Considerations for SMS pairing and authentication

Some organizations may have customers who do not have a smart mobile device, or prefer not to download mobile apps on their mobile devices. PingID SDK supports the alternative usage of one time passcodes (OTPs) via text messages (SMS).

PingID SDK supports the following:

  • Pairing a user’s first device and additional devices using SMS.
  • Authentication using SMS OTP.
  • Device management for SMS paired devices, including functionality for device unpair, bypass, rename and transition between the primary and secondary device roles.

Several factors should be considered:

  • In contrast to a mobile device, an SMS device may be considered a virtual device, since the phone number, rather than a physical device, is paired with a user and application. For example, a phone number used for SMS authentication may be ported from one mobile device to another, without affecting its paired PingID SDK status.
  • The SMS authentication method must be enabled in the PingID SDK configuration, to allow both pairing and authentication via SMS. By default, SMS support is disabled in the PingID SDK configuration.
  • If the SMS configuration is enabled and there are users with paired SMS devices, those devices will be unpaired if the SMS configuration is disabled. If the SMS configuration is enabled again, it will not automatically pair those devices, and they will remain unpaired.

Usage limits for SMS pairing and authentication

The daily counters are reset every night at midnight UTC.

PingID Account Types

Usage PingID Trial PingID Licensed

Enrollment/Pairing

100 per organization

Unlimited

Authentication

5 per user per day (used or unused)

  • Used: 15 (default).

    Configurable to a value between 1-50 per user per day per application.

  • Unused: 10 (default).

    Configurable to a value between 1-50 per user per day per application.

Used and unused SMS limits

Term Description

Used

The number of SMS authentication requests a user may receive and respond to each day.

Unused

The number of SMS authentication requests a user may receive and not respond to each day.

Pairing a user’s device using SMS

An SMS device can be paired as a user’s primary device, or as an additional device. If the user has no primary device, the SMS device is paired as the user’s primary device, otherwise, it is paired as a secondary device.

  • It is possible to name the device during the pairing process or from the self service page, depending on customer implementation.
  • If the device was not named, the PingID SDK server allocates the default name “Mobile #”, where the first SMS device is “Mobile 1”, the second is “Mobile 2” and so forth, according to the number of SMS devices paired by the user.
  • The pairing message content is provided by the organization. It is possible to send a pairing message in any language.
  • Trial accounts are limited to 100 pairing SMS messages per account. Fully licensed accounts have an unlimited amount of pairing SMS messages.
  • The pairing process fails at any stage of the flow if:

    • The application is disabled.
    • The user is suspended.
    • The SMS authentication method is disabled for the application.
    • The user has reached the maximum number of allowed devices.
    • The SMS sender ID, if provided, is invalid.
    • The SMS message is invalid.
    • The trial account has reached the limit of 100 pairing SMS messages.

    Refer to Offline devices (SMS) pairing API for more details.

  • In order to avoid cases of race conditions and confusion in cases of pairing processes which are pending, a new pairing process only invalidates unfinished pairing processes of the same authentication method for this user in this application. For example, initializing a new mobile pairing process invalidates pending mobile pairing processes for this user in this application, but not pending pairing processes for other device types such as SMS or email.

Manual OTP pairing

The manual OTP pairing process comprises 2 steps:

  1. The user receives a message (for example, an SMS) with a one time passcode (OTP).
  2. The user, in turn, has to use the OTP in order to finalize the pairing process. If the user enters an invalid OTP 3 times in succession, the pairing process fails.

Automatic OTP pairing

In automatic OTP pairing, the SMS device is paired without user involvement, and is transparent to the user. In this case the user doesn’t have to use the OTP in order to finalize the pairing process.

Authentication using OTP

OTP authentication comprises 2 steps:

  1. The user receives a text message with a one time passcode (OTP).
  2. The user, in turn, has to use the OTP in order to finalize the authentication process. If the user enters an invalid OTP 3 times in succession, the authentication process fails. If the authentication process is not finalized with a valid OTP within 30 minutes, the authentication process is automatically cancelled.
  • The SMS sender ID, if provided, is invalid.
  • The SMS message is invalid.
  • The user reached the daily used or unused SMS messages limit.

Refer to Authenticate with SMS for more details.

SMS device management

Device management includes functionality for device unpair, bypass, renaming and transition between the primary and secondary device roles. This functionality is implemented for SMS devices in the same manner as for mobile application devices.