Once a user has paired a device, they can pair additional devices to their account by downloading the same customer mobile application to the new devices and logging in to their account. To authorize the new device, the PingID SDK server sends an authentication request to the already trusted device (usually a primary device), with the details of the new device. The user then needs to authorize the new device.
- The user is identified on the customer mobile application, usually with a username and password.
- The PingID SDK component passes a payload to the customer mobile application.
- The customer mobile application sends an authentication request to the customer server, with the username, password and payload.
- The customer server performs the first-factor authentication and, if it is successful, sends a request to the PingID SDK server to get a user. The user resource contains the status of the user and their devices.
- The customer server sends an authentication request to the PingID SDK server.
- The PingID SDK server sends a push notification to the PingID SDK component on the user’s paired device. This triggers an event in the paired customer mobile application with the available trust levels that the user can choose for the new device:
  - Pair this device as a Primary device. This option is available only if the user doesn’t already have a primary device.
  - Pair this device as a Trusted device.
  - Ignore this device for an interval of time.
  - Deny access to the new device, for this login attempt.
  - Block access to the new device for future login attempts.
- Based on the user’s choice, the paired customer mobile application invokes a function in the PingID SDK component, with the new device’s trust level: Primary, Trusted, Ignore, Deny or Block.
- The customer mobile application on the new device sends a request to the PingID SDK server, with the user’s choice.
- The customer mobile application on the new device receives the payload and passes it in the response to the PingID SDK component.
- The PingID SDK component receives the server payload. The payload contains the data required to complete the pairing process of the new device, if the user chose to pair it.
- If the user chose to approve the device, the function in the PingID SDK component pairs the new device.
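The trust-level rules in the steps above can be modelled in a few lines. This is an added example, not PingID SDK code: `User`, `offered_levels` and `apply_choice` are hypothetical names, the sample user is constructed, and the length of the Ignore interval is not modelled. It shows the check that a chosen trust level was actually offered, and that only Primary and Trusted result in pairing.

```python
from dataclasses import dataclass, field
from enum import Enum


class TrustLevel(Enum):
    PRIMARY = "Primary"
    TRUSTED = "Trusted"
    IGNORE = "Ignore"
    DENY = "Deny"
    BLOCK = "Block"


@dataclass
class User:
    """Hypothetical stand-in for the user resource (not the PingID SDK schema)."""
    devices: dict = field(default_factory=dict)  # device id -> TrustLevel
    blocked: set = field(default_factory=set)    # device ids the user blocked

    def has_primary(self):
        return TrustLevel.PRIMARY in self.devices.values()


def offered_levels(user):
    """Trust levels the already paired device can offer for a new device."""
    levels = [TrustLevel.TRUSTED, TrustLevel.IGNORE,
              TrustLevel.DENY, TrustLevel.BLOCK]
    if not user.has_primary():
        levels.insert(0, TrustLevel.PRIMARY)  # only when no primary exists
    return levels


def apply_choice(user, new_device_id, choice):
    """Apply the user's choice; return True only if the new device is paired."""
    if new_device_id in user.blocked:
        return False  # blocked on an earlier attempt, so never paired
    if choice not in offered_levels(user):
        raise ValueError(f"{choice.value} was not offered for this user")
    if choice in (TrustLevel.PRIMARY, TrustLevel.TRUSTED):
        user.devices[new_device_id] = choice
        return True
    if choice is TrustLevel.BLOCK:
        user.blocked.add(new_device_id)  # remembered for future logins
    return False  # Ignore, Deny and Block leave the device unpaired


# Constructed sample: a user whose phone is already the primary device.
alice = User(devices={"phone-1": TrustLevel.PRIMARY})
print([level.value for level in offered_levels(alice)])
print(apply_choice(alice, "tablet-7", TrustLevel.TRUSTED))
```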
After the new device has been paired during the login process, a new payload is generated on every login, exactly as in the pairing flow, which allows PingID SDK to perform device authorization.
The system administrator can configure PingID SDK to add an extra verification push: an out-of-band push message sent to the device as part of the authentication process, which provides a superior level of security. Extra verification is not a necessary condition for completing authentication successfully. The final decision rests with the customer server.