Purpose

The CIAM Plus - MFA Device Management - Main Flow presents users with their current multi-factor authentication (MFA) devices. It then presents the options for users to add new devices, change the name or status of existing devices, or remove an existing device.

Structure

This flow is divided into sections using teleport nodes:

Check for valid session and Enable MFA
Uses function nodes to set variables, then uses a PingOne node to check for a valid session.
  • If a session exists, a hidden HTML node invokes the skpolling component.

  • If no session exists, a PingOne node deletes any existing session token, then the CIAM Plus - SignOn - Subflow is invoked. When the flow completes, a PingOne node creates or updates the session.

A function node retrieves the user ID, then a PingOne node retrieves the user details. The flow then progresses to the MFA Authentication section.

When the previous section completes, an HTML node presents the user with the option to enable MFA. If the user proceeds, PingOne nodes enable MFA and read all enabled devices for the user. The flow progresses to the Verifying and auto enrolling the email section if the user has zero devices, and to the Display User Devices section if the user has more than zero devices.

MFA Authentication
Uses a PingOne node to retrieve the user's devices, then uses a hidden HTML node to check for WebAuthn compatibility. Function nodes verify that the user has at least one active device, then a PingOne node enables MFA for the user. The CIAM Plus - Device Authentication - Subflow is invoked, then the flow returns to the Check for valid session and Enable MFA section.

Verifying and auto enrolling the email
Uses a PingOne node to send a verification code, then presents an HTML page on which the user can enter the verification code. If the user submits a code, PingOne nodes validate the code, register email as an MFA device, and send a device registration email. The flow then progresses to the Display User Devices section.

Display User Devices
Uses a PingOne node to retrieve the user's known devices. If the user can add devices, a custom HTML template presents the user with device options. If the user selects Add, the flow progresses to the Add Device section. If the user selects Done or Cancel, the flow progresses to the Return Success section. If the user selects an existing device, the flow progresses to the Update Device section.

Add Device
Uses a PingOne node to retrieve user information, then invokes the CIAM Plus - Device Registration - Subflow. It then progresses to the Display User Devices section if the addition was successful or canceled.

Update Device
Presents users with a custom HTML page showing options for a currently selected device. The Save and Default options trigger PingOne to save a new device name or set the current device as default. The Remove option triggers an HTML node that asks the user to confirm the deletion. If the user confirms the deletion, a PingOne node removes the current device, then the flow progresses to the Display User Devices section. If the user cancels, the flow progresses to the Display User Devices section.

Return Success
Sends a JSON success message.

Return Error
Displays an error message, then sends a JSON error response.

Input schema

This flow has no inputs.

Output schema

This flow has the following outputs.

| Output Name | Description |
| --- | --- |
| ciam_errorMessage | The error message to display in the parent flow. |
| ciam_errorCode | The error code to display in the parent flow. |

Variables and parameters

This flow uses the following variable or parameter values.

| Variable name | Parameter name | Description |
| --- | --- | --- |
| ciam_logoStyle | None | The HTML style to use for your company logo. |
| ciam_logoUrl | None | The URL for your company logo. |
| ciam_companyName | None | Displays the name of your company. |
| flowMethod | None | The method used to launch the flow, such as widget. |
| ciam_magicLinkEnabled | isEmailMagicLinkEnabled | Indicates whether magic link is enabled in your environment. |
| ciam_agreementEnabled | isTermsOfServiceEnabled | A boolean indicating whether agreement is enabled in your environment. |
| ciam_passwordlessRequired | None | A boolean indicating whether passwordless login is required in the environment. |
| ciam_appleEnabled | isAppleEnabled | Indicates whether authentication through Apple is enabled in your environment. |
| ciam_facebookEnabled | isFacebookEnabled | Indicates whether authentication through Facebook is enabled in your environment. |
| ciam_googleEnabled | isGoogleEnabled | Indicates whether authentication through Google is enabled in your environment. |
| ciam_accountRecoveryEnabled | None | A boolean indicating whether account recovery is enabled in the environment. |