A multi-factor authentication (MFA) policy requires two pieces of evidence to verify a user's identity, such as a user name and password as well as a one-time passcode sent over SMS, voice or email, or a push notification to the user's mobile device. You can also use multi-factor authentication to set up passwordless authentication. See Setting up passwordless authentication.
- Go to Authentication > Authentication.
- Click + Add Policy to create a new policy, or click the pencil icon to edit an existing one.
- Click + Add Step.
- From the Step Type list, select Multi-Factor Authentication.
- From the MFA Policy list, select an MFA policy that has been defined for the environment. For more information on defining MFA policies, see MFA policies.
-
None or incompatible methods:
For MFA scenarios in which users attempt to sign on, but do not have any enrolled MFA devices that comply with the permitted Available Methods, choose the flow:
- Block: Do not permit these users to sign on, because they don't have a usable device for MFA.
- Bypass: Allow users without a usable MFA device to
bypass the MFA flow.
To leverage the Bypass option, the user must already be authenticated, either by a password (login step), or by supplying a signed
login_hint_tokenin the request object. Seelogin_hint_tokenin the GET Authorize (Browserless and MFA Only Flows) operation in the PingOne Platform API Reference.
-
Enter or edit the requirement conditions. If one or more of the following conditions
are met, the user will be prompted to use a two-step authentication method.
- Last sign-on older than. Requires users to sign in if their previous login is older than the configured value.
- Accessing from IP out of range. Requires users to sign in if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range.
- Being a member of any of these populations. Requires users to sign in if the user belongs to the specified population or populations.
- User attributes. Requires users to sign in if they
match a specified user attribute, such as postal code or user ID. For example,
Postal Code = 78750. Select the check box, then click + Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR). - IP reputation is high risk. PingOne collects and analyzes IP
address data of authentication requests from the user's accessing device. An IP
address is considered high risk if it may have recently been involved in
malicious activities, such as DDoS attacks or spam activity. Select the
checkbox to require MFA when authentication requests come from IP addresses
with high risk scores. Note:
The IP reputation option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.
- A geovelocity anomaly is detected. PingOne analyzes location data
from the user's accessing device. It determines whether travel time between a
user’s current login location and their previous login location is possible in
the time frame that has elapsed since the previous login. Select the checkbox
to require MFA when a geovelocity anomaly is detected. Note:
The Geovelocity anomaly option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.
- Anonymous network detection. PingOne collects and analyzes IP
address data of authentication requests from the user's accessing device.
Select the checkbox to require MFA when PingOne identifies an IP address
as originating from an anonymous network such as an unknown VPN, proxy, or an
anonymous communication tool such as Tor. Exclude IP addresses in the
Whitelist by entering them in CIDR notation in a
comma-separated list. Note:
The Anonymous network detection option is a feature that is available only with a PingOne Protect or PingOne for Customers Passwordless license.
- Click Save.