Enable MFA


MFA settings

The multi-factor authentication (MFA) settings control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability for a user.

For information about user MFA device management, see Enable user devices.

Users MFA settings API operations

The users enable MFA endpoints support the following operations:


MFA settings data model

Property Description
id A string that specifies the user resource’s unique identifier.
mfaEnabled A read-only boolean attribute that specifies whether multi-factor authentication is enabled. This attribute is set to ‘false’ by default when the user is created.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.

Endpoint examples

Get MFA enabled setting

When a new user resource is created, the mfaEnabled attribute that controls the user’s ability to use multi-factor authentication is set to false by default.

For existing users, you can use the GET /environments/{environmentId}/users/{userId}/mfaEnabled operation to check whether MFA is enabled or disabled for the specified user.

curl -X "GET" "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}/mfaEnabled" \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/b7372995-824b-44ff-99f8-ab151dac3263/users/05ad3cc6-8723-4f85-9711-05ad549717f6/mfaEnabled"
    },
    "user": {
      "href": "https://api.pingone.com/v1/environments/b7372995-824b-44ff-99f8-ab151dac3263/users/05ad3cc6-8723-4f85-9711-05ad549717f6"
    }
  },
  "mfaEnabled": false
}
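The following added example (not part of the PingOne documentation) shows one way to audit a batch of these GET responses and list the users whose MFA is disabled. It assumes that environment and user IDs are UUIDs and that `_links.self.href` echoes the requested URL, as in the sample above; the function names and the second and third user IDs are constructed for illustration.

```python
import json
import uuid

API_BASE = "https://api.pingone.com/v1"  # base URL as shown on this page


def mfa_enabled_url(environment_id, user_id):
    """Build the mfaEnabled URL, rejecting IDs that are not UUIDs (assumption)."""
    env, usr = str(uuid.UUID(environment_id)), str(uuid.UUID(user_id))
    return f"{API_BASE}/environments/{env}/users/{usr}/mfaEnabled"


def parse_mfa_enabled(body, expected_url):
    """Return mfaEnabled from a response body; raise instead of guessing."""
    doc = json.loads(body)
    if doc["_links"]["self"]["href"] != expected_url:
        raise ValueError("response describes a different resource")
    value = doc["mfaEnabled"]
    if not isinstance(value, bool):  # "true" (a string) must not pass as True
        raise ValueError("mfaEnabled is not a JSON boolean")
    return value


def users_without_mfa(environment_id, responses):
    """Return sorted user IDs whose MFA is off or whose response is untrustworthy."""
    flagged = []
    for user_id, body in responses.items():
        try:
            enabled = parse_mfa_enabled(body, mfa_enabled_url(environment_id, user_id))
        except (ValueError, KeyError, TypeError, AttributeError):
            enabled = False  # fail closed: unverifiable counts as not enabled
        if not enabled:
            flagged.append(user_id)
    return sorted(flagged)


def _sample(env, user, value):  # constructed response in the shape shown above
    href = f"{API_BASE}/environments/{env}/users/{user}/mfaEnabled"
    return json.dumps({"_links": {"self": {"href": href}}, "mfaEnabled": value})


ENV_ID = "b7372995-824b-44ff-99f8-ab151dac3263"   # from the page's sample
USER_A = "05ad3cc6-8723-4f85-9711-05ad549717f6"   # from the page's sample
USER_B = "11111111-1111-4111-8111-111111111111"   # constructed
USER_C = "22222222-2222-4222-8222-222222222222"   # constructed
SAMPLE_RESPONSES = {
    USER_A: _sample(ENV_ID, USER_A, False),
    USER_B: _sample(ENV_ID, USER_B, True),
    USER_C: _sample(ENV_ID, USER_C, "true"),  # wrong type, must be flagged
}

if __name__ == "__main__":
    print(users_without_mfa(ENV_ID, SAMPLE_RESPONSES))
```

In a real audit, `responses` would hold the bodies returned by the GET call above for each user, fetched with a token that has read access to the environment.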

Update MFA enabled setting

The mfaEnabled attribute is a read-only attribute that cannot be changed through calls to PUT /environments/{environmentId}/users/{userId} or PATCH /environments/{environmentId}/users/{userId}. However, you can update the mfaEnabled value by calling the PUT /environments/{environmentId}/users/{userId}/mfaEnabled endpoint.

The following sample shows the PUT /environments/{environmentId}/users/{userId}/mfaEnabled operation to enable the user resource’s ability to use multi-factor authentication.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/users/{userId}/mfaEnabled" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
   "mfaEnabled": true
}'

The response returns a 200 OK message. The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/b7372995-824b-44ff-99f8-ab151dac3263/users/05ad3cc6-8723-4f85-9711-05ad549717f6/mfaEnabled"
    },
    "user": {
      "href": "https://api.pingone.com/v1/environments/b7372995-824b-44ff-99f8-ab151dac3263/users/05ad3cc6-8723-4f85-9711-05ad549717f6"
    }
  },
  "mfaEnabled": true
}