PingOne Platform APIs

PingOne MFA

The PingOne MFA services provide capabilities for enabling MFA actions in authentication flows, configuring MFA settings and policies, and specifying MFA devices.

For MFA authentication:

  • The /deviceAuthentications endpoint initiates and completes an MFA action without requiring a call to the PingOne authorize service. It supports actions to select a supported MFA device type and to validate a one-time passcode (OTP). Refer to MFA Device Authentications.

For MFA policies and settings:

  • The MFA settings endpoint supports operations to read, update, and reset the PingOne MFA settings associated with a specified environment. Refer to MFA Settings.

  • The Device authentication policies (identified in the PingOne UI as "MFA Policies") enable you to configure different settings per MFA authentication method, according to your security policies. Refer to Device Authentication Policies.

For MFA device management:

  • The enable user settings (MFA) control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability. Refer to Enable Users MFA.

  • The MFA devices service defines the MFA method or methods associated with a user, such as email, SMS, voice, or other MFA device types for use in an MFA flow. Refer to MFA Devices.

  • To enable multi-factor authentication (MFA) via push notification on a native device, the user resource must have a native device and an application associated with its user ID. The association is implemented with a pairing key. Refer to MFA Pairing Keys.

These requests require PING_ONE_MFA in the Bill of Materials (BOM) for your environment. To check the BOM for the list of PingOne products associated with your environment, refer to Read One Bill of Materials. If PING_ONE_MFA is not in the BOM, contact your PingOne administrator to check whether your license supports adding this product to your environment.

Authentication methods

PingOne MFA supports the following authentication methods:

| Authentication Method Reference (amr) | Description |
|---|---|
| EMAIL | OTP through email |
| MCA | Multiple-channel authentication, indicating an out-of-band operation through mobile push, either interactive or "silent" |
| MFA | Multi-factor authentication, indicating some MFA method, as opposed to a Bypass scenario |
| OTP | Time-based one-time passcode using an authenticator application or mobile OTP |
| SMS | OTP through SMS text message |
| SWK | Software-secured key, indicating device authorization using a trusted mobile device |
| TEL | OTP through a phone call |
| USER | User presence test, indicating an interactive push notification approved by the user, as opposed to a non-interactive "silent" push notification |

Note: The mobile application can pass any string (such as face, ftp, pin, etc.) as AMR using the approve() method to indicate how the user approved the authorization in a push notification flow. Refer to PingOne MFA SDK for Android.
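The amr values in the table above can drive a relying-party policy check. The following is an added example, not PingOne code: it flags a missing MFA value (the Bypass case) and a push that lacks the USER presence test, and keeps strings outside the table apart because the mobile application can supply them. The function name `assess_amr`, the list-of-strings input, and the case-insensitive matching are assumptions.

```python
"""Policy check over amr values, using the table on this page (added example)."""

# Values copied from the table on this page.
OTP_CHANNELS = {"EMAIL", "SMS", "TEL", "OTP"}
TABLE_VALUES = OTP_CHANNELS | {"MCA", "MFA", "SWK", "USER"}


def assess_amr(amr, require_interactive_push=True):
    """Classify a list of amr strings and decide whether it meets policy.

    Assumptions (not from the page): amr arrives as a list of strings taken
    from an already-verified token or API response, and matching against
    the table is case-insensitive.
    """
    known, custom = set(), []
    for raw in amr or []:
        value = str(raw).strip()
        if not value:
            continue
        if value.upper() in TABLE_VALUES:
            known.add(value.upper())
        elif value not in custom:
            # Outside the table: the page notes the mobile app can pass any
            # string via approve(), so these are reported separately.
            custom.append(value)

    reasons = []
    if "MFA" not in known:
        reasons.append("MFA value absent: bypass or no MFA method")
    if "MCA" in known and "USER" not in known and require_interactive_push:
        reasons.append("MCA without USER: silent push, no user presence test")

    return {
        "ok": not reasons,
        "reasons": reasons,
        "otp_channels": sorted(known & OTP_CHANNELS),
        "push": "MCA" in known,
        "trusted_device": "SWK" in known,
        "custom": custom,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real environment.
    for sample in (["mfa", "mca", "swk", "user", "face"], ["mfa", "mca", "swk"],
                   ["mfa", "sms"], ["pwd"]):
        print(sample, "->", assess_amr(sample))
```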