Updating the MFA step in your sign-on policy - PingOne Cloud Platform - PingOne

PingOne Cloud Platform

bundle
pingone
ft:publication_title
PingOne Cloud Platform
Product_Version_ce
PingOne Cloud Platform
PingOne
category
Administratorguide
ContentType
Guide
Product
Productdocumentation
p1
p1cloudplatform
ContentType_ce
Product documentation
Guide > Administrator Guide
Guide

Updating the MFA step in your sign-on policy using the admin console

  1. Go to Authentication > MFA.
  2. Locate and select your MFA policy.

    The Details panel opens.

  3. Click the Pencil icon to enter edit mode.
  4. In the Allowed Authentication Methods section, select the Mobile Applications check box.
  5. Click + Application.
  6. In the Application list, select your native app.
  7. Optional: Select the Auto Enrollment and Device Authorization check boxes:
    Auto Enrollment

    Allow automatic enrollment of the mobile application to MFA during the authentication flow.

    Device Authorization

    Allow users to securely sign on to the app on a trusted mobile device, without having to actively go through strong authentication, while a seamless MFA takes place behind the scenes.

    Note:

    If the user has no usable devices, you can configure automatic enrollment as Bypass or Block.

  8. Click Save.

Configure pushless and TOTP MFA for a mobile application

Updating the MFA step in your sign-on policy using the API

The applications parameter is an array of native applications with additional configuration options for automatic enrollment and device authorization.

  • To update the sign-on policy's MFA action, set the applications parameter values using the following PUT operation:
    PUT https://api.pingone.com/v1/environments/{{envId}}/signOnPolicies/{{policyId}}/actions/{{mfaActionId}}
    {   
        "priority": 1,
        "type": "MULTI_FACTOR_AUTHENTICATION",
        "sms": {
            "enabled": true
        },
        "email": {
            "enabled": true
        },
        "applications": [
        {
          "id": "{{nativeAppId}}",
          "autoEnrollment": {
            "enabled": true,
            "noDevicesMode": "BYPASS"
          },
          "deviceAuthorization": {
            "enabled": true,
            "extraVerification": "permissive"
          }
        }
      ]
    }
    Note:

    If the user has no usable devices, you can configure noDevicesMode as BYPASS or BLOCK. For this configuration to take effect, you must provide a signed login_hint_token.

    For details, see POST: CREATE Sign-On Policy Action (MFA) in the API reference.

    PingOne MFA provides two sample applications for you to quickly get started:

    • Developer sample app:
    • Authenticator sample app:
      • Android authenticator sample app
      • iOS authenticator sample app

        The authenticator sample app is a mobile app that has the sole function of performing strong authentication. This application is a "white label" authenticator app, aimed at organizations that want to easily publish an authenticator app on the applications stores. Its UI and UX are polished for end users as-is, providing the ability to customize colors, icons, and other appearance attributes. All that's required is compilation with branding and credentials, and uploading it to the app store.

    As a quick-start, you can clone the apps from their GitHub locations and follow the instructions in the README files.

    Note:

    To build the apps, you'll need Android Studio or Xcode (iOS).

Configure pushless and TOTP MFA for a mobile application