This topic describes each of the settings in the PingID configuration and how to use them.
When you are ready to customize your configuration beyond the recommended defaults, use the following tables to determine the settings that best meet your business and technical needs.
Support
Section | Description |
---|---|
Admin Message | The end user sees the Admin Message when a multi-factor authentication (MFA) challenge is issued. The message should tell users how to get help if they have trouble signing on, for example: "In the event of difficulty, contact the Helpdesk at helpdesk@mycompany.com." This field is optional. |
Enrollment
Section | Description |
---|---|
Mandatory Enrollment Date | The Mandatory Enrollment Date setting specifies the last date on which an end user can choose not to enroll a device in PingID. When users are presented with an MFA challenge for the first time, they are prompted to enroll a device in the PingID service. This setting gives existing users a grace period before enrollment in PingID is required. Note: |
Self-Enrollment During Authentication | The Self-Enrollment During Authentication setting specifies whether the end user is presented with the built-in PingID enrollment process during the user's first MFA challenge: |
Devices
Section | Description |
---|---|
Maximum Allowed Devices | The Maximum Allowed Devices setting specifies the maximum number of devices each user can enroll in PingID for MFA challenges. Allowing more than one device provides a fallback if the primary device is lost, stolen, or damaged, and lets organizations create policies that require a specific device for different MFA challenges. Note: Each additional device that a user enrolls increases the attack surface for that user, because any one of them can approve a challenge. Organizations should balance user convenience with security when choosing a value for Maximum Allowed Devices. The default value is |
Device Selection | The Device Selection setting specifies whether a user's primary device is used as the default for MFA. This setting is shown only when Maximum Allowed Devices is greater than 1. |
Device Management | The Device Management section has three options: |
Email Notification For New Devices | The Email Notification for New Devices setting specifies whether PingID sends an email notification to the end user when a new MFA device is enrolled for their account. This notification gives the user a chance to detect a device that an attacker enrolled on their behalf: |
Mobile App Authentication
Section | Description |
---|---|
New Request Duration | The New Request Duration setting defines the maximum time allowed for an MFA challenge to reach a device before it times out (the Device Timeout), and the total time allowed for an MFA response before the challenge times out (the Total Timeout): Note: For the Global or Advanced settings, you must set Total Timeout to at least 15 seconds greater than the Device Timeout value. |
One-Time Passcode Fallback | This setting configures whether the end user can use a one-time passcode (OTP) from the PingID mobile application to complete an MFA challenge if the mobile push notification times out: |
Direct Passcode Usage | If One-Time Passcode Fallback is set to Enable, the Direct Passcode Usage setting is displayed. Direct Passcode Usage configures whether the end user can use an OTP to complete an MFA challenge before the mobile push notification times out: |
Device Biometrics | The Device Biometrics setting determines whether the PingID mobile app can use the native biometric capabilities of the mobile device, such as fingerprint authentication or face recognition: |
Authentication While Device is Locked | The Authentication While Device is Locked setting determines whether the PingID mobile application presents the swipe-to-approve option on the Android lock screen. Enabling this setting streamlines the user experience on Android devices, but it also makes a fraudulent MFA approval easier, because a challenge can be approved without first unlocking the phone. Organizations should weigh the user experience against the weaker security posture when configuring this setting: Note: This setting applies only to versions of Android older than Android Q (Android 10). As of Android Q, application notifications are no longer allowed over the device's lock screen. |
Alternate Authentication Methods
The following table shows the options for SMS, Voice, Email, YubiKey, Desktop, Security Key, OATH Tokens, and FIDO2 Biometrics.
Option | Description |
---|---|
Enable | Selecting the Enable check box for an item enables that device type for MFA challenges within PingID. Note: If the Enable check box is cleared, that device type is not supported for your organization within PingID, and users cannot register such a device. |
Pairing | Selecting the Pairing check box for an authentication method allows users to pair new devices of that type. The check box is selected automatically when the method is enabled. Clearing Pairing is useful for phasing out a method of authentication without blocking existing users from authenticating. Note: When pairing is disabled, devices that are already paired are not affected, and the method remains available as a backup authentication method. |
Pre-Populate | The Pre-Populate check box tells PingID to retrieve the value for that authentication type (for example, a phone number) from an associated identity repository. To use Pre-Populate, you must have an identity repository configured in PingOne, or have the appropriate attributes configured within PingOne if you are using the internal PingOne directory. For more information, see Identity providers and Configuring the phone number attribute in PingOne. Note: |
Restrict | The Restrict check box is available for any factor that has Pre-Populate selected. If Restrict is selected, the user cannot change the pre-populated value for that device. For example, if Pre-Populate and Restrict are selected for SMS, the phone number is pre-populated from the integrated identity repository and the user cannot change it, so an attacker who takes over the account cannot redirect SMS codes to a phone they control. |
Backup Authentication | The Backup Authentication check box specifies whether the selected factor can be used when a user is unable to use a registered device. The device types that an organization enables as alternate authentication methods should be determined by how much control the organization wants over its users' MFA devices and by the impact of each device type on the organization's security posture: Note: SMS, email, and voice factors are less secure than other alternate methods, such as the PingID mobile application, because the codes travel over channels that an attacker can hijack, for example through SIM swapping or a compromised mailbox. |
Section | Description |
---|---|
Voice | The Local Language for Voice Calls setting allows voice calls, if voice is enabled as a factor, to be made in the end user's local language during web-based SSO. The language is taken from the language specified in the user's browser: Note: Because Windows login, SSH, and VPN don't use a browser, voice calls for those authentication types are always in English. For a list of supported languages, see PingOne language support. |
SMS/Voice | SMS and voice MFA challenges are delivered through Twilio. The Twilio Account setting lets the organization choose whether to use Ping Identity's Twilio account or the organization's own Twilio account: The Daily Used SMS/Voice Limit and Daily Unused SMS/Voice Limit settings specify how many SMS messages or voice calls a user can receive each day. This limits abuse of the SMS and voice service, such as an attacker repeatedly triggering messages to a victim's number or running up the organization's messaging costs. For more information, see SMS and voice usage limits. |
Desktop | Ping Identity provides a desktop application for Windows and Mac that presents an OTP for use during MFA challenges. This application should not be confused with the PingID integrated Windows login adapter. The Desktop section is visible only if Desktop has been enabled in the Alternate Authentication Methods section. To add a layer of protection to the desktop application, the Desktop Security PIN setting determines whether a PIN is required to unlock it. Each user sets their own PIN for the desktop application: Note: Organizations should consider the security implications of retrieving OTPs from a desktop application: if the application runs on the same desktop from which MFA is initiated, a compromise of that one machine yields both the primary credential and the second factor, which reduces the security value of the MFA challenge. |
Security Key | The Security Key section contains two options: |
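Several of the settings above depend on one another (Direct Passcode Usage on One-Time Passcode Fallback, Restrict on Pre-Populate, Device Selection on Maximum Allowed Devices, Total Timeout on Device Timeout), and several others trade convenience for a weaker posture (lock-screen approval, SMS/voice/email as backup factors, a desktop OTP app without a PIN). The following linter, added here as an illustration and not part of PingID or this page, encodes those rules as checks over a configuration and runs them against a constructed weak configuration and a constructed hardened one. The nested dictionary layout, key names and the device-count threshold are assumptions made for the example; PingID exposes no such export format.

```python
"""Lint an MFA configuration against the setting dependencies and
security cautions described on this page.

Assumption: the nested dict layout and key names used here are an
invented, simplified representation of the PingID settings for
illustration only; they are not a PingID export format or API.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    severity: str   # "error": inconsistent config; "warn": weaker security posture
    setting: str    # dotted path of the offending setting (assumed naming)
    message: str


# Factors the page describes as less secure than the mobile app when used as backup.
WEAK_BACKUP_METHODS = ("sms", "voice", "email")


def lint_mfa_config(cfg: Dict, max_devices_threshold: int = 3) -> List[Finding]:
    """Return every inconsistency or weak setting found in cfg.

    max_devices_threshold is an assumed value for the point at which the
    number of enrollable devices is worth a warning; the page gives no number.
    """
    findings: List[Finding] = []
    devices = cfg.get("devices", {})
    mobile = cfg.get("mobile_app", {})
    alt = cfg.get("alternate_methods", {})
    desktop = cfg.get("desktop", {})

    # Devices: Device Selection only matters when more than one device may be enrolled.
    max_devices = devices.get("max_allowed_devices", 1)
    if max_devices <= 1 and devices.get("device_selection") is not None:
        findings.append(Finding("warn", "devices.device_selection",
                                "has no effect while max_allowed_devices is 1"))
    if max_devices > max_devices_threshold:
        findings.append(Finding("warn", "devices.max_allowed_devices",
                                f"{max_devices} enrollable devices widens each user's attack surface"))
    if devices.get("email_notification_new_devices") is False:
        findings.append(Finding("warn", "devices.email_notification_new_devices",
                                "users are not told when a new MFA device is enrolled on their account"))

    # Mobile app: Total Timeout must be at least 15 s greater than Device Timeout.
    device_to = mobile.get("device_timeout_seconds")
    total_to = mobile.get("total_timeout_seconds")
    if device_to is not None and total_to is not None and total_to < device_to + 15:
        findings.append(Finding("error", "mobile_app.total_timeout_seconds",
                                f"must be >= device_timeout + 15 s ({device_to + 15}); got {total_to}"))
    # Direct Passcode Usage is only offered when OTP fallback is enabled.
    if mobile.get("direct_passcode_usage") and not mobile.get("otp_fallback"):
        findings.append(Finding("error", "mobile_app.direct_passcode_usage",
                                "requires otp_fallback to be enabled"))
    # Approving from the lock screen makes a fraudulent approval easier.
    if mobile.get("auth_while_device_locked"):
        findings.append(Finding("warn", "mobile_app.auth_while_device_locked",
                                "allows swipe approval without unlocking the phone"))

    # Alternate methods: per-method dependencies and weak backup factors.
    for name, m in alt.items():
        if m.get("pairing") and not m.get("enable"):
            findings.append(Finding("error", f"alternate_methods.{name}.pairing",
                                    "pairing requires the method to be enabled"))
        if m.get("restrict") and not m.get("pre_populate"):
            findings.append(Finding("error", f"alternate_methods.{name}.restrict",
                                    "restrict is only available when pre_populate is selected"))
        if name in WEAK_BACKUP_METHODS and m.get("backup_authentication"):
            findings.append(Finding("warn", f"alternate_methods.{name}.backup_authentication",
                                    "SMS, voice and email are weaker than the mobile app as a backup factor"))
    # Desktop OTP app: a PIN should be required when the method is enabled.
    if alt.get("desktop", {}).get("enable") and not desktop.get("security_pin_required"):
        findings.append(Finding("warn", "desktop.security_pin_required",
                                "desktop OTP app enabled without a PIN; a compromised workstation holds both factors"))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Settings that make the configuration inconsistent (not merely weak)."""
    return [f.setting for f in findings if f.severity == "error"]


# Constructed sample: a convenient but weak configuration.
WEAK_CONFIG = {
    "devices": {"max_allowed_devices": 5, "device_selection": "primary",
                "email_notification_new_devices": False},
    "mobile_app": {"device_timeout_seconds": 30, "total_timeout_seconds": 40,
                   "otp_fallback": False, "direct_passcode_usage": True,
                   "auth_while_device_locked": True},
    "alternate_methods": {
        "sms": {"enable": True, "pairing": True, "pre_populate": False,
                "restrict": True, "backup_authentication": True},
        "desktop": {"enable": True, "pairing": True},
    },
    "desktop": {"security_pin_required": False},
}

# Constructed sample: the same settings tightened along the lines the page recommends.
HARDENED_CONFIG = {
    "devices": {"max_allowed_devices": 2, "device_selection": "primary",
                "email_notification_new_devices": True},
    "mobile_app": {"device_timeout_seconds": 30, "total_timeout_seconds": 45,
                   "otp_fallback": True, "direct_passcode_usage": False,
                   "auth_while_device_locked": False},
    "alternate_methods": {
        "sms": {"enable": True, "pairing": True, "pre_populate": True,
                "restrict": True, "backup_authentication": False},
        "desktop": {"enable": True, "pairing": True},
    },
    "desktop": {"security_pin_required": True},
}


if __name__ == "__main__":
    for f in lint_mfa_config(WEAK_CONFIG):
        print(f"{f.severity:5} {f.setting}: {f.message}")
```

Run as a script, the linter reports eight findings for the weak configuration (three of them errors: the timeout gap, Direct Passcode Usage without OTP fallback, and Restrict without Pre-Populate) and none for the hardened one. The split between "error" and "warn" mirrors the page: the first group are combinations the PingID console would not let you save or that have no effect, the second are choices the page explicitly describes as trading security for convenience.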
Policy
Setting | Description |
---|---|
Enforce Policy | The Enforce Policy setting is the master on/off switch for PingID authentication policies: For more information on creating policies, or to view the PingID documentation on policies, see Authentication policy. |
Enforce Policy for Windows Login | The Enforce Policy for Windows Login setting tells PingID whether to evaluate PingID policies for authentications that come through the Windows login adapter: |
Evaluation
If you are running a trial of PingID, the Evaluation section is visible. After you purchase PingID, the Evaluation section is no longer displayed.
Setting | Description |
---|---|
Expiration Policy | The Expiration Policy setting determines how PingID behaves when an organization's PingID trial has expired: |