When you are ready to customize your configuration beyond the recommended defaults, use the following tables to determine the settings that best meet your business and technical needs.

Support

Section Description

Admin Message

The end user sees the Admin Message field when a multi-factor authentication (MFA) challenge is issued. The message should provide directions on getting help if the user has trouble signing on.

For example: In the event of difficulty, contact the Helpdesk at helpdesk@mycompany.com.

This field is optional.

Enrollment

Section Description

Mandatory Enrollment Date

The Mandatory Enrollment Date section specifies the last date an end user can choose not to enroll a device in PingID. When users are presented with an MFA challenge for the first time, they are prompted to enroll a device in the PingID service. This option allows existing users a grace period before requiring enrollment in PingID.

Note:
  • Until the specified mandatory enrollment date, a Not Now button is shown on the enrollment page, allowing the user to bypass both the enrollment process and the MFA challenge.
  • On and after the mandatory enrollment date, the Not Now button is not shown and the user must enroll a device in the PingID service to authenticate.

Self-Enrollment During Authentication

The Self-Enrollment During Authentication section specifies whether the end user is presented with the built-in PingID enrollment process during the user's first MFA challenge:

  • Selecting Enable allows users to self-register a device with PingID and is the appropriate choice for most organizations. This is the default value.
  • Selecting Disable results in an error when a user without a registered device is prompted for MFA. Select this option if your organization needs to implement custom business processes as part of the user's first MFA challenge.
    Note:

    If Disable is selected, the Admin Message field should direct the user to the custom enrollment process of the organization.

    For example: To enroll a device in PingID, visit http://mycompany.com/registerMFA.

Devices

Section Description

Maximum Allowed Devices

The Maximum Allowed Devices setting specifies the maximum number of devices each user can enroll in PingID for MFA challenges. This provides a fallback in the event that a primary device is lost, stolen, or damaged.

It also allows organizations to create policies that require a specific device to be used in different MFA challenges.

Note:

Each additional device that a user enrolls increases the attack surface for that user.

Organizations should balance user convenience with security when choosing a value for the Maximum Allowed Devices section. The default value is 5.

Device Selection

The Device Selection option specifies whether a user’s primary device is used as the default for MFA.

This option is shown when Maximum Allowed Devices is greater than 1.

  • If Default to Primary is selected, the primary device is always used unless a PingID policy overrides this setting. If the primary device doesn't respond to the MFA challenge in time, the user is prompted to select an alternate device if more than one is enrolled. This is the default setting and ensures a smooth, fast MFA experience for end users.
  • If Prompt User to Select is selected, the user is prompted to choose an enrolled device every time they receive an MFA challenge.
    Note:

    Choosing Prompt User to Select generates additional user activity during MFA challenges.

Device Management

The Device Management section has three options:

  • Allow Users to Unpair and Change Devices Using the Mobile App lets users unpair a mobile device from within the PingID mobile application. It also allows the user to move their PingID enrollment from one mobile device to another. This is the default selection.
    Note:

    This doesn't allow users to add new devices, only to move from one mobile device to another.

    If all mobile devices are issued by the organization to its users, it is recommended that this selection be cleared. This prevents users from removing their company-issued mobile device from PingID.

    If individuals are allowed to use personal mobile devices, select Allow Users to Unpair and Change Devices Using the Mobile App.

  • Allow Users to Manage Their Devices on the Web lets users manage their MFA devices in the devices section of the PingOne dock.
  • Enable Device Management for Users with No Paired Devices lets users with no paired devices manage their devices in the Devices section of the PingOne dock.

    If this option is disabled, users must self-enroll during authentication before they can access the Devices section.

    Note:

    This option requires that you select the Allow Users to Manage Their Devices on the Web check box.

Email Notification For New Devices

The Email Notification for New Devices section specifies whether PingID sends an email notification to the end user when a new MFA device is enrolled for their account:

  • Selecting Disable doesn't notify the end user when new devices are registered for their account, and they aren't able to report fraudulent activity. This is the default value.
  • Selecting Enable sends the end user an email when a new MFA device has been registered for their account. The email shows the type of device that was registered and a link to report to the PingID administrator if the action was fraudulent.

Mobile App Authentication

Section Description

New Request Duration

The New Request Duration setting defines the maximum amount of allowed time for an MFA challenge to reach a device before timing out as well as the total amount of time allowed for an MFA response before timeout:

  • If Default is selected, the amount of time for an MFA challenge to reach a device before timing out is 25 seconds, and the total amount of time allowed for an MFA response before timeout is 40 seconds. This means that the user has 15 seconds to respond to a challenge after receiving it.

    Note:

    Timeouts for the Default value apply to all MFA challenges.

  • If Global is selected, Device Timeout and Total Timeout settings are displayed. For the Global value, values for Device Timeout and Total Timeout apply to all MFA challenges.

    This is the recommended choice for most organizations.

    • The Device Timeout setting defines how much time is allowed for an MFA challenge to reach a device before timeout and allows the organization to override the default of 25 seconds.
    • The Total Timeout setting defines how much time is allowed for an MFA challenge response before timeout and allows the organization to override the default of 40 seconds.
  • If Advanced is selected, options for Web single sign-on (SSO), API, SSH, and VPN MFA challenges are presented, allowing the organization to set Device Timeout and Total Timeout for each different type of MFA challenge.
Note:

For the Global or Advanced settings, you must set Total Timeout to at least 15 seconds greater than the Device Timeout value.
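The relationship between Device Timeout and Total Timeout is easy to get wrong once the Advanced option sets different values per channel. The following Python snippet is an added example (not PingID code and not part of the original page) that models the three New Request Duration modes and checks every channel against the 15-second rule above; the channel names, the dictionary layout and the function names are assumptions made for illustration.

```python
"""Check PingID New Request Duration settings against the documented rule.

Added example, not PingID code. Models Default, Global and Advanced modes and
the constraint that Total Timeout must be at least 15 s greater than Device
Timeout. Channel names and the settings layout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_DEVICE_TIMEOUT = 25   # seconds for the push to reach the device (page default)
DEFAULT_TOTAL_TIMEOUT = 40    # seconds for the whole challenge (page default)
MIN_RESPONSE_WINDOW = 15      # Total must exceed Device by at least this (page rule)

# Challenge types listed under the Advanced option (names are assumptions)
ADVANCED_CHANNELS = ("web_sso", "api", "ssh", "vpn")


@dataclass(frozen=True)
class Timeouts:
    device: int
    total: int

    @property
    def response_window(self) -> int:
        """Seconds the user has to act once the push has arrived."""
        return self.total - self.device


def effective_timeouts(mode: str, settings: Optional[dict] = None) -> Dict[str, Timeouts]:
    """Return the Device/Total timeouts that apply to each challenge type."""
    settings = settings or {}
    if mode == "Default":
        pair = Timeouts(DEFAULT_DEVICE_TIMEOUT, DEFAULT_TOTAL_TIMEOUT)
        return {ch: pair for ch in ADVANCED_CHANNELS}
    if mode == "Global":
        # One pair overrides the defaults for every channel
        pair = Timeouts(settings.get("device", DEFAULT_DEVICE_TIMEOUT),
                        settings.get("total", DEFAULT_TOTAL_TIMEOUT))
        return {ch: pair for ch in ADVANCED_CHANNELS}
    if mode == "Advanced":
        # settings = {"web_sso": {"device": 25, "total": 40}, ...}
        return {ch: Timeouts(settings[ch]["device"], settings[ch]["total"])
                for ch in ADVANCED_CHANNELS}
    raise ValueError(f"unknown mode {mode!r}")


def validate(mode: str, settings: Optional[dict] = None) -> List[str]:
    """Return a list of violations; an empty list means the configuration is acceptable."""
    problems = []
    for channel, t in effective_timeouts(mode, settings).items():
        if t.device <= 0 or t.total <= 0:
            problems.append(f"{channel}: timeouts must be positive")
        elif t.response_window < MIN_RESPONSE_WINDOW:
            problems.append(
                f"{channel}: Total Timeout {t.total}s must be at least "
                f"{MIN_RESPONSE_WINDOW}s greater than Device Timeout {t.device}s "
                f"(user would get only {t.response_window}s to respond)")
    return problems


if __name__ == "__main__":
    # Constructed configuration: SSH is given a window that is too short
    advanced = {ch: {"device": 25, "total": 40} for ch in ADVANCED_CHANNELS}
    advanced["ssh"] = {"device": 20, "total": 30}
    for line in validate("Advanced", advanced) or ["configuration OK"]:
        print(line)
```

A window that is too short trains users to expect failed pushes and to retry, which is exactly the behaviour push-fatigue attacks rely on; a window that is very long keeps a challenge approvable on an unattended phone for longer. The validator only enforces the lower bound the page states.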

One-Time Passcode Fallback

This allows the organization to configure whether the end user can use a one-time passcode (OTP) within the PingID mobile application to complete an MFA challenge if the mobile push notification times out:

  • The Enable value is selected by default, and allows the user to use the OTP on their mobile device if a mobile push notification is not completed before timeout.
    Tip:

    This is useful when a mobile device doesn't have data connectivity or has poor coverage.

  • The Disable value doesn't allow the use of an OTP in the event of a mobile push notification timeout. The user can only retry the mobile push and not use an OTP.

Direct Passcode Usage

If One-Time Passcode Fallback is set to Enable, the Direct Passcode Usage option is displayed. Direct Passcode Usage configures whether the end user can use an OTP to complete an MFA challenge before a mobile push notification times out:

  • If Disable is selected, the user can enter an OTP if a mobile push notification times out but not before. This is the default value.
  • If Enable is selected, the user is presented with a Use Code button during a mobile push notification, which allows the user to enter an OTP.

Device Biometrics

The Device Biometrics section determines whether the PingID mobile app can use the native biometric capabilities of the mobile device, such as fingerprint authentication or face recognition:

  • If Disable is selected, the PingID mobile application won't use the native biometric capabilities of the mobile device, and the end user must always swipe on their mobile device to complete MFA.
  • If Enable is selected, the PingID mobile app can use the mobile device's native biometric capabilities, such as fingerprint authentication or face recognition, depending on the device's capabilities.

    When Enable is selected, the Enable On and Face ID Consent sub-settings display:

    • Enable On determines whether device biometrics can be used on Apple devices, Android devices, or both. If neither Apple nor Android is selected, Device Biometrics is set to Disable.
    • Face ID Consent determines whether the user must consent to Face ID before a push notification is approved. If Face ID Consent is disabled, PingID will automatically approve a push notification if the end user is looking at their phone with the PingID app open. If Face ID Consent is enabled, a notification prompts the end user to confirm they wish to authenticate with Face ID. This option prevents end users from automatically approving MFA challenges without being able to review whether the challenge is valid.
  • If Required is selected, the PingID mobile app only accepts the biometric capabilities of the mobile device, as opposed to also presenting the swipe option. Enrolled mobile devices must have biometric capabilities configured for the device. If biometric capabilities are not configured or are disabled for the PingID mobile application, the user receives an error on their mobile device during MFA and cannot complete the MFA challenge.

    When Required is selected, the Notification Actions option is displayed. Notification Actions determines whether users can complete MFA challenges from mobile notification banners:

    • If Disable is selected for Notification Actions, the user cannot act upon an MFA challenge from a notification banner and is required to unlock the phone and open the PingID application to complete MFA.
    • If Enable is selected for Notification Actions, the user can take action on an MFA challenge from a notification banner. For a full description of the behavior of Apple and Android devices for the Disable and Enable options of Notification Actions, review the Cases Matrix for iPhone iOS 8+ Devices and Cases Matrix for Android 5.0+ Devices tables in Configuring authentication for the PingID mobile app.

Authentication While Device is Locked

The Authentication While Device is Locked section determines whether the PingID mobile application presents the swipe option over the Android lock screen. Enabling this setting streamlines the user experience on Android devices, but it also makes a fraudulent approval easier, because anyone holding the device can approve a challenge without unlocking it. Organizations should weigh the user experience against the weaker security footprint when configuring this setting:

  • If Disable is selected, the user must unlock their Android device before completing MFA.
  • If Enable is selected, the PingID application presents a swipe request over the Android device's lock screen.
Note:

This setting applies only to versions of Android older than Android Q. As of Android Q, application notifications are no longer allowed over the device's lock screen.

Alternate Authentication Methods

The following table shows the options for SMS, Voice, Email, YubiKey, Desktop, Security Key, OATH Tokens, and FIDO2 Biometrics.

Option Description

Enable

Selecting the Enable check box of the corresponding item enables the use of that type of device for MFA challenges within PingID.

Note:

If the Enable check box is cleared, that device type is not supported for your organization within PingID, and the user is unable to register such a device.

Pairing

Selecting the Pairing check box of the corresponding authentication method allows device pairing for that method. This check box is automatically selected when an authentication method is enabled. Disabling pairing is useful to phase out a specific method of authentication without blocking existing users from authenticating.

Note:

When pairing is disabled, devices that are already paired are not affected, and the corresponding method is still available as a backup authentication method.

Pre-Populate

The Pre-Populate check box tells PingID to retrieve a value from an associated identity repository for that authentication type. To use the Pre-Populate setting, you must have an identity repository configured in PingOne or have the appropriate attributes configured within PingOne if you are using the internal PingOne directory.

For more information, see Identity providers and Configuring the phone number attribute in PingOne.

Note:
  • For SMS and Voice, the value retrieved is a phone number, while for Email the value is an email address.
  • Pre-population of selected values into PingID occurs at the time the user goes through registration.
  • Pre-population of values does not occur if the user registers using the Windows login adapter, SSH adapter, or VPN adapter.
  • Pre-population of values does not mean that the corresponding devices are registered, only that values for the selected devices are pre-populated for user convenience.
  • The Pre-Populate check box cannot be changed unless the corresponding device type is enabled.

Restrict

The Restrict check box can be selected only for factors that have Pre-Populate selected. If Restrict is selected, the user cannot change the pre-populated value for that device.

For example, if Pre-Populate and Restrict are selected for SMS, a phone number is pre-populated from the integrated identity repository, and the user cannot change that phone number.

Backup Authentication

The Backup Authentication check box specifies whether the selected device factor can be used in the event that a user is unable to use a registered device.

The types of devices that an organization enables for alternate authentication methods should be determined by the amount of control the organization wants over its users' MFA devices, as well as the impact of each device type on the organization's security footprint:

  • If Backup Authentication is selected for a device factor, a value for that factor is retrieved from the integrated identity repository and is presented to the user as an option for the Forgot Your Device? button during an MFA challenge.
  • You can select the Backup Authentication check box even if the corresponding device type is not enabled as a primary factor.

    In this scenario, the device type is not available for registration, but it can still be used to help a user complete an MFA challenge when the user indicates that their registered MFA devices are unavailable.

Note:

SMS, email, and voice factors are less secure than other alternate methods, such as the PingID mobile application: they depend on channels outside the organization's control and are exposed to SIM swapping, call forwarding, and mailbox compromise.

Section Description

Voice

The Local Language for Voice Calls setting allows voice calls, if enabled as a factor, to be performed in a language local to the end user when using web-based SSO. The local language is determined by the language specified in the user's browser:

  • If set to Disable, voice calls are always in English.
  • If set to Enable, voice calls are in the local language as determined by the web browser. If the browser's local language isn't supported, the call will be in English.
Note:

Because Windows login, SSH, and VPN don't use a browser, voice calls are always in English for those authentication types. For a list of supported languages, see PingOne language support.

SMS/Voice

SMS and voice MFA challenges are delivered using Twilio. The Twilio Account section allows the organization to choose whether to use Ping Identity's Twilio account or the organization's own Twilio account:

  • Selecting Ping Identity configures PingID to use the Ping Identity Twilio account.
    Note:

    Using the Ping Identity Twilio account incurs per-transaction charges.

  • Selecting Custom configures PingID to use your organization’s Twilio account for SMS and voice MFA challenges:
    • Selecting Custom displays text boxes for Account SID and Auth Token, which the organization must copy from its Twilio account. The Auth Token grants full API access to that Twilio account, so treat it as a secret and rotate it if it is ever exposed.
    • Organization Numbers are displayed when the Twilio account has been verified by clicking Verify Account.
      Note:

      One or more of the Organization Numbers must be selected, and PingID uses one of the selected numbers as the originating number for SMS and voice MFA challenges.

    • Fallback to Default Account determines whether PingID falls back to the Ping Identity Twilio account in the event of an error using the organization's unique account:

      • Selecting Disable configures PingID not to fall back to the Ping Identity Twilio account and will cause SMS and voice MFA challenges to fail in the event of an error with the organization's unique Twilio account.
      • Selecting Enable configures PingID to use the Ping Identity Twilio account if an error occurs using the organization's unique Twilio account.

The Daily Used SMS/Voice Limit and Daily Unused SMS/Voice Limit sections specify how many SMS or voice calls a user can receive each day. This prevents abuse of the SMS and voice service.

  • The Daily Used SMS/Voice Limit field specifies the number of SMS or voice authentication requests a user can receive and respond to each day. The default value is 15 for the licensed version of PingID and 5 for the trial version.
  • The Daily Unused SMS/Voice Limit field specifies the number of SMS or voice authentication requests a user can receive and not respond to each day. The default value is 10 for the licensed version of PingID and 5 for the trial version.

For more information, see SMS and voice usage limits.
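To make the two limits concrete, here is an added Python example (not PingID code and not a description of PingID's internals) that models a per-user daily budget of responded ("used") and unresponded ("unused") requests, and shows why the unused limit caps code-bombing of a victim's phone number. The class, its method names and the keying by calendar day are assumptions made for illustration.

```python
"""Daily SMS/voice request limiter modelled on the Used/Unused limits above.

Added example, not PingID code. A request is 'unused' from the moment it is
sent until the user responds to it; on response it becomes 'used'. Sending is
refused once either daily counter reaches its limit. The design is an
assumption for illustration, not PingID's implementation.
"""
from collections import defaultdict
from datetime import date

# Defaults stated on this page
LICENSED_LIMITS = {"used": 15, "unused": 10}
TRIAL_LIMITS = {"used": 5, "unused": 5}


class SmsVoiceLimiter:
    def __init__(self, used_limit: int, unused_limit: int):
        self.used_limit = used_limit
        self.unused_limit = unused_limit
        # (user, day) -> {"pending": request ids not yet responded to, "used": count}
        self._state = defaultdict(lambda: {"pending": set(), "used": 0})

    def counts(self, user: str, day: date) -> dict:
        b = self._state[(user, day)]
        return {"used": b["used"], "unused": len(b["pending"])}

    def allow_request(self, user: str, day: date) -> bool:
        """Decide whether one more SMS/voice OTP may be sent to this user today."""
        c = self.counts(user, day)
        return c["used"] < self.used_limit and c["unused"] < self.unused_limit

    def send(self, user: str, day: date, request_id: str) -> bool:
        """Record an outbound request; returns False if the daily budget is exhausted."""
        if not self.allow_request(user, day):
            return False
        self._state[(user, day)]["pending"].add(request_id)
        return True

    def respond(self, user: str, day: date, request_id: str) -> bool:
        """Record a response; the request moves from the unused to the used counter."""
        b = self._state[(user, day)]
        if request_id not in b["pending"]:
            return False
        b["pending"].remove(request_id)
        b["used"] += 1
        return True


def simulate_code_bombing(limits: dict, attempts: int) -> int:
    """An attacker triggers `attempts` OTPs for a victim who never responds.

    Returns how many messages actually went out: the unused limit is the cap.
    """
    lim = SmsVoiceLimiter(limits["used"], limits["unused"])
    today = date(2024, 1, 1)  # constructed date
    return sum(lim.send("victim", today, f"req-{i}") for i in range(attempts))


def simulate_legitimate_use(limits: dict, attempts: int) -> int:
    """A real user responds to every OTP; the used limit is the cap."""
    lim = SmsVoiceLimiter(limits["used"], limits["unused"])
    today = date(2024, 1, 1)  # constructed date
    sent = 0
    for i in range(attempts):
        rid = f"req-{i}"
        if lim.send("alice", today, rid):
            sent += 1
            lim.respond("alice", today, rid)
    return sent


if __name__ == "__main__":
    print("trial, bombing:", simulate_code_bombing(TRIAL_LIMITS, 50))        # 5
    print("licensed, bombing:", simulate_code_bombing(LICENSED_LIMITS, 50))  # 10
    print("licensed, legit:", simulate_legitimate_use(LICENSED_LIMITS, 50))  # 15
```

Note the trade-off the unused limit implies: once an attacker has burned a victim's unused budget, the victim's own SMS or voice requests are refused for the rest of the day, so users need another enrolled factor or a helpdesk path (see Admin Message) to recover.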

Desktop

Ping Identity provides a desktop application for Windows and Mac which presents an OTP for use during MFA challenges. This application should not be confused with the PingID integrated Windows login adapter.

The Desktop section is only visible if Desktop has been enabled in the Alternate Authentication Methods section.

To provide an additional layer of protection for the desktop application, the Desktop Security PIN setting determines whether a PIN is required to unlock the desktop application. The PIN for the desktop application is uniquely set by each user:

  • If Disable is selected, no PIN code is required to unlock the application.
  • If 4-Digit is selected, a four-digit PIN is required to unlock the desktop application.
  • If 6-Digit is selected, a six-digit PIN is required to unlock the desktop application.
The Use Proxy for Desktop setting allows an organization to configure the desktop application to use an enterprise proxy for internal and internet communication:

  • Selecting Disable configures PingID to support only non-proxied desktop applications.
  • Selecting Enable configures PingID to support proxied desktop applications.
Note:

Organizations should consider the security implications of using a desktop-based application for retrieving OTPs, as having the application on the same desktop on which MFA is initiated might reduce the security value of the MFA challenge.

Security Key

The Security Key section contains two options:

  • Resident Key determines whether the credential is stored on the authenticator as a discoverable (resident) credential, which is what allows passwordless sign-on without the user first supplying an identifier.
  • User Verification determines whether end users are preferred or required to authenticate with a security key that performs user verification (a PIN or biometric check on the key itself) rather than a simple touch that only proves presence.
    Note:

    If Resident Key is set to Required, User Verification is automatically required.
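These two options correspond to the `residentKey` and `userVerification` members of `authenticatorSelection` in the WebAuthn `PublicKeyCredentialCreationOptions`. The Python below is an added example (not PingID code) that builds those options from the admin settings, applies the rule that a required resident key forces user verification, and shows the server-side check that makes "required" meaningful: verifying the UV flag in the authenticator data the security key returns. That PingID emits exactly these fields, and the function names used here, are assumptions.

```python
"""Map the Security Key settings to WebAuthn creation options and check UV.

Added example, not PingID code. Field names follow the WebAuthn specification
(`residentKey`, `requireResidentKey`, `userVerification`, authenticatorData
flags byte at offset 32). That PingID uses these exact fields is an assumption.
"""
import base64
import secrets

RESIDENT_KEY_VALUES = ("discouraged", "preferred", "required")
USER_VERIFICATION_VALUES = ("discouraged", "preferred", "required")

# Bits of the authenticatorData flags byte
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric on the key)


def authenticator_selection(resident_key: str, user_verification: str) -> dict:
    """Build the authenticatorSelection member from the two admin settings."""
    resident_key = resident_key.lower()
    user_verification = user_verification.lower()
    if resident_key not in RESIDENT_KEY_VALUES:
        raise ValueError(f"bad residentKey {resident_key!r}")
    if user_verification not in USER_VERIFICATION_VALUES:
        raise ValueError(f"bad userVerification {user_verification!r}")
    # Rule from the page: Resident Key = Required forces User Verification = Required.
    if resident_key == "required":
        user_verification = "required"
    return {
        "residentKey": resident_key,
        "requireResidentKey": resident_key == "required",  # Level 1 boolean for older clients
        "userVerification": user_verification,
    }


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def creation_options(rp_id: str, user_name: str, user_handle: bytes,
                     resident_key: str, user_verification: str,
                     challenge: bytes = None) -> dict:
    """PublicKeyCredentialCreationOptions the RP sends to navigator.credentials.create().

    user_handle is the opaque per-user id the RP stores; the challenge is fresh
    per ceremony and must be compared against the signed clientDataJSON later.
    """
    challenge = challenge or secrets.token_bytes(32)
    return {
        "rp": {"id": rp_id, "name": rp_id},
        "user": {"id": b64url(user_handle), "name": user_name, "displayName": user_name},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},     # ES256
                             {"type": "public-key", "alg": -257}],  # RS256
        "timeout": 60000,
        "attestation": "none",
        "authenticatorSelection": authenticator_selection(resident_key, user_verification),
    }


def user_verification_satisfied(authenticator_data: bytes, policy: str) -> bool:
    """Server-side check of the flags byte (offset 32) of authenticatorData.

    'required' only protects anything if the RP rejects responses whose UV bit
    is clear; 'preferred' and 'discouraged' accept either, but UP must be set.
    """
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticatorData too short")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False
    if policy == "required":
        return bool(flags & FLAG_UV)
    return True


if __name__ == "__main__":
    # Constructed sample: an authenticator response with UP and UV set
    sample_auth_data = b"\x00" * 32 + bytes([FLAG_UP | FLAG_UV]) + b"\x00" * 4
    opts = creation_options("login.example.com", "alice", b"\x01" * 16, "required", "preferred")
    print(opts["authenticatorSelection"])
    print("UV ok:", user_verification_satisfied(sample_auth_data, "required"))
```

Setting User Verification to Required in the admin console changes what the browser asks the key to do; the check in `user_verification_satisfied` is what turns that request into an enforced property, and it must be repeated on every assertion, not just at registration.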

Policy

Setting Description

Enforce Policy

The Enforce Policy setting is a master on-off switch for PingID authentication policies:

  • If Disable is selected, no PingID policies are processed during MFA challenges.
  • If Enable is selected, PingID policies are processed during MFA challenges.

For more information on creating policies or to view the PingID documentation on policies, see Authentication policy.

Enforce Policy for Windows Login

The Enforce Policy for Windows Login setting tells PingID whether to process PingID policies specifically for the Windows login adapter:

  • If Disable is selected, PingID policies are not processed for Windows login MFA challenges.
  • If Enable is selected, PingID policies are processed for Windows login MFA challenges.

Evaluation

If you are running a trial of PingID, the Evaluation section is visible. After you purchase PingID, the Evaluation section is no longer displayed.

Setting Description

Expiration Policy

The Expiration Policy setting determines how PingID behaves when an organization's PingID trial has expired:

  • The Allow Single Sign-on Without PingID setting configures PingID to automatically approve any MFA challenge without prompting the user. This value effectively sets PingID to pass through all requests without evaluating them, so an expired trial fails open and the second factor provides no protection until the trial is renewed or purchased.
  • The Decline Single Sign-on Attempts Using PingID setting configures PingID to automatically deny any MFA challenge. This value prevents users from completing authentication anywhere PingID is integrated (it fails closed).