user's authentication device is an email address that receives a one-time passcode (OTP) each time PingOne MFA is triggered.
Enrolling a user authentication device using the admin console
- In a browser window, go to the MyAccount UI at https://apps.pingone.com/<envId>/myaccount/#mfa.
At the sign-on prompt, enter the username and password.
For the purposes of this getting-started example, you can use your admin account credentials.
- At the top of the page, click Authentication.
- Click Add Method.
- Click Email.
Enter the email address that will receive OTP email notifications for PingOne MFA.
An OTP email notification is sent to the email address.
- Click Next.
- To complete pairing the email address as an MFA authentication device with the user account, on the Email Pairing page, enter the OTP from the email notification.
The Your Authentication Methods list on the Authentication page shows the email address that you paired.
Tip: For more information and additional configuration options, see Managing your PingOne user profile.
Enrolling a user authentication device using the API
Application developers can use the API operations to enroll a user's authentication device.
Use the following
For details, see POST: CREATE MFA User Device (SMS), POST: CREATE MFA User Device (Email), or POST: CREATE MFA User Device (TOTP) in the API reference.
To complete pairing the device as an MFA authentication device with the user account, submit the OTP that was received in the notification, by using the following POST operation:
For details, see POST: Activate MFA User Device in the API reference.
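The two-step API enrollment described above (create the email device, then activate it with the OTP), as an added example that is not from the original page or from Ping Identity. It builds both requests without sending them. The host, paths, request bodies, and activation media type are assumptions to confirm against the API reference entries named above; the function names are hypothetical.

```python
import json
import re
import urllib.request

API_BASE = "https://api.pingone.com/v1"  # assumption: North America region host
ACTIVATE_TYPE = "application/vnd.pingidentity.device.activate+json"  # assumption
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def devices_url(env_id, user_id, device_id=None):
    """Build the devices path; IDs go into the URL, so accept only UUIDs."""
    ids = [env_id, user_id] + ([] if device_id is None else [device_id])
    for value in ids:
        if not UUID_RE.fullmatch(value):
            raise ValueError(f"not a UUID: {value!r}")
    url = f"{API_BASE}/environments/{env_id}/users/{user_id}/devices"
    return url if device_id is None else f"{url}/{device_id}"


def post_request(url, token, body, content_type="application/json"):
    """Prepare (but do not send) an authenticated JSON POST."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": content_type}
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(url, data=data, method="POST", headers=headers)


def create_email_device(env_id, user_id, token, email):
    """Step 1: register the email address; the OTP notification follows."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError("invalid email address")
    body = {"type": "EMAIL", "email": email}
    return post_request(devices_url(env_id, user_id), token, body)


def activate_device(env_id, user_id, device_id, token, otp):
    """Step 2: submit the OTP from the notification to finish pairing."""
    if not re.fullmatch(r"[0-9]+", otp):
        raise ValueError("OTP must contain only digits")
    url = devices_url(env_id, user_id, device_id)
    return post_request(url, token, {"otp": otp}, ACTIVATE_TYPE)


def send(request):
    """Send a prepared request and return the decoded JSON response."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)
```

The device ID passed to `activate_device` comes from the response to the create call, and the access token should be loaded from a secret store rather than hard-coded.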