---
title: Authentication flow states
description: An application's sign-on policy determines the flow states and the corresponding actions required to complete an authentication workflow. When the authentication workflow begins, the flow gets the list of sign-on policies assigned to the application and evaluates the policy conditions that must be met to complete sign on. The sign-on policy evaluation logic is shown in the diagram below:
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/pingone-authentication-flow-states
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/pingone-authentication-flow-states.html
section_ids:
  common-authentication-actions: Common authentication actions
---

# Authentication flow states

An application's sign-on policy determines the flow states and the corresponding actions required to complete an authentication workflow. When the authentication workflow begins, the flow gets the list of sign-on policies assigned to the application and evaluates the policy conditions that must be met to complete sign on. The sign-on policy evaluation logic is shown in the diagram below:

![Sign-on policy evaluation logic](../../_images/p1_PolicyLogic.svg)

For more information about sign-on policies, refer to [Sign-on policies](../../platform/sign-on-policies.html), [Sign-on policy actions](../../platform/sign-on-policies/sign-on-policy-actions.html), and [Application sign-on policy assignments](../../platform/applications/application-sign-on-policy-assignments.html) in the *PingOne Platform APIs*.

## Common authentication actions

The PingOne flow API supports single-factor and multi-factor actions to complete an authentication workflow. For a single-factor login flow, there are four branches that allow the user to submit a username and password (or create a new account). PingOne also supports an identity first discovery action that identifies the user and determines the user's applicable identity provider and authentication methods. For a multi-factor authentication action, there are two branches in which either a one-time password (OTP) or a push confirmation is used as the second factor in the authentication workflow.

PingOne supports a progressive profiling action that prompts users to provide additional data at sign on. This action type does not authenticate users. It is used only to obtain additional profile data.

* [Login action](pingone-authentication-flow-states/login-action.html)

  * Sign on with username and password

  * Forgot password

  * Register user

  * Sign on with identity provider

* [Identifier first action](pingone-authentication-flow-states/identifier-first-action.html)

* [Multi-factor (MFA) action](pingone-authentication-flow-states/multi-factor-mfa-action.html)

  * Push authentication

* [Progressive profiling action](pingone-authentication-flow-states/progressive-profiling-action.html)

|   |                                                                                                                                               |
| - | --------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For more information about flow states and their associated sign-on actions, refer to [Flows](../../auth/flows.html) in *Platform Auth APIs*. |