--- title: PingOne MFA description: The PingOne MFA services provide capabilities for enabling MFA actions in authentication flows, configuring MFA settings and policies, and specifying MFA devices. component: pingone-api page_id: pingone-api:mfa:introduction canonical_url: https://developer.pingidentity.com/pingone-api/mfa/introduction.html page_aliases: ["index.adoc"] section_ids: authentication-methods: Authentication methods --- # PingOne MFA The PingOne MFA services provide capabilities for enabling MFA actions in authentication flows, configuring MFA settings and policies, and specifying MFA devices. For MFA authentication: * The /deviceAuthentications endpoint initiates and completes an MFA action without requiring a call to the PingOne authorize service. It supports actions to select a supported MFA device device type and to validate a one-time passcode (OTP). Refer to [MFA Device Authentications](#mfa-device-authentications). For MFA policies and settings: * The MFA settings endpoint supports operations to read, update, and reset the PingOne MFA settings associated with a specified environment. Refer to [MFA Settings](#mfa-settings). * The Device authentication policies (identified in the PingOne UI as "MFA Policies") enable you to configure different settings per MFA authentication method, according to your security policies. Refer to [Device Authentication Policies](#device-authentication-policies). For MFA device management: * The enable user settings (MFA) control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability. refer to [Enable Users MFA](#enable-users-mfa). * The MFA devices service defines the MFA method or methods associated with a user, such as email, SMS, voice, or other MFA device types for use in an MFA flow. Refer to [MFA Devices](#mfa-devices). * To enable multi-factor authentication (MFA) via push notification on a native device, the user resource must have a native device and an application associated with its user ID. The association is implemented with a pairing key. Refer to [MFA Pairing Keys](#mfa-pairing-keys). | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | These requests require `PING_ONE_MFA` in the Bill of Materials (BOM) for your environment. To check the BOM for the list of PingOne products associated with your environment, refer to [Read One Bill of Materials](/pingone/platform/v1/api/#get-read-one-bill-of-materials). If `PING_ONE_MFA` is not in the BOM, contact your PingOne administrator to check whether your license supports adding this product to your environment. | ## Authentication methods PingOne MFA supports the following authentication methods: | Authentication Method Reference (amr) | Description | | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | `EMAIL` | OTP through email | | `MCA` | Multiple-channel authentication, indicating that an out-of-band operation through mobile push, either interactive or "silent" | | `MFA` | Multi-factor authentication, indicating some MFA method, as opposed to a Bypass scenario | | `OTP` | Time-based one-time passcode using an authenticator application or mobile OTP | | `SMS` | OTP through SMS text message | | `SWK` | Software-secured key, indicating device authorization using a trusted mobile device | | `TEL` | OTP through a phone call | | `USER` | User presence test, indicating an interactive push notification approved by the user, as opposed to a non-interactive "silent" push notification | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | **Note** The mobile application can pass any string (such as as `face`, `ftp`, `pin`, etc.) as AMR using the `approve()` method to indicate how the user approved the authorization on a push notification flow. Refer to [PingOne MFA SDK for Android](/pingonenative-sdks/v1/#pingone-mfa-sdk-for-android). |