Authentication considerations

There are specific cases that admins and developers should consider when integrating the PingID SDK component into the authentication process:

Device selection for authorizing a new device, when there is more than one trusted device

If a user has a primary device or only one trusted device configured, that device will be used for authorizing a new device or for performing authentication.

If a user has more than one trusted device but no primary device, or if the configuration of the application is to always let the user choose the authenticating device, then the customer server will have to determine which paired device to use.

In this case, the customer server determines which device to use by one of the following approaches:

  • Relying on its own business logic (first paired device, latest used paired device, most used paired device, or any other logic).
  • The user selects which device to use. The PingID SDK component supports retrieving the user’s paired devices. This list can then be displayed to the user, who selects the device to use for authorization.
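The selection rules above, written out for a customer server as an added Python example (not Ping Identity code). The `PairedDevice` fields, the function name, the flag names, and the sample data are assumptions for illustration; populate the records from the paired device list your server retrieves.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class PairedDevice:  # hypothetical record; fields are assumptions, not the SDK schema
    device_id: str
    trusted: bool
    primary: bool
    paired_at: int      # epoch seconds
    last_used_at: int   # epoch seconds
    use_count: int

# Business-logic policies named in the list above.
POLICIES = {
    "first_paired": lambda ds: min(ds, key=lambda d: d.paired_at),
    "latest_used": lambda ds: max(ds, key=lambda d: d.last_used_at),
    "most_used": lambda ds: max(ds, key=lambda d: d.use_count),
}

def choose_authorizing_device(devices: List[PairedDevice], policy: Optional[str] = None,
                              always_user_choice: bool = False,
                              user_choice: Optional[str] = None) -> Optional[PairedDevice]:
    """Return the device to use, or None when the list must be shown to the user."""
    trusted = [d for d in devices if d.trusted]
    if not trusted:
        raise LookupError("user has no trusted device")
    if len(trusted) == 1:
        return trusted[0]
    if not always_user_choice:
        primary = next((d for d in trusted if d.primary), None)
        if primary is not None:
            return primary
    if user_choice is not None:
        # The id comes from the client: accept it only if it is one of this
        # user's own trusted devices, never look it up globally.
        for d in trusted:
            if d.device_id == user_choice:
                return d
        raise PermissionError("selected device is not a trusted device of this user")
    if always_user_choice or policy is None:
        return None
    return POLICIES[policy](trusted)

# Constructed sample data: two trusted devices, one untrusted, no primary.
SAMPLE = [
    PairedDevice("dev-a", True, False, 100, 500, 3),
    PairedDevice("dev-b", True, False, 200, 900, 2),
    PairedDevice("dev-c", False, False, 50, 950, 10),
]
```

A `None` result means the server should return the trusted device list for display and call the function again with the user's selection in `user_choice`.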

New device authorization when the trusted authorizing device is offline

If the trusted device you want to use to authorize a new device is offline, or cannot be reached by the PingID SDK API, you can still authorize new devices by using a one-time passcode (OTP) from the trusted device.

In this case, after an attempt to reach the trusted authorizing device fails, the user can be offered the option to enter the OTP value from the authorizing device. The OTP is sent to the customer server, which in turn sends it to the PingID SDK server. The server payload is returned to the customer mobile application and then passed to the PingID SDK component, which completes the pairing process.