Use Cases

Getting started with PingID core settings

Learn how to configure and use core PingID settings, including a detailed walkthrough of the advanced options.

This guide covers only the configuration of the core PingID settings. For tasks such as configuring an identity provider, branding, PingID policies, and device pairing settings, see the PingID Administration Guide.

Before you begin

You must:

  • Have a web browser with connectivity to the Internet.

  • Have a PingID instance that needs to be newly configured or that needs a configuration change.

Configuring PingID quick setup

Configure PingID with the most common settings.

About this task

To get your PingID instance up and running quickly:

Steps

  1. In your PingOne environment, click the Overview tab.

  2. From the Services section, click the PingID icon.

  3. Go to Setup → PingID → Configuration.

    If you’re using a trial mode of PingID, you see a notice at the top of the PingID Settings page indicating that your features are limited.

    To upgrade your license, contact sales@pingidentity.com.

  4. In the Admin Message field, enter contact information to aid users experiencing trouble.

    Example:

    For example: For support with PingID, contact helpdesk@mycompany.com.

  5. To give your users time to get acquainted with the addition of multi-factor authentication (MFA), in the Mandatory Enrollment Date section, enter a date 30 days from the current date.

  6. To allow users to self-enroll an MFA device the first time they’re prompted for MFA, in the Self-enrollment During Authentication section, click Enable.

  7. To allow your users to enroll multiple devices, in the Maximum Allowed Devices field, enter a number greater than 1.

  8. To prevent your users from having to select an MFA device every time they authenticate, in the Device Selection section, click Default to Primary.

  9. To allow users to disconnect their mobile device without administrator approval, in the Device Management section, select the Allow users to unpair and change devices using the mobile app check box.

  10. To allow users to manage their devices in the PingID console, in the Device Management section, select the Allow users to manage their devices on the web and Enable device management for users with no paired devices check boxes.

  11. To avoid sending an email to a user every time a new MFA device is added, in the Email Notification for New Devices section, click Disable.

  12. To maintain the 40-second MFA challenge timeout default, in the New Request Duration section, click Default.

  13. To allow users to use a one-time passcode (OTP) on their mobile app if a push notification doesn’t reach their device, in the One-time Passcode Fallback section, click Enable.

  14. To require a mobile device to attempt a push notification before the user can use an OTP, in the Direct Passcode Usage section, click Disable.

  15. To allow the use of a device’s native biometrics for an MFA challenge, in the Device Biometrics section, click Enable.

  16. To enable both iOS and Android devices, in the Enable On section, select the iOS and Android check boxes.

  17. To prevent accidental automatic MFA approvals when FaceID is enabled, in the Face ID Consent section, click Enable.

  18. To require users to unlock their device before approving an MFA challenge, in the Authentication While Device is Locked section, click Disable.

  19. To enable the most common MFA types, in the Alternate Authentication Methods section, select the Enable and Pairing check boxes for SMS, Voice, and Email.

  20. To allow users to provide their own phone numbers and email addresses when enrolling a device, clear the Pre-populate and Restrict check boxes for SMS, Voice, and Email.

  21. To maintain English as the supported language, in the Local Language for Voice Calls section, click Disable.

  22. To prevent abuse of SMS or Voice services, set the Daily Used SMS/Voice Limit field to 15 and the Daily Unused SMS/Voice Limit field to 10.

  23. To use the default PingID SMS and voice provider, in the Twilio Account section, click Ping Identity.

  24. To use English for all SMS messages, in the Local Language for SMS section, click Disable.

  25. To enable the simple use of the Desktop OTP application:

    1. In the Desktop Security PIN section, click Disable.

    2. In the Use Proxy for Desktop section, click Disable.

  26. To enable a simple configuration for security keys:

    1. In the Resident Key section, click Not Required.

    2. In the User Verification section, click Preferred.

  27. To allow enforcement of MFA policies that you define, in the Enforce Policy section, click Enable.

  28. To enforce policies specifically for the PingID Windows login agent, in the Enforce Policy for Windows Login, click Enable.

  29. If you are using a trial version of PingID, to prevent your users from being locked out if your trial expires, in the Evaluation section, click Allow single sign-on without PingID.

PingID advanced setup

Use this topic for a description each of the settings in the PingID configuration and how to use them.

When you are ready to customize your configuration beyond the recommended defaults, use the following tables to determine the settings that best meet your business and technical needs.

Support

Section Description

Admin Message

The end user sees the Admin Message field when a multi-factor authentication (MFA) challenge is issued. The message should provide directions on getting help if the user has trouble signing on.

For example: In the event of difficulty, contact the Helpdesk at helpdesk@mycompany.com.

This field is optional.

Enrollment

Section Description

Mandatory Enrollment Date

The Mandatory Enrollment Date section specifies the last date an end user can choose not to enroll a device in PingID. When users are presented with an MFA challenge for the first time, they are prompted to enroll a device in the PingID service. This option allows existing users a grace period before requiring enrollment in PingID.

  • Until the specified mandatory enrollment date, a Not Now button is shown on the enrollment page, allowing the user to bypass both the enrollment process and the MFA challenge.

  • On and after the mandatory enrollment date, the Not Now button is not shown and the user must enroll a device in the PingID service to authenticate.

Self-Enrollment During Authentication

The Self-Enrollment During Authentication section specifies whether the end user is presented with the built-in PingID enrollment process during the user’s first MFA challenge:

  • Selecting Enable allows users to self-register a device with PingID and is the appropriate choice for most organizations. This is the default value.

  • Selecting Disable results in an error when a user without a registered device is prompted for MFA. Select this option if your organization needs to implement custom business processes as part of the user’s first MFA challenge.

    If Disable is selected, the Admin Message field should direct the user to the custom enrollment process of the organization.

    For example:

    To enroll a device in PingID, visit http://mycompany.com/registerMFA.

Devices

Section Description

Maximum Allowed Devices

The Maximum Allowed Devices setting specifies the maximum number of devices each user can enroll in PingID for MFA challenges. This provides a fallback in the event that a primary device is lost, stolen, or damaged.

It also allows organizations to create policies that require a specific device to be used in different MFA challenges.

Each additional device that a user enrolls increases the attack surface for that user.

Organizations should balance user convenience with security when choosing a value for the Maximum Allowed Devices section. The default value is 5.

Device Selection

The Device Selection option specifies whether a user’s primary device is used as the default for MFA.

This option is shown when Maximum Allowed Devices is greater than 1.

  • If Default to Primary is selected, the primary device is always used unless a PingID policy overrides this setting. If the primary device doesn’t respond to the MFA challenge in time, the user is prompted to select an alternate device if more than one is enrolled. This is the default setting and ensures a smooth, fast MFA experience for end users.

  • If Prompt User to Select is selected, the user is prompted to choose an enrolled device every time they receive an MFA challenge.

    Choosing Prompt User to Select generates additional user activity during MFA challenges.

Device Management

The Device Management section has three options:

  • Allow Users to Unpair and Change Devices Using the Mobile App lets users unpair a mobile device from within the PingID mobile application. It also allows the user to move their PingID enrollment from one mobile device to another. This is the default selection.

    This doesn’t allow users to add new devices, only to move from one mobile device to another.

    If all mobile devices are issued by the organization to its users, it is recommended that this selection be cleared. This prevents users from removing their company-issued mobile device from PingID.

    If individuals are allowed to use personal mobile devices, select Allow Users to Unpair and Change Devices Using the Mobile App.

  • Allow Users to Manage Their Devices on the Web lets users manage their MFA devices in the devices section of the PingOne dock.

  • Enable Device Management for Users with No Paired Devices lets users with no paired devices manage their devices in the Devices section of the PingOne dock.

    If this option is disabled, users must self-enroll during authentication before they can access the Devices section.

    This option requires that you select the Allow Users to Manage Their Devices on the Web check box.

Email Notification For New Devices

The Email Notification for New Devices section specifies whether PingID sends an email notification to the end user when a new MFA device is enrolled for their account:

  • Selecting Disable doesn’t notify the end user when new devices are registered for their account, and they aren’t able to report fraudulent activity. This is the default value.

  • Selecting Enable sends the end user an email when a new MFA device has been registered for their account. The email shows the type of device that was registered and a link to report to the PingID administrator if the action was fraudulent.

Mobile App Authentication

Section Description

New Request Duration

The New Request Duration setting defines the maximum amount of allowed time for an MFA challenge to reach a device before timing out as well as the total amount of time allowed for an MFA response before timeout:

  • If Default is selected, the amount of time for an MFA challenge to reach a device before timing out is 25 seconds, and the total amount of time allowed for an MFA response before timeout is 40 seconds. This means that the user has 15 seconds to respond to a challenge after receiving it.

    Timeouts for the Default value apply to all MFA challenges.

  • If Global is selected, Device Timeout and Total Timeout settings are displayed. For the Global value, values for Device Timeout and Total Timeout apply to all MFA challenges.

This is the recommended choice for most organizations.

  • The Device Timeout setting defines how much time is allowed for an MFA challenge to reach a device before timeout and allows the organization to override the default of 25 seconds.

  • The Total Timeout setting defines how much time is allowed for an MFA challenge response before timeout and allows the organization to override the default of 40 seconds.

    • If Advanced is selected, options for Web single sign-on (SSO), API, SSH, and VPN MFA challenges are presented, allowing the organization to set Device Timeout and Total Timeout for each different type of MFA challenge.

    For the Global or Advanced settings, you must set Total Timeout to at least 15 seconds greater than the Device Timeout value.

One-Time Passcode Fallback

This allows the organization to configure whether the end user can use a one-time passcode (OTP) within the PingID mobile application to complete an MFA challenge if the mobile push notification times out:

  • The Enable value is selected by default, and allows the user to use the OTP on their mobile device if a mobile push notification is not completed before timeout.

    This is useful when a mobile device doesn’t have data connectivity or has poor coverage.

  • The Disable value doesn’t allow the use of an OTP in the event of a mobile push notification timeout. The user can only retry the mobile push and not use an OTP.

Direct Passcode Usage

If One-Time Passcode Fallback is set to Enable, the Direct Passcode Usage option is displayed. Direct Passcode Usage configures whether the end user can use an OTP to complete an MFA challenge before a mobile push notification times out:

  • If Disable is selected, the user can enter an OTP if a mobile push notification times out but not before. This is the default value.

  • If Enable is selected, the user is presented with a Use Code button during a mobile push notification, which allows the user to enter an OTP.

Device Biometrics

The Device Biometrics section determines whether the PingID mobile app can use the native biometric capabilities of the mobile device, such as fingerprint authentication or face recognition:

  • If Disable is selected, the PingID mobile application won’t use the native biometric capabilities of the mobile device, and the end user must always swipe on their mobile device to complete MFA.

  • If Enable is selected, the PingID mobile app can use the mobile device’s native biometric capabilities, such as fingerprint authentication or face recognition, depending on the device’s capabilities.

    When Enable is selected, the Enable On and Face ID Consent sub-settings display:

    • Enable On determines whether device biometrics can be used on Apple devices, Android devices, or both. If neither Apple nor Android is selected, Device Biometrics is set to Disable.

    • Face ID Consent determines whether the user must consent to Face ID before a push notification is approved. If Face ID Consent is disabled, PingID will automatically approve a push notification if the end user is looking at their phone with the PingID app open. If Face ID Consent is enabled, a notification prompts the end user to confirm they wish to authenticate with Face ID. This option prevents end users from automatically approving MFA challenges without being able to review whether the challenge is valid.

  • If Required is selected, the PingID mobile app only accepts the biometric capabilities of the mobile device, as opposed to also presenting the swipe option. Enrolled mobile devices must have biometric capabilities configured for the device. If biometric capabilities are not configured or are disabled for the PingID mobile application, the user receives an error on their mobile device during MFA and cannot complete the MFA challenge.

    When selected, the Notification Actions option displays. Notification Actions determines can complete MFA challenges from mobile notification banners:

    • If Disable is selected for Notification Actions, the user cannot act upon an MFA challenge from a notification banner and is required to unlock the phone and open the PingID application to complete MFA.

    • If Enable is selected for Notification Actions, the user can take action on an MFA challenge from a notification banner. For a full description of the behavior of Apple and Android devices for the Disable and Enable options of Notification Actions, review the Cases Matrix for iPhone iOS 8+ Devices and Cases Matrix for Android 5.0+ Devices tables in Configuring authentication for the PingID mobile app.

Authentication While Device is Locked

The Authentication While Device is Locked section determines whether the PingID mobile application presents the swipe option over the Android lock screen. Enabling this setting streamlines the user experience on Android devices, but also makes it easier for a fraudulent MFA approval. Organizations should weigh the user experience against the weaker security footprint when configuring this setting:

  • If Disable is selected, the user must unlock their Android device before completing MFA.

  • If Enable is selected, the PingID application presents a swipe request over the Android device’s lock screen.

    This setting applies only to versions of Android older than Android Q. As of Android Q, application notifications are no longer allowed over the device’s lock screen.

Alternate Authentication Methods

The following table shows the options for SMS, Voice, Email, YubiKey, Desktop, Security Key, OATH Tokens, and FIDO2 Biometrics.

Option Description

Enable

Selecting the Enable check box of the corresponding item enables the use of that type of device for MFA challenges within PingID.

If the Enable check box is cleared, that device type is not supported for your organization within PingID, and the user is unable to register such a device.

Pairing

Selecting the Pairing check box of the corresponding authentication method allows device pairing for that method. This check box is automatically selected when an authentication method is enabled. Disabling pairing is useful to phase out a specific method of authentication without blocking existing users from authenticating.

When pairing is disabled, devices that are already paired are not affected, and the corresponding method is still available as a backup authentication method.

Pre-Populate

The Pre-Populate check box tells PingID to retrieve a value from an associated identity repository for that authentication type. To use the Pre-Populate setting, you must have an identity repository configured in PingOne or have the appropriate attributes configured within PingOne if you are using the internal PingOne directory.

For more information, see Identity providers and Configuring the phone number attribute in PingOne.

  • For SMS and Voice, the value retrieved is a phone number, while for Email the value is an email address.

  • Pre-population of selected values into PingID occurs at the time the user goes through registration.

  • Pre-population of values does not occur if the user registers using the Windows login adapter, SSH adapter, or VPN adapter.

  • Pre-population of values does not mean that the corresponding devices are registered, only that values for the selected devices are pre-populated for user convenience.

  • The Pre-Populate check box cannot be changed unless the corresponding device type is enabled.

Restrict

The Restrict check box is enabled for any factor which has the Pre-Populate value selected. If Restrict is selected, the user cannot change the pre-populated value for that device.

For example, if Pre-Populate and Restrict are selected for SMS, a phone number is pre-populated from the integrated identity repository, and the user cannot change that phone number.

Backup Authentication

The Backup Authentication check box specifies whether the selected device factor can be used in the event that a user is unable to use a registered device.

The types of devices that an organization enables for alternate authentication methods should be determined by the amount of control an organization wants to have over their user’s MFA devices as well as the impact of that device on the organization’s security footprint:

  • If Backup Authentication is selected for a device factor, a value for that factor is retrieved from the integrated identity repository and is presented to the user as an option for the Forgot Your Device? button during an MFA challenge.

  • You can select the Backup Authentication check box even if the corresponding device type is not enabled as a primary factor.

In this scenario, the device type is not available for registration, but can still be used to assist a user complete an MFA challenge if the user indicates that their registered MFA devices are unavailable.

SMS, email, and voice factors are less secure than other alternate methods, such as the PingID mobile application.
Section Description

Voice

The Local Language for Voice Calls setting allows voice calls, if enabled as a factor, to be performed in a language local to the end user when using web-based SSO. The local language is determined by the language specified in the user’s browser:

  • If set to Disable, voice calls are always in English.

  • If set to Enable, voice calls are in the local language as determined by the web browser. If the browser’s local language isn’t supported, the call will be in English.

    Because Windows login, SSH, and VPN don’t use a browser, voice calls are always in English for those authentication types. For a list of supported languages, see PingOne language support.

SMS/Voice

SMS and voice MFA challenges are performed utilizing Twilio. The Twilio Account section allows the organization to choose whether to use Ping Identity’s Twilio account or to use the organization’s own Twilio account:

  • Selecting Ping Identity configures PingID to use the Ping Identity Twilio account.

    Using the Ping Identity Twilio account incurs per-transaction charges.

  • Selecting Custom configures PingID to use your organization’s Twilio account for SMS and voice MFA challenges:

    • Selecting Custom displays text boxes for Account SID and Auth Token, which the organization must provide from its Twilio account.

    • Organization Numbers are displayed when the Twilio account has been verified by clicking Verify Account.

      One or more of the Organization Numbers must be selected, and PingID uses one of the selected numbers as the originating number for SMS and voice MFA challenges.

    • Fallback to Default Account determines whether PingID falls back to the Ping Identity Twilio account in the event of an error using the organization’s unique account:

      • Selecting Disable configures PingID not to fall back to the Ping Identity Twilio account and will cause SMS and voice MFA challenges to fail in the event of an error with the organization’s unique Twilio account.

      • Selecting Enable configures PingID to use the Ping Identity Twilio account if an error occurs using the organization’s unique Twilio account.

The Daily Used SMS/Voice Limit and Daily Unused SMS/Voice Limit sections specify how many SMS or voice calls a user can receive each day. This prevents abuse of the SMS and voice service.

  • The Daily Used SMS/Voice Limit field specifies the number of SMS or voice authentication requests a user can receive and respond to each day. The default value is 15 for the licensed version of PingID and 5 for the trial version.

  • The Daily Unused SMS/Voice Limit field specifies the number of SMS or voice authentication requests a user can receive and not respond to each day. The default value is 10 for the licensed version of PingID and 5 for the trial version.

For more information, see SMS and voice usage limits.

Desktop

Ping Identity provides a desktop application for Windows and Mac which presents an OTP for use during MFA challenges. This application should not be confused with the PingID integrated Windows login adapter.

The Desktop section is only visible if Desktop has been enabled in the Alternate Authentication Methods section.

To provide an additional layer of protection for the desktop application, the Desktop Security PIN setting determines whether a PIN is required to unlock the desktop application. The PIN for the desktop application is uniquely set by each user:

  • If Disable is selected, no PIN code is required to unlock the application.

  • If 4-Digit is selected, a four-digit PIN is required to unlock the desktop application.

  • If 6-Digit is selected, a six-digit PIN is required to unlock the desktop application.

  • The Use Proxy for Desktop setting allows an organization to configure the desktop application to use an enterprise proxy for internal and internet communication.

    • Selecting Disable configures PingID to support only non-proxied desktop applications.

    • Selecting Enable configures PingID to support proxied desktop applications.

      Organizations should consider the security implications of using a desktop-based application for retrieving OTPs, as having the application on the same desktop on which MFA is initiated might reduce the security value of the MFA challenge.

Security Key

The Security Key section contains two options:

  • Resident Key determines whether a private key will be stored on the authenticator to enable passwordless authentication.

  • User Verification determines whether end users are preferred or required to authenticate using a security key that supports a user verification interaction.

    If Resident Key is set to Required, User Verification is automatically required.

Policy

Setting Description

Enforce Policy

The Enforce Policy setting is a master on-off switch for PingID authentication policies:

  • If Disable is selected, no PingID policies are processed during MFA challenges.

  • If Enable is selected, PingID policies are processed during MFA challenges.

For more information on creating policies or to view the PingID documentation on policies, see Authentication policy.

Enforce Policy for Windows Login

The Enforce Policy for Windows Login setting tells PingID whether to process PingID policies specifically for the Windows login adapter:

  • If Disable is selected, PingID policies are not processed for Windows login MFA challenges.

  • If Enable is selected, PingID policies are processed for Windows login MFA challenges.

Evaluation

If you are running a trial of PingID, the Evaluation section is visible. After you purchase PingID, the Evaluation section is no longer displayed.

Setting Description

Expiration Policy

The Expiration Policy setting determines how PingID behaves when an organization’s PingID trial has expired:

  • The Allow Single Sign-on Without PingID setting configures PingID to automatically approve any MFA challenges without prompting the user. This value effectively sets PingID to pass through all requests without evaluating them.

  • The Decline Single Sign-on Attempts Using PingID configures PingID to automatically deny any MFA challenges. This value prevents users from being able to complete authentication processes where PingID is integrated.