Some organizations may have customers who do not have a smart mobile device, or prefer not to download mobile apps on their mobile devices. PingID SDK supports the alternative usage of one time passcodes (OTPs) sent to users via email messages.
PingID SDK supports the following:
- Pairing a user’s first device and additional devices using an OTP received by email.
- Authentication using email OTP.
- Device management for paired email addresses, including functionality for email unpair, bypass, rename and transition between the primary and secondary device roles.
- Optionally use your organization’s own SMTP server for email notifications. See Trusted email domains and Trusted email addresses.
Several factors should be considered:
- In contrast to a mobile device, an email address may be considered a virtual device, since the address, rather than a physical device, is paired with a user and application. For example, an address used for email authentication may be accessible on multiple physical devices, without affecting its paired PingID SDK status.
- The email authentication method must be enabled in the PingID SDK configuration, to allow both pairing and authentication via email. By default, email support is disabled in the PingID SDK configuration.
- If the email configuration is enabled and there are users with paired email addresses, those addresses will be unpaired if the email configuration is disabled. If the email configuration is enabled again, it will not automatically pair those email addresses, and they will remain unpaired.
- Content without an MFA context could be misused or mishandled in a way that could make the user vulnerable to an OTP highjack.
- Adding links to an email should be avoided, to reduce the possibility of an attacker issuing a similar message in a phishing attack.
Pairing a user’s device using OTP
An email address can be paired as a user’s primary device, or as an additional device. If the user has no primary device, the email address is paired as the user’s primary device, otherwise, it is paired as a secondary device.
- It is possible to name the device during the pairing process or from the self service page, depending of customer implementation.
- If the device was not named, the PingID SDK server allocates the default name “Email #”, where the first email address is “Email 1”, the second is “Email 2” and so forth, according to the number of email addresses paired by the user.
- The pairing message content is provided by the organization. It is possible to send a pairing message in any language.
- The pairing process fails at any stage of the flow if:
- The application is disabled.
- The user is suspended.
- The email authentication method is disabled for the application.
- The user has reached the maximum number allowed devices
- Email configuration is not specified or invalid. Refer to Offline devices (email) pairing API for more details.
- In order to avoid cases of race conditions and confusion in cases of pairing processes which are pending, a new pairing process only invalidates unfinished pairing processes of the same authentication method for this user in this application. For example, initializing a new mobile pairing process invalidates pending mobile pairing processes for this user in this application, but not pending pairing processes for other device types such as SMS or email.
Manual OTP pairing
The manual OTP pairing process comprises 2 steps:
- The user receives a message (for example, an email or SMS) with a one time passcode (OTP).
- The user, in turn, has to use the OTP in order to finalize the pairing process. If the user enters an invalid OTP 3 times in succession, the pairing process fails.