Updating the MFA step in your sign-on policy - PingOne

Updating the MFA step in your sign-on policy - PingOne - PingOne Cloud Platform

PingOne Cloud Platform

bundle

pingone

ft:publication_title

PingOne Cloud Platform

Product_Version_ce

PingOne

PingOne Cloud Platform

Updating the MFA step in your sign-on policy using the admin console

Page created: 4 Nov 2022 |

Page updated: 9 Jan 2023

| 1 min read

PingOne Cloud Platform PingOne Product

Go to Experiences > MFA.
Locate and select your MFA policy.

The Details panel opens.
Click the Pencil icon to enter edit mode.
In the Allowed Authentication Methods section, select the Mobile Applications check box.
Click + Application.
In the Application list, select your native app.
Optional: Select the Auto Enrollment and Device Authorization check boxes:

Auto Enrollment

Allow automatic enrollment of the mobile application to MFA during the authentication flow.

Device Authorization

Allow users to securely sign on to the app on a trusted mobile device, without having to actively go through strong authentication, while a seamless MFA takes place behind the scenes.

Note:
If the user has no usable devices, you can configure automatic enrollment as Bypass or Block.
Click Save.

Configure pushless and TOTP MFA for a mobile application

Updating the MFA step in your sign-on policy using the API

Page created: 4 Nov 2022 |

Page updated: 9 Jan 2023

| 2 min read

PingOne Cloud Platform PingOne Product

The applications parameter is an array of native applications with additional configuration options for automatic enrollment and device authorization.

To update the sign-on policy's MFA action, set the applications parameter values using the following PUT operation:
```
PUT https://api.pingone.com/v1/environments/{{envId}}/signOnPolicies/{{policyId}}/actions/{{mfaActionId}}
{   
    "priority": 1,
    "type": "MULTI_FACTOR_AUTHENTICATION",
    "sms": {
        "enabled": true
    },
    "email": {
        "enabled": true
    },
    "applications": [
    {
      "id": "{{nativeAppId}}",
      "autoEnrollment": {
        "enabled": true,
        "noDevicesMode": "BYPASS"
      },
      "deviceAuthorization": {
        "enabled": true,
        "extraVerification": "permissive"
      }
    }
  ]
}
```
Note:
If the user has no usable devices, you can configure noDevicesMode as BYPASS or BLOCK. For this configuration to take effect, you must provide a signed login_hint_token.

For details, see POST: CREATE Sign-On Policy Action (MFA) in the API reference.

PingOne MFA provides two sample applications for you to quickly get started:
- Developer sample app:
  - Android developer sample app
  - iOS developer sample app
    This application is a showcase app, aimed at developers who want to explore the PingOne Mobile SDK. It implements all the flows that are available using the PingOne Mobile SDK.
- Authenticator sample app:
  - Android authenticator sample app
  - iOS authenticator sample app
    The authenticator sample app is a mobile app that has the sole function of performing strong authentication. This application is a "white label" authenticator app, aimed at organizations that want to easily publish an authenticator app on the applications stores. Its UI and UX are polished for end users as-is, providing the ability to customize colors, icons, and other appearance attributes. All that's required is compilation with branding and credentials, and uploading it to the app store.
As a quick-start, you can clone the apps from their GitHub locations and follow the instructions in the README files.

Note:
To build the apps, you'll need Android Studio or Xcode (iOS).

Configure pushless and TOTP MFA for a mobile application